IDS mailing list archives

Re: Vulnerability vs. Exploit signatures and IPS??


From: Matthew Watchinski <mwatchinski () sourcefire com>
Date: Wed, 18 May 2005 22:29:28 -0400

By looking for the characteristics of a vulnerability it is possible to detect all possible exploits that might try to utilize that vulnerability. Whereas looking for the signature of an exploit leaves you vulnerable to new exploits utilizing the same vulnerability.

A simple analogy to this is, say, you want to find a particular person in a crowd of people. You can either walk around with a picture of that person and hold it up next to everyone in the crowd (signature-based detection), or you can find the person based on unique attributes about them (rule-based detection, as I like to call it). Signature-based detection is vulnerable to, say, the person wearing a hat, or glasses, or a beard. Rule-based detection isn't, as it uses a set of unchangeable unique attributes that must exist for it to match on that person (I like to call these triggering conditions), like the distance to the corner of each eye from their nose, or the shape and curve of the cheek bones.

To better understand this difference, let's take a real-world example.

Here is the bleedingsnort rule for the IIS PCT vulnerability (MS04-011):

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE THCIISLame IIS SSL Exploit Attempt"; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; content:"THCOWNZIIS!"; flow:to_server,established; classtype:web-application-attack; sid:2000559; rev:6;)

If you're not familiar with Snort, this signature essentially looks for the content "THCOWNZIIS!" in any packet heading to port 443 on the network defined by $HOME_NET. The public exploit for this vulnerability contains "THCOWNZIIS!", which is probably why the bleedingsnort guys wrote this signature. Unfortunately this string isn't necessary for this exploit to work, so it could just as easily be "MATTOWNIIS", and the exploit would still function correctly. This means that the signature above is exploit-specific and can be easily avoided (unless all you want to catch is this particular exploit).

I think most people want to catch all exploits that attempt to exploit a particular vulnerability, which is why you need rules that catch the triggering conditions of the vulnerability (detect the vulnerability not the exploit). In my opinion, writing exploit-specific signatures brings very little value to the table, and also gives people a false sense of security, as any intelligent attacker will remove these types of strings from public exploits if they need to use them.

Since I'm a vendor I'm not going to simply tout the Sourcefire solution; however, I will say the Sourcefire VRT strives to detect the vulnerability and not the exploit with every rule that we release. Ok, so I touted a little.

Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.
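The following is an added example, not part of the original post, that shows the same contrast in code: an exploit-string check like the content match in the bleedingsnort rule above versus a check on a triggering condition. The record format and the MAX_FIELD_LEN buffer size are a constructed toy, not the real PCT handshake or the real MS04-011 condition.

```python
# Added example: exploit-specific signature vs. triggering-condition rule.
# The handshake format below is CONSTRUCTED for illustration (1-byte type,
# 2-byte big-endian length, payload) and does not describe the real PCT
# protocol; MAX_FIELD_LEN is an assumed buffer size for the toy parser.
import struct

EXPLOIT_MARKER = b"THCOWNZIIS!"  # the content: string from the bleedingsnort rule
MAX_FIELD_LEN = 32               # assumed size of the fixed buffer the field is copied into


def build_record(field: bytes) -> bytes:
    """Build one constructed toy record: type 0x80, declared length, payload."""
    return b"\x80" + struct.pack(">H", len(field)) + field


def exploit_signature(pkt: bytes) -> bool:
    """Exploit-specific detection: look for the public exploit's marker string."""
    return EXPLOIT_MARKER in pkt


def vulnerability_rule(pkt: bytes) -> bool:
    """Triggering-condition detection: the declared field length exceeds what the
    (hypothetical) vulnerable parser can hold, regardless of payload content."""
    if len(pkt) < 3 or pkt[0] != 0x80:
        return False
    declared_len = struct.unpack(">H", pkt[1:3])[0]
    return declared_len > MAX_FIELD_LEN


def classify(pkt: bytes) -> dict:
    return {"exploit_sig": exploit_signature(pkt), "vuln_rule": vulnerability_rule(pkt)}


# Constructed sample traffic: a normal hello, the public exploit with its marker,
# and the same oversized field with the marker swapped, as the post describes.
SAMPLES = {
    "benign": build_record(b"client-hello"),
    "public_exploit": build_record(b"A" * 40 + EXPLOIT_MARKER),
    "renamed_exploit": build_record(b"A" * 40 + b"MATTOWNIIS"),
}


def run() -> dict:
    """Return each sample's verdict under both detection approaches."""
    return {name: classify(pkt) for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run().items():
        print(f"{name:16} exploit_sig={verdict['exploit_sig']!s:5} vuln_rule={verdict['vuln_rule']}")
```

The renamed variant slips past the marker check but still trips the length rule, while the benign record trips neither, which is the point about false security the post makes.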

Jacob Winston wrote:

Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
