IDS mailing list archives

Re: Re: Re: Re: HTTP traffic


From: maverick.avi () gmail com
Date: 9 Aug 2007 04:07:19 -0000

Well, what abhicc might have meant is to have a proper protocol parser/rule, which will decode the data on the wire correctly and specifically to a protocol, and use this to decide whether a vulnerability/exploit exists, and not directly check for the vulnerability in the data on the wire stream. All data has to be seen in context with the protocol it's coming from. The same sequence of bytes has different meanings for different protocols/versions.

Regarding the Exploit vs Vuln argument: going with the vulnerability is always a better option. Being exploit specific means that whenever someone smart out there comes up with a sequence of code different enough, the IDS/IPS gets bypassed, and devs have to scramble to cover this new one.

Having exploit-specific signatures also means having more signatures on the box, whereas all these exploits might be using a common vector, and if the signature/rule was vulnerability specific, only 1 signature could have stopped all the exploits. It just depends how much work the DEV/QA team want to put in :-)

And I agree with Hirosh: better to take the time and do it once and do it right, than modify it every time a new version of the exploit comes out.
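The two approaches the post contrasts, as an added example that is not part of the thread: a hypothetical server flaw (mishandling an overlong Host header, bound HOST_MAX assumed) checked once by an exploit-specific byte pattern and once by a rule on the parsed header. All requests and the filler pattern are constructed.

```python
# Added example, not from the original thread: an exploit-specific byte
# signature beside a vulnerability-specific check on a parsed HTTP request.
# The flaw is hypothetical; every request below is a constructed sample.
HOST_MAX = 64                  # hypothetical safe bound for the Host header
EXPLOIT_PATTERN = b"\x90" * 8  # filler bytes from one (constructed) exploit

def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, headers and body.

    Header names are lower-cased. Values are only ever taken from the
    header section, so a rule built on this sees data in protocol context.
    """
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, target, version = lines[0].split(b" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}

def exploit_signature(raw: bytes) -> bool:
    """Exploit-specific: fires on one exploit's filler bytes anywhere on the wire."""
    return EXPLOIT_PATTERN in raw

def vulnerability_rule(raw: bytes) -> bool:
    """Vulnerability-specific: fires when the parsed Host header exceeds HOST_MAX."""
    req = parse_http_request(raw)
    return len(req["headers"].get(b"host", b"")) > HOST_MAX

# Constructed samples: a benign request, the known exploit, a variant that
# triggers the same flaw with different filler, and a benign POST whose body
# happens to carry the exploit's filler bytes.
BENIGN = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
KNOWN_EXPLOIT = b"GET / HTTP/1.1\r\nHost: " + b"\x90" * 100 + b"\r\n\r\n"
VARIANT = b"GET / HTTP/1.1\r\nHost: " + b"A" * 100 + b"\r\n\r\n"
BENIGN_BODY = (b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\n"
               b"Content-Length: 8\r\n\r\n" + b"\x90" * 8)

def compare(samples: dict) -> dict:
    """Map sample name -> (exploit_signature fired, vulnerability_rule fired)."""
    return {name: (exploit_signature(raw), vulnerability_rule(raw))
            for name, raw in samples.items()}

if __name__ == "__main__":
    verdicts = compare({"benign": BENIGN, "known": KNOWN_EXPLOIT,
                        "variant": VARIANT, "benign_body": BENIGN_BODY})
    for name, (sig, rule) in verdicts.items():
        print(f"{name:12s} exploit_sig={sig!s:6s} vuln_rule={rule}")
```

The variant evades the byte pattern but not the parsed-header rule, and the benign POST shows the pattern firing out of protocol context.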
