Re: CVE selection for IDS/IPS signature rules

[Leon Ward <seclists () rm-rf co uk>]

A quick comment on the below point:

> 2. Keep in mind that CVE is Common **Vulnerability* *and Exposures,
>     so it covers any vulnerability where IDS/IPS are generally
>     exploit-centric.  How are you going to detect if a vulnerability
>     is exploited if there is no publicly known exploit?  How do you
>     find something when you don't know what it looks like?

All leading IPS venders provide (or at least claim to provide) a  
vulnerability based detection capability.
The *idea* behind this is simple. Model the protocol and all the  
required triggering conditions for the vulnerability to be exploited,  
and it doesn't matter what exploit-code is being used.

<Disclaimer : I work for Sourcefire>

Snort has had this capability for years. For those interested a VRT  
(Sourcefire's Vulnerability Research Team) white paper is available  
that details this process with examples.

-Leon


On 3 Jun 2008, at 18:43, Enigma wrote:

> Ravi Chunduru wrote:
> > Hi,
> >
> > There are over 30000 CVE vulnerability reports.  Many IDS/IPS devices
> > have around 4000-5000 signature rules. My guess is that these
> > signatures may cover (detect)around 4000-7000 attacks.  23000 to  
> > 26000
> > CVEs, that is, significant number of CVEs are not covered by IDS/IPS
> > devices.
> >
> > I am guessing that there is reason for this. IDS/IPS vendors may be
> > selecting few CVEs for developing signatures. What is the selection
> > criteria followed in industry? One criteria, I know is that Network
> > IDS/IPS devices don't need to worry about attacks that can only be
> > mounted on the local machine, that is,  NIDS/NIPS devices only need  
> > to
> > worry about detection of attacks mounted remotely. Are there any  
> > other
> > considerations?
> >
> > Thanks
> > Ravi
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it with real-world attacks  
> > from CORE IMPACT.
> > Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
> >  to learn more.
> > ------------------------------------------------------------------------
> Couple of things:
>
>  1. If you are talking about Network IDS/IPS, not all vulnerabilities
>     are remotely exploitable.  Some local vulnerabilities can only  
> be      detected by a HIDS if they can be detected at all.
>  2. Keep in mind that CVE is Common **Vulnerability* *and Exposures,
>     so it covers any vulnerability where IDS/IPS are generally
>     exploit-centric.  How are you going to detect if a vulnerability
>     is exploited if there is no publicly known exploit?  How do you
>     find something when you don't know what it looks like?
>
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it with real-world attacks  
> from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
>  to learn more.
> ------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------