IDS mailing list archives
Re: CVE selection for IDS/IPS signature rules
From: Enigma <enigma () security-fu com>
Date: Tue, 03 Jun 2008 15:00:13 -0400
Leon Ward wrote:
This is a little off topic. Not knocking Sourcefire or VRT (3D is great and I use the VRT sigs all the time) but I have found these type of signatures to have the highest rate of false positives. Don't get me wrong, these are useful when there isn't anything else but signatures developed from public or at least seen-in-the-wild exploits are much more accurate.A quick comment on the below point:2. Keep in mind that CVE is Common **Vulnerability* *and Exposures, so it covers any vulnerability where IDS/IPS are generally exploit-centric. How are you going to detect if a vulnerability is exploited if there is no publicly known exploit? How do you find something when you don't know what it looks like?All leading IPS venders provide (or at least claim to provide) a vulnerability based detection capability. The *idea* behind this is simple. Model the protocol and all the required triggering conditions for the vulnerability to be exploited, and it doesn't matter what exploit-code is being used.<Disclaimer : I work for Sourcefire>Snort has had this capability for years. For those interested a VRT (Sourcefire's Vulnerability Research Team) white paper is available that details this process with examples.-Leon On 3 Jun 2008, at 18:43, Enigma wrote:Ravi Chunduru wrote:Hi, There are over 30000 CVE vulnerability reports. Many IDS/IPS devices have around 4000-5000 signature rules. My guess is that these signatures may cover (detect)around 4000-7000 attacks. 23000 to 26000 CVEs, that is, significant number of CVEs are not covered by IDS/IPS devices. I am guessing that there is reason for this. IDS/IPS vendors may be selecting few CVEs for developing signatures. What is the selection criteria followed in industry? One criteria, I know is that Network IDS/IPS devices don't need to worry about attacks that can only be mounted on the local machine, that is, NIDS/NIPS devices only need to worry about detection of attacks mounted remotely. Are there any other considerations? Thanks Ravi------------------------------------------------------------------------Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------Couple of things: 1. If you are talking about Network IDS/IPS, not all vulnerabilitiesare remotely exploitable. Some local vulnerabilities can only be detected by a HIDS if they can be detected at all.2. Keep in mind that CVE is Common **Vulnerability* *and Exposures, so it covers any vulnerability where IDS/IPS are generally exploit-centric. How are you going to detect if a vulnerability is exploited if there is no publicly known exploit? How do you find something when you don't know what it looks like? ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- Re: CVE selection for IDS/IPS signature rules abhicc285 (Jun 03)
- Re: CVE selection for IDS/IPS signature rules Jose Nazario (Jun 03)
- <Possible follow-ups>
- Re: CVE selection for IDS/IPS signature rules Enigma (Jun 03)
- RE: CVE selection for IDS/IPS signature rules Dimitris Patsos (Jun 03)
- Re: CVE selection for IDS/IPS signature rules Leon Ward (Jun 03)
- Re: CVE selection for IDS/IPS signature rules Enigma (Jun 05)
- Re: CVE selection for IDS/IPS signature rules Joel Esler (Jun 05)
- RE: CVE selection for IDS/IPS signature rules Srinivasa Addepalli (Jun 03)
- Re: CVE selection for IDS/IPS signature rules Ravi Chunduru (Jun 03)