Network Security Focus-IDS

RE: Vulnerability vs. Exploit signatures and IPS??

Subject: RE: Vulnerability vs. Exploit signatures and IPS??
Date: Wed, 18 May 2005 15:47:47 -0400
A vulnerability is typically disclosed before an exploit exists to take
advantage of it. From this disclosure it can be possible to create a
signature that would fire when the conditions are met that would exploit
the vulnerability.

For example, a vulnerability may exist in a particular service that
doesn't check parameter sizes correctly, allowing a buffer overflow. No
known exploit exists, but it is possible for an application to monitor
the size of the parameter passed to that service, and if it is of
sufficient size to exploit the vulnerability, then block or alarm.

Once an exploit is released, it will typically have a more specific set
of conditions that can be monitored - perhaps a particular byte
sequence, string, padding or a specific parameter size. If those
specific conditions are met, then a specific alarm can be raised for
that named exploit.

Most modern IPS/IDS employ both "vulnerability signatures" and "exploit
signatures". Vulnerability signatures can be written sooner, but are
less specific, and can be prone to false positives (it's hard to
anticipate every possible violation of the standard that might be
legitimate, but resemble the attack) as well as false negatives (it's
not always possible to create an accurate vulnerability pattern that
catches every possible method of exploit). Exploit signatures come after
the fact, but are typically more accurate.

Jason

--
Jason Anderson
Director of Engineering and Product Management
janderson@lancope.com
http://www.lancope.com


-----Original Message-----
From: Jacob Winston [mailto:jctx09@yahoo.com] 
Sent: Monday, May 16, 2005 10:58 PM
To: focus-ids@securityfocus.com
Subject: Vulnerability vs. Exploit signatures and IPS??




Can someone explain to me the difference in writing signatures based on
Vulnerabilities versus writing signatures based on Exploits?
TippingPoint makes a claim that their IPS is better because they write
signatures based on Vulnerabilities and not exploits. I don't quite
understand this.

Thank you,
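
The two kinds of signature described in the reply above, as an added example that is not part of the original thread. The text protocol with a `USER <name>` command, the 64-byte buffer, the marker bytes and all sample traffic are assumptions constructed for illustration.

```python
import re

# Assumptions (hypothetical): a text protocol with "USER <name>\r\n" and a
# service that copies <name> into a 64-byte buffer without a length check.
BUF_SIZE = 64
# Constructed placeholder for the byte sequence of one published exploit.
EXPLOIT_MARKER = b"\xde\xad\xbe\xef" + b"EXPLOIT-A"

USER_CMD = re.compile(rb"^USER ([^\r\n]*)\r?\n", re.MULTILINE)


def vulnerability_signature(payload: bytes) -> bool:
    """Fire when any USER parameter is large enough to overflow the buffer."""
    return any(len(m.group(1)) > BUF_SIZE for m in USER_CMD.finditer(payload))


def exploit_signature(payload: bytes) -> bool:
    """Fire only on the byte sequence of the one known, named exploit."""
    return EXPLOIT_MARKER in payload


def classify(payload: bytes) -> dict:
    return {"vulnerability": vulnerability_signature(payload),
            "exploit": exploit_signature(payload)}


# Constructed sample traffic, not captured from any real system.
SAMPLES = {
    "normal login": b"USER alice\r\n",
    # Known exploit: oversized parameter plus the published byte sequence.
    "known exploit": b"USER " + b"A" * 80 + EXPLOIT_MARKER + b"\r\n",
    # New variant: same overflow condition, different bytes.
    "new variant": b"USER " + b"B" * 200 + b"\r\n",
    # Oversized but no attack content: the vulnerability signature fires on
    # the condition alone, the kind of alert that can be a false positive.
    "long benign name": b"USER svc-" + b"x" * 70 + b"@example.com\r\n",
}


def run() -> dict:
    return {name: classify(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, r in run().items():
        print(f"{name:18} vulnerability={r['vulnerability']!s:5} "
              f"exploit={r['exploit']!s:5}")
```
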
