Network Security Focus-IDS

Re: Vulnerability vs. Exploit signatures and IPS??

Subject: Re: Vulnerability vs. Exploit signatures and IPS??
Date: Wed, 18 May 2005 16:04:52 -0400 (EDT)
Most vendors claim that.  Some do it.

Let's consider the following hypothetical situation. A vulnerability is announced in a product, but it's a particularly convoluted and difficult buffer overflow and I don't quite know how it works. I just wait a bit, and sure enough, the Metasploit guys add an exploit for it. Now I run that exploit against a vulnerable server and I sniff the network traffic it generates. I write a signature based on that traffic that seems to be 'good' in that it doesn't have any false positives on a large flood of legitimate traffic to the server, and it also successfully catches the compromise via Metasploit every time.

It's quite possible that, because I didn't understand which part of the attack was the actual necessary exploit and which was just Metasploit's padding for the overflow, or the backdoor code, or whatever, someone else could come along and write an entirely new exploit that would not trigger my signature, or even just modify the default Metasploit attack, and likewise escape my signature.

A signature written for the vulnerability means that (barring certain types of obfuscation and evasion) any exploit generated will trigger that signature if it triggers the vulnerability.

This is actually a fairly difficult thing to do in some situations. Most signature writers will of course try to write to the vulnerability, but because of the difficulty, you often see ones written for an exploit.

Of course, in the perfect world, we have both types of signatures. That way you not only know you were attacked, but you know with what type of exploit, or that it's a new unknown variant of an exploit. That's useful information in and of itself.

--
Jordan Wiens, CISSP
UF Network Security Engineer
(352)392-2061

On Mon, 17 May 2005, Jacob Winston wrote:

Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from
CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708
to learn more.
--------------------------------------------------------------------------

