
| Subject: | RE: Vulnerability vs. Exploit signatures and IPS?? |
|---|---|
| Date: | Wed, 18 May 2005 16:05:31 -0400 |

This is a bit of marketspeak, but, in general, an exploit signature would look at the strings in a particular exploit while a vulnerability signature would try to match any pattern that would trigger the vulnerability, not just a particular exploit.

For example, program X has a buffer overflow if a certain field is greater than 255 characters. An exploit is written for this vulnerability which has the pattern "AAAAAAAAAA...AAAShEllCodeZZZZ" (256 characters) followed by the shell code strings.

An exploit signature would look for the particular pattern in this exploit (string of "A"s followed by the word "ShEllCode" followed by the NOP sled followed by some shell code). A vulnerability signature would look for any string longer than 255 characters and directed to this particular field in this application. This is harder to write to avoid false positives, but would catch new exploits, not just the exploit identified by the first signature.

-----Original Message-----
From: Jacob Winston [mailto:jctx09@yahoo.com]
Sent: Monday, May 16, 2005 10:58 PM
To: focus-ids@securityfocus.com
Subject: Vulnerability vs. Exploit signatures and IPS??

Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,
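
The distinction drawn in the reply above, as an added detection example that is not part of the original thread. The `NAME=value` line protocol, the `USERNAME` field name and all sample messages are constructed assumptions; only the 255-character limit and the "A...ShEllCode" pattern come from the post.

```python
import re

MAX_FIELD_LEN = 255        # from the post: the field overflows past 255 characters
VULN_FIELD = b"USERNAME"   # assumed field name in a made-up "NAME=value" line protocol

# Exploit signature: byte strings lifted from one specific exploit.
EXPLOIT_SIG = re.compile(rb"A{16,}ShEllCode")

def parse_fields(message: bytes):
    """Yield (name, value) for every NAME=value line, duplicates included."""
    for line in message.split(b"\r\n"):
        name, sep, value = line.partition(b"=")
        if sep:
            # Normalise the name so a case change does not hide the field.
            yield name.strip().upper(), value

def exploit_signature(message: bytes) -> bool:
    return EXPLOIT_SIG.search(message) is not None

def vulnerability_signature(message: bytes) -> bool:
    # Fires on the triggering condition itself: any oversized value
    # sent to the vulnerable field, whatever bytes it contains.
    return any(name == VULN_FIELD and len(value) > MAX_FIELD_LEN
               for name, value in parse_fields(message))

# Constructed sample messages (not real traffic).
SAMPLES = {
    "known_exploit": b"USERNAME=" + b"A" * 256 + b"ShEllCode" + b"ZZZZ\r\n",
    "new_variant": b"USERNAME=" + b"B" * 300 + b"\r\n",
    "duplicate_field": b"USERNAME=alice\r\nusername=" + b"C" * 256 + b"\r\n",
    "benign_login": b"USERNAME=alice\r\nCOMMENT=" + b"x" * 400 + b"\r\n",
    "boundary_255": b"USERNAME=" + b"d" * 255 + b"\r\n",
}

def evaluate():
    """Return {label: (exploit_sig_hit, vulnerability_sig_hit)}."""
    return {label: (exploit_signature(m), vulnerability_signature(m))
            for label, m in SAMPLES.items()}

if __name__ == "__main__":
    for label, (exp, vuln) in evaluate().items():
        print(f"{label:16} exploit_sig={exp!s:5} vuln_sig={vuln}")
```

The vulnerability signature needs a protocol parser to know which field a value belongs to, which is the extra work the reply refers to when it says such signatures are harder to write without false positives.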