Network Security Focus-IDS

Re: Vulnerability vs. Exploit signatures and IPS??

Subject: Re: Vulnerability vs. Exploit signatures and IPS??
Date: Thu, 19 May 2005 10:03:28 -0400
TippingPoint is not the only vendor to do this. Most vendors now try to write signatures based on the vulnerability vs the exploit. Here's a real-world example. SQL Slammer was the result of a vulnerability that had been known for many months to the security community. Shortly after it was first announced, there was a proof of concept exploit released also. Some vendors watched for the known exploit, which was to watch for a particular string in the released exploit code. Some vendors (NFR being one of many) chose to watch for the vulnerability, which was essentially a really long string sent via UDP on port 1434, which causes a buffer overflow. When SQL Slammer hit, months later, vendors who were watching for the vulnerability caught SQL Slammer without writing a new signature. Vendors who wrote signatures looking for the exploit did not. There are plenty of other reasons to not watch for exploits. For example, products like ADMutate, which take existing exploits and mutate them to evade exploit-based signatures.

So, the reason you watch for vulnerabilities, instead of exploits, is to catch the 0-day exploit of a known vulnerability, and to also catch people trying to evade your IDS/IPS system. Often vendors will do both. So, they might identify a known exploit as a known exploit. That doesn't mean they're not watching for the vulnerability though. It just means that they were trying to be as accurate as possible, so they saw the vulnerability being exploited, and then identified the exploit as something known. It's pretty simple logic, and allows a vendor to give the most accurate alert when a vulnerability is exploited.

However, TippingPoint is not doing something unique here. They are doing the right thing... but they're not the only ones. NFR, ISS, and _many_ of the other big names are doing the same thing... not all vendors... but many. So, you should not only ask, but test if they are doing this. Just because a vendor says they watch for vulnerabilities vs the exploit doesn't mean they are actually doing it. Bring in the products from various vendors, download the known exploits, then use products such as ADMutate (and others) to try to evade the IDS/IPS. Also, be sure to evaluate in IDS and IPS mode, if you plan on doing a mixed deployment. Just because a vendor detects/stops something in IPS mode doesn't mean they'll do it in IDS mode... and vice versa.

hope this helps,

dave

David W. Goodrum
Senior Systems Engineer
(nfr)(security)
http://www.nfr.com



Jacob Winston wrote:


Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------






See NFR Security at these upcoming events:

ADRP Conference, May 23-25, Jacksonville, FL
Gartner IT Security Summit, June 6-8, Washington, DC
NetSec 2005, June 13-14, Scottsdale, AZ
Security Ventures 2005, July 13, New York, NY
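The distinction Dave draws above (matching the bytes of a published PoC versus matching the condition the vulnerability actually needs, and layering both to label a known exploit) as an added, runnable illustration. This is example code written for this archive page, not code from NFR, TippingPoint or any product discussed in the thread. Every byte string and address in it is constructed: the "PoC marker" is a placeholder standing in for whatever a vendor once copied out of the public exploit, and the 128-byte length threshold is an assumed cut-off for "a really long string" to UDP/1434, not a value taken from any real rule set.

```python
"""
Added example: exploit-based vs vulnerability-based signatures run over a
handful of constructed UDP datagrams. No real exploit bytes appear here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Datagram:
    """Minimal view of a UDP datagram as a sensor would see it (constructed)."""
    src: str
    dst: str
    dport: int
    payload: bytes


# Hypothetical exploit signature: the literal bytes a vendor lifted from the
# proof-of-concept. Constructed placeholder, not the contents of any real PoC.
KNOWN_EXPLOIT_MARKER = b"POC-MARKER-CONSTRUCTED"

# Vulnerability signature: the condition the flaw needs regardless of the bytes
# around it. Port 1434/UDP comes from the post; the threshold is an assumption.
SSRP_PORT = 1434
MAX_SANE_SSRP_LENGTH = 128


def exploit_signature(d: Datagram) -> bool:
    """Fires only when the copied PoC bytes appear in a datagram to the service."""
    return d.dport == SSRP_PORT and KNOWN_EXPLOIT_MARKER in d.payload


def vulnerability_signature(d: Datagram) -> bool:
    """Fires on any oversized datagram to the vulnerable service, whatever its bytes."""
    return d.dport == SSRP_PORT and len(d.payload) > MAX_SANE_SSRP_LENGTH


def classify(d: Datagram) -> Optional[str]:
    """The layered approach the post describes: detect on the vulnerability
    condition, then use the exploit match only to make the alert more specific."""
    vuln = vulnerability_signature(d)
    known = exploit_signature(d)
    if vuln and known:
        return "vulnerability exploited: known PoC"
    if vuln:
        return "vulnerability exploited: unknown/mutated variant"
    if known:
        return "known PoC bytes without the overflow condition"
    return None


def evaluate(traffic: List[Tuple[str, Datagram]]) -> Dict[str, Tuple[bool, bool]]:
    """Map each labelled datagram to (exploit_signature_hit, vulnerability_signature_hit)."""
    return {name: (exploit_signature(d), vulnerability_signature(d)) for name, d in traffic}


def constructed_traffic() -> List[Tuple[str, Datagram]]:
    """Four constructed datagrams covering the cases discussed in the post."""
    long_filler = b"A" * 400  # the "really long string" the flaw needs (constructed)
    return [
        # The published PoC as a vendor would have copied it
        ("public_poc", Datagram("10.0.0.5", "10.0.0.20", SSRP_PORT,
                                KNOWN_EXPLOIT_MARKER + long_filler)),
        # Same overflow condition, none of the PoC bytes: what a mutation tool yields
        ("mutated_variant", Datagram("10.0.0.6", "10.0.0.20", SSRP_PORT,
                                     bytes(range(256)) + long_filler)),
        # A short, ordinary request to the same port (constructed payload)
        ("benign_ssrp_query", Datagram("10.0.0.7", "10.0.0.20", SSRP_PORT,
                                       b"short-query-constructed")),
        # A long payload to an unrelated port: not the vulnerable service
        ("long_payload_other_port", Datagram("10.0.0.8", "10.0.0.20", 53, long_filler)),
    ]


if __name__ == "__main__":
    traffic = constructed_traffic()
    print(f"{'datagram':<26}{'exploit sig':<14}{'vuln sig':<10}label")
    for name, d in traffic:
        e, v = exploit_signature(d), vulnerability_signature(d)
        print(f"{name:<26}{str(e):<14}{str(v):<10}{classify(d)}")
```

Run as a script it prints one row per datagram; the mutated variant is the row that separates the two approaches, since only the vulnerability signature fires on it while the exploit signature is silent. The same table is what you would want to build, with a vendor's real product in the path, when following Dave's advice to test rather than take the claim on faith.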



