Network Security Focus-IDS

Re: Vulnerability vs. Exploit signatures and IPS??

Subject: Re: Vulnerability vs. Exploit signatures and IPS??
Date: Wed, 18 May 2005 22:29:28 -0400
By looking for the characteristics of a vulnerability it is possible to detect all possible exploits that might try and utilize that vulnerability. Whereas, looking for the signature of an exploit leaves you vulnerable to new exploits utilizing the same vulnerability.

A simple analogy to this is say you want to find a particular person in a crowd of people. You can either walk around with a picture of that person and hold it up next to everyone in the crowd (signature based detection) or you can find the person based on unique attributes about them (rule based detection, as I like to call it). Signature based detection is vulnerable to say the person wearing a hat, or glasses, or a beard. Rule based detection isn't, as it uses a set of unchangeable unique attributes that must exist for it to match on that person (I like to call these triggering conditions). Like the distance to the corner of each eye from their nose, or the shape and curve of the cheek bones.

To better understand this difference let's take a real world example.

Here is the bleedingsnort rule for the IIS PCT vulnerability (MS04-011)

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"BLEEDING-EDGE THCIISLame IIS SSL Exploit Attempt"; reference:url,www.thc.org/exploits/THCIISSLame.c; reference:url,isc.sans.org/diary.php?date=2004-07-17; content:"THCOWNZIIS!"; flow:to_server,established; classtype:web-application-attack; sid:2000559; rev:6;)

If you're not familiar with Snort, this signature essentially looks for the content "THCOWNZIIS!" in any packet heading to port 443 on the network defined by $HOME_NET. The public exploit for this vulnerability contains "THCOWNZIIS!", which is probably why the bleedingsnort guys wrote this signature. Unfortunately this string isn't necessary for this exploit to work, so it could just as easily be "MATTOWNIIS", and the exploit would still function correctly. This means that the signature above is exploit specific and can be easily avoided (unless all you want to catch is this particular exploit).

I think most people want to catch all exploits that attempt to exploit a particular vulnerability, which is why you need rules that catch the triggering conditions of the vulnerability (detect the vulnerability not the exploit). In my opinion, writing exploit-specific signatures brings very little value to the table, and also gives people a false sense of security, as any intelligent attacker will remove these types of strings from public exploits if they need to use them.

Since I'm a vendor I'm not going to simply tout the Sourcefire solution, however, I will say the Sourcefire VRT strives to detect the vulnerability and not the exploit with every rule that we release. Ok so I touted a little.

Cheers,
Matthew Watchinski
Director, Vulnerability Research
Sourcefire, Inc.

Jacob Winston wrote:


Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------
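The contrast Matthew draws above (a content match on the exploit's own string versus a rule on the vulnerability's triggering condition) can be shown in a few lines of Python. This is an added illustration, not code from the thread, from Sourcefire, or from bleedingsnort. The record layout, the 64-byte buffer limit and the sample payloads are all constructed assumptions for the toy; they are not the real PCT handshake or the real MS04-011 fault condition. The only thing taken from the thread is the idea that the published exploit happened to carry "THCOWNZIIS!" and that a variant could carry a different string.

```python
"""
Exploit-signature vs. triggering-condition detection, as a toy model.

Assumed toy record format: a 2-byte big-endian length field followed by
the payload. The toy server is assumed to copy the payload into a fixed
64-byte buffer, so the triggering condition is "declared length > 64".
None of this is the real PCT protocol; it exists only to contrast the
two detection strategies.
"""
import struct

TOY_BUFFER_SIZE = 64                 # assumed server-side buffer size
EXPLOIT_STRING = b"THCOWNZIIS!"      # string the public exploit happened to carry


def build_record(payload: bytes) -> bytes:
    """Encode a toy record: length prefix + payload."""
    return struct.pack(">H", len(payload)) + payload


def parse_record(data: bytes):
    """Return (declared_length, payload) or None if the record is malformed."""
    if len(data) < 2:
        return None
    (declared,) = struct.unpack(">H", data[:2])
    return declared, data[2:2 + declared]


def exploit_signature(data: bytes) -> bool:
    """Snort-style content match: fires only when the literal string is present."""
    return EXPLOIT_STRING in data


def vulnerability_rule(data: bytes) -> bool:
    """Rule on the triggering condition: the declared length would overrun the buffer."""
    parsed = parse_record(data)
    if parsed is None:
        return False
    declared, _ = parsed
    return declared > TOY_BUFFER_SIZE


# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    # Ordinary client record, well within the assumed buffer.
    "benign_hello": build_record(b"hello from a normal client"),
    # Record shaped like the public exploit: carries the marker string and
    # an oversized payload.
    "public_exploit": build_record(EXPLOIT_STRING + b"A" * 100),
    # Same oversized payload with the marker string swapped, as the thread
    # describes ("MATTOWNIIS").
    "renamed_exploit": build_record(b"MATTOWNIIS" + b"A" * 100),
}


def evaluate(samples=SAMPLES):
    """Run both detectors over every sample and report which ones fire."""
    return {
        name: {
            "signature": exploit_signature(data),
            "rule": vulnerability_rule(data),
        }
        for name, data in samples.items()
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:16s} signature={verdict['signature']!s:5s} rule={verdict['rule']}")
```

Running it shows the point of the thread: the content signature and the condition rule both fire on the public exploit, only the condition rule fires on the renamed variant, and neither fires on the benign record. In real Snort the same idea is expressed with length checks on the parsed field (`byte_test`, `isdataat`, or a `dsize` bound) rather than a content match on whatever string the public exploit happened to include.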
