Network Security Focus-IDS

Re: Vulnerability vs. Exploit signatures and IPS??

Subject: Re: Vulnerability vs. Exploit signatures and IPS??
Date: Fri, 20 May 2005 18:43:06 -0300
It is not a question of which is better in a vacuum (signatures based on vulnerabilities vs. signatures based on exploits) but rather which you or your vendor does best.

To do it right, developing IDS/IPS signatures based on exploits requires the researcher/signature writer to understand those exploits and to be able to discern which portions of them are fixed requirements to trigger the vulnerability and which portions are just implementation decisions of the exploit writer. Some shortcuts can be taken here if the researcher has a very good understanding of exploit 'techniques' rather than just instances of exploits that are publicly available, otherwise the job turns into a reactive arms race against the available exploits.

Good signatures based solely on the vulnerabilities require the researcher/signature writer to fully understand the vuln and all the possible ways to exploit it. For this to be effective, once again, the researcher needs a very good understanding of exploit 'techniques' and/or exploit writing since he is basically trying to outwit ALL possible exploits and hence every exploit writer out there or risk having false negatives.
For the pure anomaly behavior detection approach the researcher then needs to figure out ALL possible legitimate uses and operational environments of the vulnerable component or risk having false positives.


There are numerous examples of bad signatures (and possibly vendor patches) that were developed presumably based only on available exploits and there are numerous examples of bad signatures (and possibly vendor patches) presumably built using vulnerability analysis as the sole basis for development.

Common sense leads me to think that combining both methods is a good idea. Also there is a clear tradeoff between time and quality of the signature/filter: Assuming the signature writing team has equally balanced skills for both methods they will need to make a decision between getting signatures out faster and/or getting more accurate signatures out. To improve the process one would need to either increase the research team's capacity or improve their skills (or both).

Disclaimer: I work for a company that sells an automated penetration testing product that includes professionally developed exploits; it is often used by our customers to develop IDS/IPS signatures, test IDS/IPS deployments and various other things. On the other hand, since we write exploits for known vulns and occasionally find new vulns, I know there is a serious amount of vulnerability research involved in all cases. So I sort of have an insight into both methods.


-ivan

Jacob Winston wrote:


Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,

--------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.securityfocus.com/sponsor/CoreSecurity_focus-ids_040708 to learn more.
--------------------------------------------------------------------------



--
To strive, to seek, to find, and not to yield. - Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce@coresecurity.com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
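The tradeoff Ivan describes, as an added illustration that is not part of the original thread: an exploit-based signature keyed on one public exploit's filler bytes (an implementation decision of the exploit writer) versus a vulnerability-based signature keyed on the condition that actually triggers the bug. The protocol, the 64-byte buffer, and all traffic samples are constructed for this example.

```python
"""Toy comparison of exploit-based vs vulnerability-based IDS signatures.

Constructed scenario: a hypothetical line-based protocol whose request is
'USER <name>\r\n', and a hypothetical server that copies <name> into a
64-byte buffer. Every packet below is made up for the demonstration.
"""
import re

BUFFER_LIMIT = 64  # hypothetical size of the vulnerable server buffer

# Exploit-based signature: keys on a detail of one public exploit
# (a run of 16 0x90 filler bytes), not on the vulnerability condition.
EXPLOIT_SIG = re.compile(rb"^USER [^\r\n]*\x90{16}")

def exploit_signature(pkt: bytes) -> bool:
    """Fire if the packet looks like the one public exploit."""
    return EXPLOIT_SIG.search(pkt) is not None

def vulnerability_signature(pkt: bytes) -> bool:
    """Fire on the condition that triggers the bug: the USER argument is
    longer than the buffer the server copies it into, whatever its bytes."""
    m = re.match(rb"^USER ([^\r\n]*)\r\n", pkt)
    return m is not None and len(m.group(1)) > BUFFER_LIMIT

# Constructed traffic: (label, packet, is_attack)
SAMPLES = [
    ("legit short", b"USER alice\r\n", False),
    # the public exploit: filler run followed by padding, 76 bytes total
    ("public exploit", b"USER " + b"\x90" * 16 + b"A" * 60 + b"\r\n", True),
    # same overflow, but the author chose different filler: no 0x90 run
    ("variant exploit", b"USER " + b"A" * 76 + b"\r\n", True),
    # contains the filler run but stays within the buffer: not an attack
    ("decoy", b"USER bob" + b"\x90" * 16 + b"\r\n", False),
]

def evaluate(detector) -> dict:
    """Count detections, false negatives and false positives over SAMPLES."""
    result = {"detected": 0, "false_negatives": 0, "false_positives": 0}
    for _, pkt, is_attack in SAMPLES:
        fired = detector(pkt)
        if fired and is_attack:
            result["detected"] += 1
        elif not fired and is_attack:
            result["false_negatives"] += 1
        elif fired and not is_attack:
            result["false_positives"] += 1
    return result

if __name__ == "__main__":
    print("exploit-based      :", evaluate(exploit_signature))
    print("vulnerability-based:", evaluate(vulnerability_signature))
```

The exploit-based detector misses the variant and fires on the decoy, which is the reactive arms race the post describes; the vulnerability-based one catches both attacks here, but only because the trigger condition (argument length) was fully understood.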



