
| Subject: | Re: Re: Re: Re: HTTP traffic |
|---|---|
| Date: | 9 Aug 2007 04:07:19 -0000 |
Well, what abhicc might have meant is to have a proper protocol parser/rule, which will decode the data on the wire correctly and specifically to a protocol. And using this, decide whether a vulnerability/exploit exists. And not directly checking for a vulnerability in the data on the wire stream. All data has to be seen in context with the protocol it's coming for. The same sequence of bytes has diff meanings for different protocols/versions.

Regarding the exploit vs. vuln argument: well, going with the vulnerability is always a better option. Being exploit specific means that whenever someone smart out there comes up with a sequence of code different enough, the IDS/IPS gets bypassed. And devs have to scramble to cover this new one. Having exploit-specific signatures also means having more signatures on the box, whereas all these exploits might be using a common vector, and if the signature/rule was vulnerability specific, only 1 signature could have stopped all the exploits.

Just depends how much work the DEV/QA team wanna put in :-) And I agree with Hirosh, better to take time and do it once and do it right, than modify it every time a new version of the exploit comes out.
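The contrast drawn in the message above, as an added example that is not part of the original post: a byte-pattern rule written for one exploit is compared with a rule that parses HTTP first and tests the vulnerable condition. The vulnerable header (`Host`), the 256-byte limit and the three sample requests are constructed assumptions, not details from the thread.

```python
import re

MAX_HOST_LEN = 256                   # assumed limit of the hypothetical vulnerable server
EXPLOIT_SIG = re.compile(rb"A{300}")  # exploit-specific: filler bytes of one known exploit

def exploit_signature_match(raw: bytes) -> bool:
    """Match raw stream bytes with no protocol context."""
    return EXPLOIT_SIG.search(raw) is not None

def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser: returns (method, target, headers, body) or None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers, body

def vulnerability_rule_match(raw: bytes) -> bool:
    """Vulnerability-specific: decode the protocol, then test the triggering condition."""
    req = parse_http_request(raw)
    if req is None:
        return False
    return len(req[2].get(b"host", b"")) > MAX_HOST_LEN

# Constructed sample requests.
SAMPLES = {
    "known_exploit": b"GET / HTTP/1.1\r\nHost: " + b"A" * 300 + b"\r\n\r\n",
    "new_variant": b"GET / HTTP/1.1\r\nhost: " + b"B" * 150 + b"C" * 150 + b"\r\n\r\n",
    "benign_upload": b"POST /up HTTP/1.1\r\nHost: example.test\r\n\r\n" + b"A" * 300,
}

def evaluate():
    """Return {sample: (exploit_signature_hit, vulnerability_rule_hit)}."""
    return {name: (exploit_signature_match(raw), vulnerability_rule_match(raw))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, hits in evaluate().items():
        print(f"{name:14} exploit_sig={hits[0]!s:5} vuln_rule={hits[1]}")
```

The byte pattern misses the variant with different filler and fires on the benign upload body, while the parsed rule catches both oversized `Host` values with a single check.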