
IDS mailing list archives
RE: Vulnerability vs. Exploit signatures and IPS??
From: "Bill Royds" <whitehats () royds net>
Date: Wed, 18 May 2005 16:05:31 -0400

This is a bit of marketspeak, but, in general, an exploit signature would look at the strings in a particular exploit while vulnerability would try to match any pattern that would trigger the vulnerability, not just a particular exploit.

For example, program X has a buffer overflow if a certain field is greater than 255 characters. An exploit is written for this vulnerability which has the pattern "AAAAAAAAAA...AAAShEllCodeZZZZ" (256 characters) followed by the shell code strings.

An exploit signature would look for the particular pattern in this exploit (string of "A"s followed by the word "ShEllCode" followed by the NOP sled followed by some shell code). A vulnerability signature would look for any string longer than 255 characters and directed to this particular field in this application. This is harder to write to avoid false positives, but would catch new exploits, not just the exploit identified by the first signature.

-----Original Message-----
From: Jacob Winston [mailto:jctx09 () yahoo com]
Sent: Monday, May 16, 2005 10:58 PM
To: focus-ids () securityfocus com
Subject: Vulnerability vs. Exploit signatures and IPS??

Can someone explain to me the difference in writing signatures based on Vulnerabilities versus writing signatures based on Exploits? TippingPoint makes a claim that their IPS is better because they write signatures based on Vulnerabilities and not exploits. I don't quite understand this.

Thank you,
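
The distinction drawn in the message above, as an added example that is not part of the original post and not any vendor's signature format: one detector matches the literal bytes of the known exploit, the other checks the triggering condition (the named field exceeding 255 bytes). The `NAME=value` line protocol, the field name `USER` and all sample payloads are constructed assumptions; only the 255-character limit and the "A...ShEllCode" pattern come from the message.

```python
import re

MAX_FIELD_LEN = 255   # limit the message gives for the vulnerable field
VULN_FIELD = b"USER"  # assumption: hypothetical name of that field in "program X"

# Exploit signature: bytes of the one known exploit (run of "A"s, then the marker).
EXPLOIT_SIG = re.compile(rb"A{16,}ShEllCode")


def fields(payload: bytes):
    """Yield (NAME, value) pairs from a constructed CRLF-separated NAME=value protocol."""
    for line in payload.split(b"\r\n"):
        name, sep, value = line.partition(b"=")
        if sep:
            yield name.strip().upper(), value


def exploit_signature(payload: bytes) -> bool:
    """Fires only on the literal pattern of the known exploit, anywhere in the payload."""
    return EXPLOIT_SIG.search(payload) is not None


def vulnerability_signature(payload: bytes) -> bool:
    """Fires on the triggering condition: any USER value longer than 255 bytes."""
    return any(n == VULN_FIELD and len(v) > MAX_FIELD_LEN for n, v in fields(payload))


def classify(payload: bytes) -> tuple:
    """Return (exploit_signature_hit, vulnerability_signature_hit)."""
    return exploit_signature(payload), vulnerability_signature(payload)


# Constructed sample payloads (placeholders only, no real shellcode).
SAMPLES = {
    "known_exploit": b"USER=" + b"A" * 243 + b"ShEllCodeZZZZ" + b"\r\nCMD=LIST\r\n",
    "new_variant": b"user=" + b"B" * 300 + b"\r\nCMD=LIST\r\n",
    "benign": b"USER=alice\r\nCMD=LIST\r\n",
    "long_other_field": b"USER=alice\r\nNOTE=" + b"A" * 400 + b"\r\n",
    "boundary_255": b"USER=" + b"x" * 255 + b"\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        hit_exploit, hit_vuln = classify(payload)
        print(f"{name:17} exploit_sig={hit_exploit!s:5} vuln_sig={hit_vuln}")
```

The `new_variant` payload changes the padding byte and drops the marker, so only the vulnerability signature fires; `long_other_field` shows why that signature has to be scoped to the affected field to avoid false positives.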