Focus on IDS
CVE selection for IDS/IPS signature rules, May 29 2008 05:32AM, Ravi Chunduru (ravi is chunduru gmail com) (2 replies)
Re: CVE selection for IDS/IPS signature rules, Jun 03 2008 05:43PM, Enigma (enigma security-fu com) (2 replies)
Re: CVE selection for IDS/IPS signature rules, May 29 2008 06:35PM, Ron Gula (rgula tenablesecurity com) (1 reply)
RE: CVE selection for IDS/IPS signature rules, Jun 02 2008 06:33PM, Srinivasa Addepalli (srao intoto com)
> 2. Keep in mind that CVE is Common *Vulnerability* *and* Exposures,
> so it covers any vulnerability where IDS/IPS are generally
> exploit-centric. How are you going to detect if a vulnerability
> is exploited if there is no publicly known exploit? How do you
> find something when you don't know what it looks like?
All leading IPS vendors provide (or at least claim to provide) a
vulnerability-based detection capability.
The *idea* behind this is simple: model the protocol and all the
required triggering conditions for the vulnerability to be exploited,
and it doesn't matter what exploit code is being used.
<Disclaimer: I work for Sourcefire>
Snort has had this capability for years. For those interested, a VRT
(Sourcefire's Vulnerability Research Team) white paper is available
that details this process with examples.
-Leon
On 3 Jun 2008, at 18:43, Enigma wrote:
> Ravi Chunduru wrote:
>> Hi,
>>
>> There are over 30000 CVE vulnerability reports. Many IDS/IPS devices
>> have around 4000-5000 signature rules. My guess is that these
>> signatures may cover (detect) around 4000-7000 attacks. 23000 to
>> 26000 CVEs, that is, a significant number of CVEs, are not covered by
>> IDS/IPS devices.
>>
>> I am guessing that there is a reason for this. IDS/IPS vendors may be
>> selecting only a few CVEs for developing signatures. What are the
>> selection criteria followed in the industry? One criterion I know of
>> is that Network IDS/IPS devices don't need to worry about attacks that
>> can only be mounted on the local machine, that is, NIDS/NIPS devices
>> only need to worry about detection of attacks mounted remotely. Are
>> there any other considerations?
>>
>> Thanks
>> Ravi
>>
> Couple of things:
>
> 1. If you are talking about Network IDS/IPS, not all vulnerabilities
> are remotely exploitable. Some local vulnerabilities can only
> be detected by a HIDS if they can be detected at all.
> 2. Keep in mind that CVE is Common *Vulnerability* *and* Exposures,
> so it covers any vulnerability where IDS/IPS are generally
> exploit-centric. How are you going to detect if a vulnerability
> is exploited if there is no publicly known exploit? How do you
> find something when you don't know what it looks like?
>
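To make the distinction Leon draws above concrete, here is an added illustration that is not from the thread, from Snort or from Sourcefire: a constructed FTP-like line protocol whose server is assumed (hypothetically) to copy the USER argument into a fixed 64-byte buffer. An exploit-centric rule matches one published payload's marker string, while the vulnerability-based check parses the command and flags any argument that exceeds the buffer, so it also catches a re-encoded variant and does not fire on a legitimate login that happens to contain the marker.

```python
# Added illustration, not from the thread: exploit-centric vs vulnerability-based
# detection over a constructed, FTP-like line protocol. All names are hypothetical.
from dataclasses import dataclass

# Hypothetical vulnerable condition: the server copies the USER argument into a
# 64-byte stack buffer. Any longer argument triggers the bug, whatever bytes it holds.
USER_BUF_LEN = 64

# Exploit-centric rule: a byte pattern taken from one (constructed) published
# exploit. It recognises that payload and nothing else.
KNOWN_EXPLOIT_MARKER = b"EVILEVIL"


def exploit_signature_hit(payload: bytes) -> bool:
    """Plain content match, the way a pure byte-pattern signature works."""
    return KNOWN_EXPLOIT_MARKER in payload


@dataclass
class Command:
    verb: str
    arg: bytes


def parse_line(line: bytes) -> Command:
    """Model the protocol: VERB SP ARG CRLF. Strip the terminator, split once."""
    verb, _, arg = line.rstrip(b"\r\n").partition(b" ")
    return Command(verb.upper().decode("ascii", "replace"), arg)


def vulnerability_condition_hit(line: bytes) -> bool:
    """Fire only when the parsed USER argument exceeds the buffer the bug lives in."""
    cmd = parse_line(line)
    return cmd.verb == "USER" and len(cmd.arg) > USER_BUF_LEN


def classify(line: bytes) -> dict:
    """Run both detection styles over one protocol line."""
    return {"exploit_sig": exploit_signature_hit(line),
            "vuln_cond": vulnerability_condition_hit(line)}


# Constructed sample traffic: a normal login, the published exploit, a variant with
# different filler, a long PASS (a different buffer, not this bug), and a legitimate
# login whose name merely contains the marker (a signature false positive).
SAMPLES = {
    "legit":     b"USER alice\r\n",
    "published": b"USER " + b"A" * 60 + KNOWN_EXPLOIT_MARKER + b"\r\n",
    "variant":   b"user " + b"x" * 100 + b"\r\n",
    "other_cmd": b"PASS " + b"B" * 200 + b"\r\n",
    "false_pos": b"USER EVILEVIL\r\n",
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:10s} {classify(line)}")
```

The vulnerability-based check still needs the triggering condition to be known, which is exactly the information a well-analysed CVE supplies even when no public exploit exists.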