abhicc - I didn't understand what you mean by "to have a signature or
rule which will create a region where other vulnerability specific
rules can operate."
What I meant to say is that there are more chances of false positives in
client-side HTTP. Understanding of the protocol is necessary, but I don't
understand how it's related to false positives. There might be a
vulnerability in a webserver where a GET request of more than 256
characters might crash it; that doesn't mean there cannot be a GET request
with more than 256 characters (if you consider writing generic filters).

hirosh - We are not coming to the argument of exploit vs. vulnerability,
nor about how fast we can write rules. Say, tackling file format
vulnerabilities, you can do some sort of file format decoder, but that
too will be complex. Especially client-side, there are way too many
evasion tactics. You can also be creative in writing exploit-specific
filters :) If we just look for AAAA, it will be hard to survive in the
industry :)

-Abhishek

On 8 Aug 2007 10:22:39 -0000, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Exploit specific means -> you have less idea about the vulnerability and you
> want to complete the rules fast??
>
> If you have a good idea about the vulnerability and you can do better protocol
> or whatever parsing is needed, then why go for
>
> exploit specific? It doesn't look professional. You can be bypassed by just
> changing AAA to BBB bobo..
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to 
> http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------
>
>
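The two rule styles argued over in this thread, run side by side over four constructed requests. This is an added example, not code from either poster: the function names, the 64-byte `A` run threshold and the sample requests are assumptions, and the 256-character limit is the hypothetical one from the reply above.

```python
import re

LIMIT = 256  # hypothetical crash threshold taken from the reply above


def request_target(raw: bytes):
    """Return (method, target) from the request line, or None if malformed."""
    parts = raw.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0], parts[1]


def exploit_specific(raw: bytes) -> bool:
    """Match the filler of one known exploit: a long run of 'A' bytes."""
    return re.search(rb"A{64,}", raw) is not None


def generic_length(raw: bytes) -> bool:
    """Match the vulnerable condition itself: a GET target longer than LIMIT."""
    parsed = request_target(raw)
    return parsed is not None and parsed[0] == b"GET" and len(parsed[1]) > LIMIT


# Constructed sample traffic (not captured from any real system).
SAMPLES = {
    "exploit_A": b"GET /" + b"A" * 300 + b" HTTP/1.0\r\n\r\n",
    "exploit_B": b"GET /" + b"B" * 300 + b" HTTP/1.0\r\n\r\n",
    "benign_long": b"GET /search?q=" + b"ids+rules+" * 30
                   + b" HTTP/1.1\r\nHost: example.test\r\n\r\n",
    "benign_short": b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
}


def verdicts() -> dict:
    """Map each sample name to (exploit_specific hit, generic_length hit)."""
    return {name: (exploit_specific(raw), generic_length(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (by_filler, by_length) in verdicts().items():
        print(f"{name:13} exploit_specific={by_filler!s:5} generic_length={by_length}")
```

The filler match misses the same request once `A` becomes `B`, while the length rule also fires on the long search request, which is a false positive whenever the destination is not the affected server.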
