A quick comment on the below point:
2. Keep in mind that CVE is Common **Vulnerability* *and Exposures,
so it covers any vulnerability where IDS/IPS are generally
exploit-centric. How are you going to detect if a vulnerability
is exploited if there is no publicly known exploit? How do you
find something when you don't know what it looks like?
All leading IPS venders provide (or at least claim to provide) a
vulnerability based detection capability.
The *idea* behind this is simple. Model the protocol and all the
required triggering conditions for the vulnerability to be exploited,
and it doesn't matter what exploit-code is being used.
<Disclaimer : I work for Sourcefire>
Snort has had this capability for years. For those interested a VRT
(Sourcefire's Vulnerability Research Team) white paper is available
that details this process with examples.
-Leon
On 3 Jun 2008, at 18:43, Enigma wrote:
Ravi Chunduru wrote:
Hi,
There are over 30000 CVE vulnerability reports. Many IDS/IPS devices
have around 4000-5000 signature rules. My guess is that these
signatures may cover (detect)around 4000-7000 attacks. 23000 to
26000
CVEs, that is, significant number of CVEs are not covered by IDS/IPS
devices.
I am guessing that there is reason for this. IDS/IPS vendors may be
selecting few CVEs for developing signatures. What is the selection
criteria followed in industry? One criteria, I know is that Network
IDS/IPS devices don't need to worry about attacks that can only be
mounted on the local machine, that is, NIDS/NIPS devices only need
to
worry about detection of attacks mounted remotely. Are there any
other
considerations?
Thanks
Ravi
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks
from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
Couple of things:
1. If you are talking about Network IDS/IPS, not all vulnerabilities
are remotely exploitable. Some local vulnerabilities can only
be detected by a HIDS if they can be detected at all.
2. Keep in mind that CVE is Common **Vulnerability* *and Exposures,
so it covers any vulnerability where IDS/IPS are generally
exploit-centric. How are you going to detect if a vulnerability
is exploited if there is no publicly known exploit? How do you
find something when you don't know what it looks like?
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks
from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------
