On 13/03/2009 21.05, Paul Palmer wrote:
So, for example, in some (well, at least one) IDS products, the signature writer can write a single signature to recognize attempts to exploit a vulnerability in a data structure embedded within a Quicktime Movie file even before he knows how the attacker will encode the exploit.
Paul, I think the IDS you're talking about is unique (so far), and I believe I know which one you're referring to :)

To go back to Terry's question, Paul's example shows something that you cannot really do right now with Snort. You would need to rewrite the detection engine from scratch, in particular the regular expression engine (I won't go into the details, but the whole thing is related to grammar and automata theory).

We had a similar case when monitoring a network with an anomaly-based NIDS. Snort was able to detect only one instance of the attack, while the anomaly-based NIDS detected all the attack instances. To achieve the same detection rate with Snort, we would have had to write another 255 rules... which would have made the whole system run slower (and just to detect one attack!)...

Signature-based IDSs are moving towards vulnerability signatures, because their application is of great interest, especially to IPS vendors. However, the power of vulnerability signatures has not been fully explored yet.
--
Damiano Bolzoni
[email protected]
Homepage: http://dies.ewi.utwente.nl/~bolzonid/
PGP public key: http://dies.ewi.utwente.nl/~bolzonid/public_key.asc
Skype ID: [email protected]
Distributed and Embedded Security Group - University of Twente
P.O. Box 217, 7500AE Enschede, The Netherlands
Phone +31 53 4892477, Mobile +31 629 008724
ZILVERLING building, room 3013
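The distinction the two messages above turn on, an exploit signature that matches one encoding of an attack versus a vulnerability signature that matches the condition that triggers the bug, can be shown in a few lines. The following is an added illustration written for this page; it is not code from the thread, from Snort, or from any IDS product mentioned. It uses only the generic QuickTime atom layout (4-byte big-endian size, 4-byte type, payload) and a hypothetical decoder defect: an atom of type `hypo` whose payload is longer than a fixed 256-byte buffer. The atom type `hypo`, the buffer limit and the bug are assumptions for the example, not a real QuickTime vulnerability. The 256 one-byte XOR encodings of the payload stand in for the "another 255 rules" Damiano mentions.

```python
"""Exploit signature vs vulnerability signature over a QuickTime-style atom stream.

Added example, not from the original thread. Everything about the 'hypo' atom,
the 256-byte buffer and the decoder bug is hypothetical.
"""
import struct

BUF_LIMIT = 256      # hypothetical fixed-size buffer in the decoder
VULN_ATOM = b"hypo"  # hypothetical atom type handled by that decoder


def parse_atoms(data):
    """Return [(type, payload), ...] for the top-level atoms in data.

    Generic atom layout: 4-byte big-endian size (header included), 4-byte type.
    Extended sizes (size == 0 or 1) are not handled here; they, and any atom
    that runs past the end of the buffer, stop the parse rather than raise.
    """
    atoms, off = [], 0
    while off + 8 <= len(data):
        size, typ = struct.unpack(">I4s", data[off:off + 8])
        if size < 8 or off + size > len(data):
            break  # malformed or truncated: treat the rest as opaque bytes
        atoms.append((typ, data[off + 8:off + size]))
        off += size
    return atoms


def vuln_signature(data):
    """Vulnerability signature: fire on the triggering condition (an oversized
    'hypo' payload) regardless of what bytes the payload carries."""
    return any(typ == VULN_ATOM and len(payload) > BUF_LIMIT
               for typ, payload in parse_atoms(data))


def exploit_signature(data, key=0x00):
    """Exploit signature: a byte-pattern rule for one known encoding of the
    payload (here the plaintext encoding, key 0), the way a content match in a
    Snort rule would be written after seeing one sample."""
    pattern = bytes(b ^ key for b in b"ATTACK" * 4)
    return pattern in data


def make_exploit(key):
    """Constructed sample: a benign 'ftyp' atom followed by a 'hypo' atom whose
    360-byte payload is XOR-encoded with a one-byte key. Each key is one of the
    256 encodings an attacker can pick between."""
    plain = b"ATTACK" * 60                     # 360 bytes > BUF_LIMIT
    payload = bytes(b ^ key for b in plain)
    ftyp = struct.pack(">I4s", 8 + 4, b"ftyp") + b"qt  "
    hypo = struct.pack(">I4s", 8 + len(payload), VULN_ATOM) + payload
    return ftyp + hypo


def benign_file():
    """Constructed sample: same atoms, but the 'hypo' payload fits the buffer."""
    ftyp = struct.pack(">I4s", 8 + 4, b"ftyp") + b"qt  "
    hypo = struct.pack(">I4s", 8 + 16, VULN_ATOM) + b"\x00" * 16
    return ftyp + hypo


def count_detections(sig):
    """How many of the 256 encodings of the attack the given signature catches."""
    return sum(1 for key in range(256) if sig(make_exploit(key)))


if __name__ == "__main__":
    print("exploit signature :", count_detections(exploit_signature), "/ 256")
    print("vuln signature    :", count_detections(vuln_signature), "/ 256")
    print("benign file       :", vuln_signature(benign_file()), exploit_signature(benign_file()))
```

The exploit signature matches exactly one of the 256 encodings, so covering the rest would take 255 more content rules; the vulnerability signature matches all 256 with a single check and still passes the benign file, because it tests the length field the decoder mishandles rather than the bytes the attacker chose. The cost is the one that Damiano alludes to: the detector has to parse the format far enough to recover that field, which a byte-pattern engine does not do.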
