Maybe this is an example for Q(2) ( http://vil.nai.com/vil/Content/v_vul31280.htm ), such that the first exploit for MS07-029 vulnerability was found on 4/14/2007, its signature was released on 4/17/2007, and the signature was continually updated with the discovery of some new exploits. From the statement "McAfee Avert Labs will continue to update our coverage, as needed, as new exploit vectors are discovered and as new threats emerge", we know that the signature should be an exploit-based signature.
Regards Yong >> >Greetings to everyone. > > I have some questions about exploit-based and vulnerability-based signature > of IDS. > > I heard that exploit-based signature is dead (useless), since > vulnerability-based signatures are more effective than exploit-based > signatures in that they can detect unknown exploits if a vulnerability can be > utilized by many exploits. However, I don't agree with this argument, for the > following reasons: >(1) When a vulnerability is unknown, exploit-based might be a good solution. >(2) Exploit-based signatures are still irrepetable for early defense of >zero-day worms or zero-day exploits, since exploit-based signatures can be >generated more timely. >(3) In the perfect world, we need to generate both types of signatures (even >finally we only use vulnerability-based signature in detection). That way we >not only know we were attacked, but we know with what type of exploit; or that >it's a new unknown variant of an exploit. That's useful information in and of >itself. > > To support the above viewpoints, I have some concrete questions needed > to be answered: >(1) Were there some attacks that have exploit-based signature but have not >vulnerability-based signature? Can someone give me some exmples? >(2) Were there some examples to show that exploit-based signatures were >generated much quickly and timely than the generation of vulnerability-based >signatures for the historical worms or attacks ? >(3) Does current IDS (e.g. Snort) use both signature types of exploit-based >and vulnerability? If so, what percentage of sigantures are exploit-based? > > >Thanks for you any input of discussing "exploit-based vs. vulnerability-based >signature" ! > > > >
