The answer to your question is "no": there is no logic behind it.

A good example is the recent Apache worm. We released an advisory and pattern-match rules for the worm over the weekend. At the same time, we added a "protocol-anomaly" signature, and released an XPU on Tuesday.

Pattern-match signatures that target the exploit can be quickly generated, but they suffer from the fact that they would not be able to detect variations of the exploit. For example, much like Nimda and CodeRed, we expect that there is a high chance that somebody will take the code for this worm and make it "better". The protocol-anomaly signature released on Tuesday should catch all variations of the worm, and any other exploit of the vulnerability (i.e. it is a "vulnerability" signature rather than an "exploit" signature). These vulnerability signatures are harder to create, which is why it takes two extra days for them to appear.

Historically, we've been coming out with XPUs at least once a month. Protocol-analysis techniques are better than pure pattern-match signatures, but they take longer to create. However, we have fine-tuned our processes such that we can create them more easily, so we will be bringing that cycle in. In theory, we are setting things up for possible daily updates, but at this stage, the hacker community isn't coming up with new exploits at that rate.

--- Samson Martinez <[EMAIL PROTECTED]> wrote:
> Hello,
>
> Is there any logic behind the timing of XPUs for RealSecure Network
> Sensors (or all XPUs for that matter)? I've just recently been given
> ownership and responsibility for our RealSecure IDS solution and was
> reviewing the information at http://www.iss.net/db_data/xpu/RS.php and
> noticed the time between different updates. Is there a schedule that
> takes precedence over the need for updates? Are user-defined signatures
> the provided solution for any threats that arise during the time-between
> updates? Any info is greatly appreciated.
>
> Samson Martinez
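
The difference between an "exploit" signature and a "vulnerability" signature described in the reply above, as an added example that is not part of the original message and is not ISS or RealSecure signature code. The header name, the 64-byte limit and all sample requests are constructed for illustration and do not describe the Apache worm or the flaw it used.

```python
# Assumption (hypothetical): the flaw is triggered by any "X-Demo" header
# value longer than 64 bytes. Header name and limit are made up for the demo.
VULN_HEADER = b"x-demo"
VULN_LIMIT = 64
# Exploit signature: literal bytes lifted from the first (constructed) sample.
EXPLOIT_BYTES = b"X-Demo: " + b"A" * 80

def pattern_match(raw: bytes) -> bool:
    """Pattern-match ("exploit") signature: fires only on the known bytes."""
    return EXPLOIT_BYTES in raw

def parse_headers(raw: bytes) -> list[tuple[bytes, bytes]]:
    """Decode the request head into (lower-cased name, stripped value) pairs."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    headers = []
    for line in head.split(b"\r\n")[1:]:  # skip the request line
        name, sep, value = line.partition(b":")
        if sep:
            headers.append((name.strip().lower(), value.strip()))
    return headers

def protocol_anomaly(raw: bytes) -> bool:
    """Protocol-anomaly ("vulnerability") signature: fires on the condition
    that reaches the flaw, whatever bytes are used to get there."""
    return any(name == VULN_HEADER and len(value) > VULN_LIMIT
               for name, value in parse_headers(raw))

def request(header_line: bytes) -> bytes:
    """Build a minimal constructed HTTP request carrying one extra header."""
    return b"GET / HTTP/1.1\r\nHost: example.test\r\n" + header_line + b"\r\n\r\n"

# Constructed traffic: the first sample, two variations of it, one benign request.
SAMPLES = {
    "original": request(b"X-Demo: " + b"A" * 80),
    "new filler": request(b"X-Demo: " + b"B" * 80),
    "new case/spacing": request(b"x-DEMO:" + b"A" * 80),
    "benign": request(b"X-Demo: short"),
}

def evaluate() -> dict[str, tuple[bool, bool]]:
    """Return (pattern_match, protocol_anomaly) verdicts per sample."""
    return {k: (pattern_match(v), protocol_anomaly(v)) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for name, (pm, pa) in evaluate().items():
        print(f"{name:18} pattern-match={pm!s:5} protocol-anomaly={pa}")
```

The pattern-match rule needs only one captured sample, while the protocol-anomaly rule needs a decoder and an understanding of the triggering condition, which matches the extra lead time the reply describes.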
