RE: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures

To: "'Pukhraj Singh'" <pukhraj.singh@xxxxxxxxx>
Subject: RE: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures
From: "avivra" <avivra@xxxxxxxxx>
Date: Thu, 28 Sep 2006 19:04:00 +0200
Cc: <karmic_nirvana@xxxxxxxxx>, <EArsal@xxxxxxxxxxx>, <full-disclosure@xxxxxxxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:from:to:cc:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:in-reply-to:x-mimeole:thread-index; b=NY5EZk3sO7enbKYseQ8RKSVXco8+gL7yVnWg0COf17B6sMA/K/6onw4OJUM0VopP0a08PvhTOnGTys2TcyKLKgNoHA7EpXWxsy0qXBd00uI3k9lcMDJZTSWyrmk4CB6sR6hIDnb5X6UQLFe15ap1q2WkcaWaK9Q4skauhTaLD2c=
In-reply-to: <1a9f19350609272237o67ba58b4na394cb713fdf77c6@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcbiwC6YM5UEJNHzSiujTJiyBw7L5QAXxYjg

With any luck, not too much. The point is that there is a way to do it, and
if there is a way, someone will use it in a bad manner eventually.
We can only hope that the users will count more on vulnerability/behavior
based security solutions, and not exploit based security solutions.

-- Aviv.

-----Original Message-----
From: Pukhraj Singh [mailto:pukhraj.singh@xxxxxxxxx] 
Sent: Thursday, September 28, 2006 7:37 AM
To: avivra
Cc: karmic_nirvana@xxxxxxxxx; EArsal@xxxxxxxxxxx;
full-disclosure@xxxxxxxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures

And you tell me how many of these variants you will actually find in
the wild. Won't be a significant number I bet.

Cheers!
Pukhraj

On 9/27/06, avivra <avivra@xxxxxxxxx> wrote:
> Hi,
>
> > i.e. I can't afford to buy "specialized" security tools/devices for
> > "speclialized" attacks unless my company relies heavily on web/content
> > services.
>
> So, you will buy "specialized" security tools like firewall or
> Anti-Virus, but not web content filtering tool?
>
> > In our company, we established a information-sharing
> > network with other security companies. So the real-time exploit-facing
> > signatures were then subjected to live traffic, honeypots and countless
> > variants; They seemed to work out pretty well.
>
> I would like to see how your real-time signatures get updated with the
> randomization implemented in the new VML metasploit module. Your
> "countless" exploit variants will become really innumerable.
>
> The problem is that the signatures are written for the exploit, and
> not for the vulnerability.
>
> -- Aviv.
>

References:
- Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures
  - From: Pukhraj Singh

Prev by Date: [ MDKSA-2006:170-1 ] - Updated webmin packages fix XSS vulnerability
Next by Date: [USN-353-1] openssl vulnerabilities
Previous by thread: Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures
Next by thread: Re: [Full-disclosure] VML Exploit vs. AV/IPS/IDS signatures
Index(es):
- Date
- Thread