Hi Aviv/Pukhraj & others:As a security professional and researchers, our aim is to provide more in-depth information on intrusion (security) aspects, for example, some virus out-break, new windows vulnerability etc. Aviv is right by saying that signatures should match the vulnerability, not the exploits. Signature writing is a very responsible task and, of course, technical too. But unfortunately, there are not many people, who have required knowledge ( i m talking in context to india). but companies need people with the requirement of writing signatures. So, in this process, so called security professional start looking at exploits and write signatures (just to mention, I have seen few snort signatures that match "Shellcode part"!!!) . As Pukharaj mentioned that there are not many variants found in the wild, such signatures work and company and hired-security-professionals are happy. I have heard ( I am not sure whether it is really true) that few products (I don't even know the name!!) are simply dependent on open sources (like Snort or bleeding snort or nessus!!!!) for signatures. To overcome this (pathetic) situation, the solution, being suggested by Pukhraj makes sense i.e. collect as much exploits as possible and then try to analyze them and write signature. Here I want to add one thing that once we have a number of exploits, we should, at least now, try to understand the vulnerability based on the information present in all the exploits and try to come out with a common signature (or a common set of signatures).
regards -Sanjay At 11:07 AM 9/28/2006, Pukhraj Singh wrote:
And you tell me how many of these variants you will actually find in the wild. Won't be a significant number I bet. Cheers! Pukhraj On 9/27/06, avivra <avivra@xxxxxxxxx> wrote:Hi, > i.e. I can't afford to buy "specialized" security tools/devices for > "speclialized" attacks unless my company relies heavily on web/content > services. So, you will buy "specialized" security tools like firewall or Anti-Virus, but not web content filtering tool? > In our company, we established a information-sharing > network with other security companies. So the real-time exploit-facing > signatures were then subjected to live traffic, honeypots and countless > variants; They seemed to work out pretty well. I would like to see how your real-time signatures get updated with the randomization implemented in the new VML metasploit module. Your "countless" exploit variants will become really innumerable. The problem is that the signatures are written for the exploit, and not for the vulnerability. -- Aviv.
Sanjay Rawat Security Research Engineer INTOTO Software (India) Private Limited Uma Plaza, Nagarjuna Hills PunjaGutta,Hyderabad 500082 | India Office: + 91 40 23358927/28 Extn 424 Website : www.intoto.com Homepage: http://sanjay-rawat.tripod.com Computer Security: A little delay to break into your network. -- DSR