Re: Survey: Use of Same Attack/Same Codebase content decision in VDB's
The following comments are from Steve Northcutt.

> From Stephen.Northcutt@bmdo.osd.mil Thu Jul 1 11:49:33 1999
> Return-Path: <Stephen.Northcutt@bmdo.osd.mil>
> Received: from hqbmdofs03.bmdo.osd.mil (firewall.bmdo.osd.mil [134.152.2.194] (may be forged))
>     by linus.mitre.org (8.8.7/8.8.7) with ESMTP id LAA26228
>     for <coley@linus.mitre.org>; Thu, 1 Jul 1999 11:49:32 -0400 (EDT)
> Received: from hqbmdofs03.bmdo.osd.mil (root@localhost)
>     by hqbmdofs03.bmdo.osd.mil with ESMTP id JAA02331
>     for <coley@linus.mitre.org>; Thu, 1 Jul 1999 09:33:05 -0400 (EDT)
> Received: from hqbmdofs01.bmdo.osd.mil (hqbmdofs01.bmdo.osd.mil [172.20.1.1])
>     by hqbmdofs03.bmdo.osd.mil with ESMTP id JAA02327
>     for <coley@linus.mitre.org>; Thu, 1 Jul 1999 09:33:05 -0400 (EDT)
> Received: by HQBMDOFS01 with Internet Mail Service (5.5.2448.0)
>     id <N4S6V5G7>; Thu, 1 Jul 1999 09:36:25 -0400
> Message-ID: <A0CCBD88DC7ED1118BBD00005A4441D403C1AFF4@HQBMDOFS01>
> From: "Northcutt, Stephen, CIV, BMDO/DSC" <Stephen.Northcutt@bmdo.osd.mil>
> To: "'Steven M. Christey'" <coley@linus.mitre.org>
> Subject: RE: Survey: Use of Same Attack/Same Codebase content decision in
>     VDB's
> Date: Thu, 1 Jul 1999 09:36:24 -0400
> MIME-Version: 1.0
> X-Mailer: Internet Mail Service (5.5.2448.0)
> Content-Type: text/plain;
>     charset="iso-8859-1"
>
> <I'd prefer to delay deciding on the Same Attack/Same Codebase
> <decisions until I hear from an IDS person.
>
> Actually, I have done a little intrusion detection system development.
>
> From a pragmatic IDS perspective you are keying on three things, source
> information, dest information, signature information.
>
> CVE would be concerned with the latter. Most IDSes are very primitive
> and rely on exact signature matches. However, at the price of false
> positives they often match on substrings. Can two completely different
> attacks have the same signature? Certainly. Can we track a codebase
> by its network footprint? Sometimes.
>
> Vulnerabilities are the gateways by which exploits are made manifest.
> A network based IDS can't (usually) detect the vulnerability, it detects
> the signature of the exploit in transit. Now let's bring it home.
>
> Because the signature matching is so poor on most intrusion detection
> systems, if you are going to be sensitive to IDSes, you probably need
> to individually enumerate the vulnerabilities since they will often have
> a different signature. You do NOT want to give IDSes a reason to do
> partial matches! For instance two commercial systems alert on phf? instead
> of phf? and cat (as in cat /etc/passwd). That causes a lot of false
> positives and gets the filter turned off in short order.
>
> If you find this helpful, feel free to share with the group. S.
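The false-positive problem Northcutt describes can be made concrete with a toy signature matcher. This is an added example, not code from the list or from any IDS vendor he mentions: it compares a partial-match signature that fires on the substring `phf?` alone against one that requires the full footprint he names (`phf?` together with `cat` as a whole word), running both over a handful of constructed HTTP request lines. The request lines, the `Signature` class and the `run` helper are all assumptions of this example; the URL-decoding step stands in for the normalization a real sensor would do before matching.

```python
"""
Toy network-IDS signature matcher: partial match vs. full exploit footprint.

A signature is a set of regular expressions that must ALL be present in the
(URL-decoded) request line for the signature to fire.  Everything below,
including the sample traffic, is constructed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import unquote


@dataclass(frozen=True)
class Signature:
    name: str
    patterns: Tuple[str, ...]   # every pattern must match for the signature to fire


# Partial-match rule: alerts on any request that names the phf CGI.
PARTIAL = Signature("phf-partial", (r"phf\?",))

# Full-footprint rule: the CGI name AND a standalone "cat" token, as in
# "cat /etc/passwd".  \b keeps "cat" from matching inside "catherine".
FULL = Signature("phf-cat", (r"phf\?", r"\bcat\b"))

# Constructed sample request lines, roughly as a sensor would reassemble them.
REQUESTS: List[str] = [
    "GET /cgi-bin/phf?Qalias=jsmith HTTP/1.0",                     # legitimate lookup
    "GET /cgi-bin/phf?Qname=catherine HTTP/1.0",                    # benign, contains "cat" as a substring
    "GET /cgi-bin/phf?Qalias=x%20cat%20/etc/passwd HTTP/1.0",       # constructed exploit-like footprint
    "GET /index.html HTTP/1.0",                                     # unrelated traffic
]


def normalize(request_line: str) -> str:
    """URL-decode the request so percent-encoded separators cannot hide a token."""
    return unquote(request_line)


def matches(sig: Signature, request_line: str) -> bool:
    """True only if every pattern of the signature appears in the decoded request."""
    text = normalize(request_line)
    return all(re.search(pattern, text) for pattern in sig.patterns)


def run(signatures: List[Signature], requests: List[str]) -> Dict[str, List[str]]:
    """Return, per signature name, the list of request lines it fired on."""
    hits: Dict[str, List[str]] = {sig.name: [] for sig in signatures}
    for line in requests:
        for sig in signatures:
            if matches(sig, line):
                hits[sig.name].append(line)
    return hits


def false_positives(signatures: List[Signature], requests: List[str],
                    suspicious: List[str]) -> Dict[str, int]:
    """Count alerts on requests that are NOT in the analyst-labelled suspicious set."""
    hits = run(signatures, requests)
    return {name: sum(1 for line in lines if line not in suspicious)
            for name, lines in hits.items()}


if __name__ == "__main__":
    suspicious = [REQUESTS[2]]   # the one request an analyst would call an exploit attempt
    for name, lines in run([PARTIAL, FULL], REQUESTS).items():
        print(f"{name}: {len(lines)} alert(s)")
        for line in lines:
            print("   ", line)
    print("false positives:", false_positives([PARTIAL, FULL], REQUESTS, suspicious))
```

Run as-is, the partial rule alerts on all three phf requests, including the two benign lookups, while the full-footprint rule alerts only on the request that carries both tokens. That is the trade-off in the message: the looser rule is the one that gets turned off "in short order", which is why enumerating vulnerabilities individually, each with its own specific signature, serves IDS authors better than one broad pattern.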