
Re: Survey: Use of Same Attack/Same Codebase content decision in VDB's

The following comments are from Steve Northcutt.

>From: "Northcutt, Stephen, CIV, BMDO/DSC" <Stephen.Northcutt@bmdo.osd.mil>
>To: "'Steven M. Christey'" <coley@linus.mitre.org>
>Subject: RE: Survey: Use of Same Attack/Same Codebase content decision in VDB's
>Date: Thu, 1 Jul 1999 09:36:24 -0400 
><I'd prefer to delay deciding on the Same Attack/Same Codebase
><decisions until I hear from an IDS person.
>Actually, I have done a little intrusion detection system development.
>From a pragmatic IDS perspective you are keying on three things, source
>information, dest information, signature information.
>CVE would be concerned with the latter.  Most IDSes are very primitive
>and rely on exact signature matches. However, at the price of false
>positives they often match on substrings. Can two completely different
>attacks have the same signature?  Certainly.  Can we track a codebase
>by its network footprint?  Sometimes.  
>Vulnerabilities are the gateways by which exploits are made manifest.
>A network based IDS can't (usually) detect the vulnerability, it detects 
>the signature of the exploit in transit.  Now let's bring it home.
>Because the signature matching is so poor on most intrusion detection
>systems, if you are going to be sensitive to IDSes, you probably need
>to individually enumerate the vulnerabilities since they will often have
>a different signature.  You do NOT want to give IDSes a reason to do
>partial matches!  For instance, two commercial systems alert on phf? instead
>of phf? and cat (as in cat /etc/passwd).  That causes a lot of false
>positives and gets the filter turned off in short order.
>If you find this helpful, feel free to share with the group.  S.
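As an added illustration (not part of Northcutt's message, nor CVE or any IDS product's code), the Python below scores a loose signature that keys on "phf?" alone, a bare substring rule, and the narrower "phf? plus cat /etc/passwd" rule the message recommends against a handful of constructed request lines. The sample requests, their labels and the signature names are assumptions.

```python
import urllib.parse

# Constructed sample of web-server request lines (not from the original message).
# Each entry is (request, is_attack); the label is our assumed ground truth.
SAMPLE_REQUESTS = [
    ("GET /cgi-bin/phf?Qname=smith&Qalias=jsmith HTTP/1.0", False),  # legitimate phonebook lookup
    ("GET /cgi-bin/phf?Qalias=x;cat%20/etc/passwd HTTP/1.0", True),  # the pattern the message describes
    ("GET /docs/concat.html HTTP/1.0", False),                       # unrelated request
    ("GET /cgi-bin/phf?Qname=cathy HTTP/1.0", False),                # benign, "cat" only as a substring
]

# A signature is a list of substrings that must ALL appear in the URL-decoded request.
SIGNATURES = {
    "loose":     ["phf?"],                      # what the two commercial systems alerted on
    "substring": ["cat"],                       # a pure substring match, for comparison
    "specific":  ["phf?", "cat /etc/passwd"],   # the narrower rule the message argues for
}


def matches(signature, request):
    """True when every token of the signature occurs in the URL-decoded request line."""
    decoded = urllib.parse.unquote(request)
    return all(token in decoded for token in signature)


def evaluate(signature, samples=SAMPLE_REQUESTS):
    """Return (true_positives, false_positives, false_negatives) for one signature."""
    tp = fp = fn = 0
    for request, is_attack in samples:
        hit = matches(signature, request)
        if hit and is_attack:
            tp += 1
        elif hit and not is_attack:
            fp += 1
        elif not hit and is_attack:
            fn += 1
    return tp, fp, fn


if __name__ == "__main__":
    # Loose and substring rules each fire on two benign lines; the specific rule fires only on the attack.
    for name, sig in SIGNATURES.items():
        tp, fp, fn = evaluate(sig)
        print(f"{name:9s} signature: {tp} true positive(s), {fp} false positive(s), {fn} missed")
```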

Page Last Updated or Reviewed: May 22, 2007