Well, what abhicc might have meant is to have a proper protocol parser/rule, which will decode the data on the wire correctly and specifically to a protocol, and use this to decide whether a vulnerability/exploit exists, and not directly check for the vulnerability in the data on the wire stream. All data has to be seen in the context of the protocol it's coming from. The same sequence of bytes has different meanings for different protocols/versions.
Regarding the exploit vs. vulnerability argument: well, going with the vulnerability is always the better option. Being exploit-specific means that whenever someone smart out there comes up with a sequence of code different enough, the IDS/IPS gets bypassed, and the devs have to scramble to cover this new one. Having exploit-specific signatures also means having more signatures on the box, whereas all these exploits might be using a common vector, and if the signature/rule was vulnerability-specific, only one signature could have stopped all the exploits. It just depends how much work the DEV/QA team wants to put in :-) And I agree with Hirosh, better to take the time and do it once and do it right than modify it every time a new version of the exploit comes out.
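As an added illustration of the two points above (protocol context, and vulnerability-specific vs. exploit-specific rules), here is a small Python example. It is not the poster's code and does not describe any real IDS or protocol: the line-based protocol, the hypothetical 64-byte limit on the HELLO argument, and the sample messages are all constructed for the example.

```python
"""
Constructed toy protocol: one text command per message, "<VERB> <ARG>\r\n".
Assumption for this example only: the (imaginary) server copies the HELLO
argument into a fixed 64-byte buffer, while DATA accepts arguments of any
length. Nothing here refers to a real product or wire protocol.
"""
import re

HELLO_BUFFER_SIZE = 64  # assumed size of the vulnerable field

# Exploit-specific rule: the byte run one particular (constructed) exploit
# sends, matched anywhere in the stream with no knowledge of the protocol.
EXPLOIT_SIGNATURE = re.compile(rb"A{%d,}" % (HELLO_BUFFER_SIZE + 1))


def parse_message(msg: bytes):
    """Protocol-aware decoder: returns (VERB, argument) or None if malformed."""
    if not msg.endswith(b"\r\n"):
        return None
    verb, _, arg = msg[:-2].partition(b" ")
    if not verb.isalpha():
        return None
    return verb.upper(), arg


def exploit_rule(msg: bytes) -> bool:
    """Fires only when the wire bytes look like the one known exploit."""
    return EXPLOIT_SIGNATURE.search(msg) is not None


def vulnerability_rule(msg: bytes) -> bool:
    """Decodes the message first, then checks the actual vulnerable condition:
    a HELLO argument longer than the buffer it is copied into."""
    parsed = parse_message(msg)
    if parsed is None:
        return False
    verb, arg = parsed
    return verb == b"HELLO" and len(arg) > HELLO_BUFFER_SIZE


# Constructed sample traffic, one message per case.
SAMPLE_MESSAGES = {
    "benign": b"HELLO alice\r\n",
    # the published exploit: long run of 'A' in the HELLO argument
    "public_exploit": b"HELLO " + b"A" * 200 + b"\r\n",
    # same weakness triggered with a different filler byte
    "variant": b"HELLO " + b"B" * 200 + b"\r\n",
    # identical byte run, but in a field that has no length limit
    "same_bytes_other_verb": b"DATA " + b"A" * 200 + b"\r\n",
}


def evaluate(messages):
    """Returns {name: (exploit_rule_fired, vulnerability_rule_fired)}."""
    return {name: (exploit_rule(m), vulnerability_rule(m))
            for name, m in messages.items()}


if __name__ == "__main__":
    for name, (ex, vu) in evaluate(SAMPLE_MESSAGES).items():
        print(f"{name:24s} exploit-sig={ex!s:5s} vuln-rule={vu!s:5s}")
```

Running it shows the trade-off the post describes: the exploit signature misses the "variant" (same bug, different bytes) and fires on "same_bytes_other_verb" (same bytes, harmless context), while the single vulnerability rule gets all four cases right because it decodes the protocol before judging the field.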
