Greetings to everyone.

  I have some questions about exploit-based and vulnerability-based signatures
for IDS.

  I heard that exploit-based signatures are dead (useless), since
vulnerability-based signatures are more effective than exploit-based signatures
in that they can detect unknown exploits if a vulnerability can be utilized by
many exploits. However, I don't agree with this argument, for the following
reasons:
(1) When a vulnerability is unknown, exploit-based signatures might be a good
solution.
(2) Exploit-based signatures are still irreplaceable for early defense against
zero-day worms or zero-day exploits, since exploit-based signatures can be
generated in a more timely manner.
(3) In a perfect world, we need to generate both types of signatures (even if
in the end we only use vulnerability-based signatures for detection). That way
we not only know we were attacked, but we know with what type of exploit, or
that it's a new unknown variant of an exploit. That's useful information in and
of itself.

  To support the above viewpoints, I have some concrete questions that need
to be answered:
(1) Are there attacks that have an exploit-based signature but no
vulnerability-based signature? Can someone give me some examples?
(2) Are there examples showing that exploit-based signatures were generated
much more quickly than vulnerability-based signatures for historical worms or
attacks?
(3) Do current IDSs (e.g. Snort) use both exploit-based and vulnerability-based
signatures? If so, what percentage of signatures are exploit-based?

Thanks for any input on the "exploit-based vs. vulnerability-based signature"
discussion!
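To make the distinction in the post concrete, here is an added example (mine, not code from the original post or from any IDS product): a toy Python detector with one exploit-based and one vulnerability-based signature for a hypothetical "USER" command overflow, run against constructed traffic. The protocol, the 64-byte buffer, and the exploit marker bytes are all assumptions made for illustration.

```python
import re

# Constructed toy protocol for illustration: a client sends "USER <name>\r\n".
# Hypothetical vulnerability: the server copies <name> into a 64-byte buffer
# without a length check, so any name longer than 64 bytes overflows it.
BUFFER_SIZE = 64

# Exploit-based signature: the distinctive bytes of ONE known exploit
# (constructed: a 16-byte NOP sled followed by a marker string).
EXPLOIT_V1_PATTERN = re.compile(rb"USER \x90{16}EXPLOIT_V1")

# Vulnerability-based signature: parse the protocol field itself so its
# length can be compared against the buffer the vulnerable code uses.
USER_REQUEST = re.compile(rb"USER ([^\r\n]*)\r\n")


def exploit_based_match(packet: bytes) -> bool:
    """Fires only when the known exploit's payload bytes are present."""
    return EXPLOIT_V1_PATTERN.search(packet) is not None


def vuln_based_match(packet: bytes) -> bool:
    """Fires whenever the USER argument would overflow the buffer,
    regardless of which bytes the attacker chose."""
    m = USER_REQUEST.match(packet)
    return m is not None and len(m.group(1)) > BUFFER_SIZE


def triage(packet: bytes) -> str:
    """Combine both signature types: report not just that an attack was
    seen, but whether it is the known exploit or an unknown variant."""
    exploit_hit = exploit_based_match(packet)
    vuln_hit = vuln_based_match(packet)
    if exploit_hit and vuln_hit:
        return "known exploit (V1)"
    if vuln_hit:
        return "unknown variant"
    if exploit_hit:
        return "exploit bytes without overflow"
    return "clean"


# Constructed traffic samples.
SAMPLES = {
    "benign": b"USER alice\r\n",
    "known_exploit": b"USER " + b"\x90" * 16 + b"EXPLOIT_V1" + b"A" * 100 + b"\r\n",
    # Same overflow, different sled and filler: the exploit signature misses it.
    "variant": b"USER " + b"\x41" * 24 + b"B" * 100 + b"\r\n",
}

if __name__ == "__main__":
    for name, packet in SAMPLES.items():
        print(f"{name:14s} -> {triage(packet)}")
```

The "variant" sample is the case the post's point (3) is about: the exploit signature alone stays silent, the vulnerability signature alone says only "overflow", and the pair together labels it as a new variant of an attack on a known vulnerability.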