I just found an email thread about this exact subject back in May of 05. http://archives.neohapsis.com/archives/sf/ids/2005-q2/
Joel

2009/3/13 tanyoo10 <[email protected]>
>
> Greetings to everyone.
>
> I have some questions about exploit-based and vulnerability-based signatures
> of IDS.
>
> I heard that exploit-based signatures are dead (useless), since
> vulnerability-based signatures are more effective than exploit-based
> signatures in that they can detect unknown exploits if a vulnerability can be
> utilized by many exploits. However, I don't agree with this argument, for the
> following reasons:
> (1) When a vulnerability is unknown, exploit-based might be a good solution.
> (2) Exploit-based signatures are still irreplaceable for early defense against
> zero-day worms or zero-day exploits, since exploit-based signatures can be
> generated more timely.
> (3) In a perfect world, we need to generate both types of signatures (even if
> finally we only use vulnerability-based signatures in detection). That way we
> not only know we were attacked, but we know with what type of exploit; or
> that it's a new unknown variant of an exploit. That's useful information in
> and of itself.
>
> To support the above viewpoints, I have some concrete questions that need
> to be answered:
> (1) Were there some attacks that have an exploit-based signature but not a
> vulnerability-based signature? Can someone give me some examples?
> (2) Are there some examples to show that exploit-based signatures were
> generated much more quickly and timely than vulnerability-based
> signatures for historical worms or attacks?
> (3) Do current IDSs (e.g. Snort) use both signature types, exploit-based
> and vulnerability-based? If so, what percentage of signatures are exploit-based?
>
>
> Thanks for any input on discussing "exploit-based vs. vulnerability-based
> signatures"!
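The two signature types contrasted in the quoted post, shown side by side as an added example that is not part of the original thread or any real Snort rule set. Everything in it is constructed: a made-up line-oriented protocol whose server copies the argument of a LOGIN command into a fixed 64-byte buffer (the hypothetical vulnerability), two made-up exploit payloads for it, an exploit-based signature keyed on artifacts of the first payload, and a vulnerability-based signature that checks the overflow condition itself. Running both over the same traffic shows the trade-off the post describes: the exploit signature names the exploit but misses the variant, the vulnerability signature catches both but cannot say which one it saw, and combining them gives the "known exploit / unknown variant" classification point (3) asks for.

```python
"""
Exploit-based vs. vulnerability-based IDS signatures on constructed traffic.

Hypothetical protocol: the client sends "LOGIN <name>\r\n" and the server
copies <name> into a 64-byte buffer without a length check (constructed bug).
"""
import re

BUFFER_SIZE = 64  # assumed size of the server's LOGIN buffer (constructed)

# Exploit-based signatures: byte patterns specific to one known exploit, the
# way a content/pcre match in a Snort-style rule keys on that exploit's
# NOP sled and payload marker. Patterns here are invented for this example.
EXPLOIT_SIGNATURES = [
    ("exploit_A_nopsled_marker", re.compile(rb"\x90{8,}.*AAAA_MARK", re.S)),
]

# Vulnerability-based signature: parse the protocol and test the condition
# that triggers the bug, independent of what the attacker put in the buffer.
LOGIN_RE = re.compile(rb"^LOGIN ([^\r\n]*)\r\n")


def exploit_based_match(payload: bytes):
    """Return the name of the first exploit signature that matches, or None."""
    for name, pattern in EXPLOIT_SIGNATURES:
        if pattern.search(payload):
            return name
    return None


def vulnerability_based_match(payload: bytes) -> bool:
    """True when the LOGIN argument is long enough to overflow the buffer."""
    m = LOGIN_RE.match(payload)
    if not m:
        return False  # not a LOGIN command at all; the bug cannot be reached
    return len(m.group(1)) > BUFFER_SIZE


def classify(payload: bytes) -> str:
    """Combine both signature types so an alert says what was seen."""
    exploit = exploit_based_match(payload)
    vuln = vulnerability_based_match(payload)
    if exploit and vuln:
        return f"known exploit ({exploit})"
    if vuln:
        return "unknown exploit variant for this vulnerability"
    if exploit:
        # Artifacts of a known exploit without the overflow condition: most
        # likely a stale or over-broad exploit signature rather than an attack.
        return f"exploit artifacts without overflow ({exploit})"
    return "benign"


# Constructed sample traffic (not captured from any real system).
BENIGN = b"LOGIN alice\r\n"
# Exploit A: classic NOP sled plus a recognizable marker, then a fake return
# address. This is the exploit the exploit-based signature was written for.
EXPLOIT_A = b"LOGIN " + b"\x90" * 80 + b"AAAA_MARK" + b"\xef\xbe\xad\xde" + b"\r\n"
# Exploit B: same overflow, different filler and no marker, so the exploit-
# based signature has nothing to match on.
EXPLOIT_B = b"LOGIN " + b"B" * 100 + b"\x44\x33\x22\x11" + b"\r\n"
# A different command with the same sled: the overflow path is not reached.
OTHER_CMD = b"HELP " + b"\x90" * 80 + b"AAAA_MARK" + b"\r\n"

SAMPLES = {
    "benign": BENIGN,
    "exploit_A": EXPLOIT_A,
    "exploit_B": EXPLOIT_B,
    "other_cmd": OTHER_CMD,
}


def scan(samples=SAMPLES) -> dict:
    """Classify every sample; returns {label: verdict}."""
    return {label: classify(payload) for label, payload in samples.items()}


if __name__ == "__main__":
    for label, verdict in scan().items():
        print(f"{label:10s} -> {verdict}")
```

The vulnerability-based check is only as good as its model of the protocol: it must parse the same fields the vulnerable server parses, or an attacker can exploit the bug through a path the signature never looks at. The exploit-based check, by contrast, can be written in minutes from a single captured payload, which is the timeliness argument made in the quoted post, but it is defeated by any change to the filler or marker bytes.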
