IPS signatures

Unanswered Question
Oct 30th, 2007

According to the Cisco doc, the signatures can be classified as exploit, connection and string-based.

Are the exploit signatures based on known vulnerabilities or exploit patterns, or both?

After tuning alerts on the relevant contexts, would manually matching the patterns in payload and signature provide more confidence with positives?

mhellman Wed, 10/31/2007 - 06:23

To which Cisco doc are you referring? Those classifications seem a bit nonsensical. It is not uncommon to see discussions around signatures that detect a specific exploit versus the vulnerability. In either case though, with signature-based technology you are using patterns. Some are designed to detect a specific exploit of a vulnerability while others might detect any exploit of a vulnerability.
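The distinction drawn in the reply above, shown as an added example that is not part of the original thread and is not Cisco signature syntax: one pattern matches the bytes of a single known exploit, the other matches the condition that triggers the vulnerability. The `USER` command, the 64-byte limit and all payloads are constructed assumptions.

```python
import re

# Hypothetical service (assumption): a "USER <name>" command whose name
# argument overflows a buffer when it is longer than 64 bytes.
MAX_NAME = 64

# Exploit-specific signature: a byte pattern lifted from one known exploit.
# The filler and marker bytes are constructed, not a real payload.
EXPLOIT_SIG = re.compile(rb"USER A{80}\xde\xad\xbe\xef")

# Vulnerability signature: captures the USER argument so the triggering
# condition (argument longer than the buffer) can be tested directly.
VULN_SIG = re.compile(rb"^USER ([^\r\n]*)", re.M)


def match_exploit(payload: bytes) -> bool:
    """True only when the payload carries the known exploit's exact bytes."""
    return EXPLOIT_SIG.search(payload) is not None


def match_vulnerability(payload: bytes) -> bool:
    """True for any USER argument that exceeds the assumed buffer size."""
    return any(len(m.group(1)) > MAX_NAME for m in VULN_SIG.finditer(payload))


def classify(payload: bytes) -> dict:
    return {"exploit_sig": match_exploit(payload),
            "vuln_sig": match_vulnerability(payload)}


# Constructed sample payloads.
SAMPLES = {
    "benign": b"USER alice\r\n",
    "known_exploit": b"USER " + b"A" * 80 + b"\xde\xad\xbe\xef\r\n",
    # Same flaw, different filler and trailing bytes: the exploit-specific
    # pattern misses it, the vulnerability pattern still fires.
    "variant": b"USER " + b"B" * 90 + b"\x01\x02\x03\x04\r\n",
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:14s} {classify(payload)}")
```

Comparing the two results for the `variant` payload shows why an alert from an exploit-specific signature and an alert from a vulnerability signature need different follow-up when checking the captured payload by hand.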

