Snort
Sourcefire Vulnerability Research Team (VRT)
Security for the Real World.
Table of Contents

The Current IPS Landscape   3
Verifiable Protection: the Sourcefire VRT and the SNORT®   3
Why Signatures and Exploit-based Detection Offer Little Value   4
Why Rules and Vulnerability-based Protection Provide Actual Value   5
The Sourcefire VRT Rule Methodology   5
    Researching the Vulnerability   5
    Modeling the Protocol   6
        Protocol Identifiers   6
        Communication States   7
        Packet Structure and Fields   7
        Modeling the Protocol: Summary   7
    Identifying the Triggering Conditions   7
    Testing and Verifying the Assumptions   8
Sourcefire VRT Rule Methodology: Putting it All Together – a Simple Example   9
    Protocol Model   9
        Protocol Identification   9
        State of Communication   9
        Relevant Fields   10
    Triggering Conditions   10
Impact and Context: Sourcefire Real-Time Network Awareness (RNA)   10
Vulnerability-based Protection Ahead of the Threat   11
    Real World Examples   11
Summary   12
Sourcefire Vulnerability Research Team - 2
Discover. Determine. Defend.
The Current IPS Landscape
Intrusion prevention system (IPS) vendors often promote how many threats they detect and how quickly they release detection capabilities for new threats. Many organizations blindly assume that these claims are accurate, but without evidence to substantiate them, this faith is misplaced.
Unverifiable Protection: If you had a headache, would you purchase a “headache elixir” sold from a roadside stand? Or would you buy Tylenol, Advil, or another FDA-approved headache medication at the drugstore? Most IPS vendors make tenuous protection claims that are untested and unverifiable.

Partial Protection: Would you purchase a car alarm that stopped thieves from breaking into your driver’s side window, but didn’t protect the passenger’s side? Most IPS vendors similarly claim “protection” against vulnerabilities when they only cover a single specific avenue