IPS Signature development - Tips

IPS/IDS signature development is a complicated process. You don't have information at one place to gather and analyze before developing a signatures for detecting intrusion attempts. Challenges are:

• Non availability of right information at one place.
• Getting exploit scripts is not easy.
  
• Not having access to vulnerable application to verify the signature.

Some of the sites which I used to visit and guidelines I followed while developing signatures for IDS/IPS subsystems:

• Subscribe for Vulnerability notifications
• Many organizations provide this information such as CERT.
• Knowing more technical information about vulnerability information
• Check for exploit scripts
  
• visit sites such as milw0rm and secwatch
  
• Check vulnerability database in securityfocus
  
• Monitor mailing lists such as bugtraq and full-disclosure
• Monitor bleeding threats signatures for snort. ( I think now it is called as Emerging threats)
• Yet times, you may need to glee information from several resources.
  
• Yet times, assembly analysis of vulnerable code is needed to write signatures which produces less falses.
  
• Another very valuable source I find is SANS daily blog.
  
• If exploit is available, understand the vulnerability by going through the code
• Develop signature targeting the vulnerability.
• For XSS injection attacks, I used to monitor sites such as
• XSSDB at gnucitizen.org
• XSS Cheat sheet at http://www.gnucitizen.org/xssdb/
• XSS incident database.
• SQL Injection attacks: I used monitor following sites for changes
  
• SQL injection cheat sheet
• SQL injection incident database at web application security consortium.
• For P2P/IM application detection:
• Run the application, capture traffic and figure out the pattern.
• If application is available in source code from in public domain, try understanding the protocol at some details and figure out the patterns.
• Using above, develop signatures.
• Understand the protocol.
• You need to have complete understanding of IPS device capabilities with respect to rule language.
  
• Ofcourse, you need to understand vulnerability based on above information.
• You need to have good understanding of regular expressions.
  
• Testing signatures:
• Note that it is not possible to have all kinds of application packages for any IPS vendor to test the signatures.
  
• If exploit is available, develop simulation script and ensure that IPS/IDS between detects and stops the attack.
• If exploit is not available, develop simulation scripts based on information available and test the signatures.
  
• Use third party penetration tools to verify signature quality periodically.
  

As such there is no fixed methodology, but hopefully above guidelines are useful to jump start yourself.