Tuesday, March 4, 2008

IPS Signature development - Tips

IPS/IDS signature development is a complicated process. The information you need to gather and analyze before writing a signature for an intrusion attempt is rarely available in one place. The main challenges are:

  • The right information is not available in one place.
  • Exploit scripts are not easy to obtain.
  • You often have no access to the vulnerable application to verify the signature against.

Some of the sites I used to visit and the guidelines I followed while developing signatures for IDS/IPS subsystems:
  • Subscribe to vulnerability notifications.
    • Many organizations provide this information, such as CERT.
  • Gather more technical detail about each vulnerability than the advisory itself gives.
  • Monitor the Bleeding Threats signatures for Snort (I think it is now called Emerging Threats).
  • At times you may need to glean information from several sources.
  • At times, assembly-level analysis of the vulnerable code is needed to write signatures that produce fewer false positives.
  • Another very valuable source I find is the SANS daily blog.
  • If an exploit is available, understand the vulnerability by going through its code.
  • Develop the signature to target the vulnerability rather than one particular exploit, so that re-encoded or modified variants of the exploit are caught as well.
  • For XSS injection attacks, I used to monitor sites such as
  • For SQL injection attacks, I used to monitor the following sites for changes
  • For P2P/IM application detection:
    • Run the application, capture the traffic and figure out the pattern.
    • If the application's source code is publicly available, try to understand the protocol in some detail and figure out the patterns from it.
  • Using the above, develop signatures. For this you need to:
    • Understand the protocol.
    • Have a complete understanding of the IPS device's capabilities with respect to its rule language.
    • Of course, understand the vulnerability based on the information above.
    • Have a good understanding of regular expressions.
  • Testing signatures:
    • Note that no IPS vendor can have every kind of application package available to test signatures against.
    • If an exploit is available, develop a simulation script and ensure that an IPS/IDS placed in between detects and stops the attack.
    • If no exploit is available, develop simulation scripts based on the information available and test the signatures against them.
    • Use third-party penetration testing tools to verify signature quality periodically.
As such there is no fixed methodology, but hopefully the above guidelines are useful to get you started.
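To make the "target the vulnerability, then test with a simulation script" advice concrete, here is an added Python example that is not part of the original post. The vulnerable service (a 128-byte USER buffer), the exploit bytes and all traffic samples are constructed for illustration; the only real-world constant is the BitTorrent peer-wire handshake prefix, used to show the P2P pattern-detection case. The Snort-syntax line in the comments is an illustrative translation, not a rule taken from any published ruleset.

```python
"""Added example (not from the original post): a toy signature engine that
contrasts an exploit-specific rule with a vulnerability-targeted rule for a
hypothetical overflow, adds an application fingerprint for P2P detection, and
runs all three over constructed traffic samples the way a simulation script would."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass
class Signature:
    sid: int
    msg: str
    match: Callable[[bytes], bool]   # returns True when the rule fires on a payload


# Hypothetical bug (constructed for this example): the service copies the
# argument of "USER " into a 128-byte stack buffer with no bound check, so any
# argument of 128 or more bytes reaches the saved return address.
BUF_LEN = 128

# Exploit-specific rule: keys on the NOP sled and first shellcode bytes of one
# (constructed) public exploit. Brittle: a re-encoded payload does not match.
EXPLOIT_BYTES = b"\x90" * 16 + b"\x31\xc0\x50\x68"
sig_exploit = Signature(
    1000001, "FTP USER overflow (known exploit bytes)",
    lambda p: p.startswith(b"USER ") and EXPLOIT_BYTES in p)

# Vulnerability-targeted rule: the condition that triggers the bug, a USER
# argument with no line terminator within BUF_LEN bytes, whatever the payload.
# Illustrative Snort-syntax equivalent of the same idea:
#   content:"USER "; depth:5; isdataat:128,relative; content:!"|0a|"; within:128;
USER_OVERFLOW = re.compile(rb"^USER [^\r\n]{%d,}" % BUF_LEN)
sig_vuln = Signature(
    1000002, "FTP USER overflow (argument of %d+ bytes)" % BUF_LEN,
    lambda p: USER_OVERFLOW.match(p) is not None)

# Application fingerprint: the documented BitTorrent peer-wire handshake starts
# with a 0x13 length byte and the literal "BitTorrent protocol" and is 68 bytes
# in total; matching at stream start makes the rule port-independent.
BT_HANDSHAKE = b"\x13BitTorrent protocol"
sig_bt = Signature(
    2000001, "P2P BitTorrent peer handshake",
    lambda p: p.startswith(BT_HANDSHAKE) and len(p) >= 68)

SIGNATURES = [sig_exploit, sig_vuln, sig_bt]


def inspect(payload: bytes, sigs: List[Signature] = SIGNATURES) -> List[int]:
    """Return the sids of every signature that fires on one payload."""
    return [s.sid for s in sigs if s.match(payload)]


# Constructed simulation traffic, labelled so signature quality can be scored.
SAMPLES: Dict[str, bytes] = {
    "exploit_original": b"USER " + EXPLOIT_BYTES
                        + b"A" * (BUF_LEN - len(EXPLOIT_BYTES) + 8) + b"\r\n",
    "exploit_variant":  b"USER " + b"\x41" * 140 + b"\r\n",   # same bug, new payload
    "benign_login":     b"USER anonymous\r\n",
    "benign_long_user": b"USER " + b"x" * 60 + b"\r\n",
    "bt_handshake":     BT_HANDSHAKE + b"\x00" * 8 + b"\x11" * 20 + b"-XX0001-" + b"\x22" * 12,
    "http_get":         b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
}
MALICIOUS: Set[str] = {"exploit_original", "exploit_variant"}


def evaluate(sig: Signature, samples: Dict[str, bytes],
             malicious: Set[str]) -> Dict[str, List[str]]:
    """Score one signature: which attacks it caught, which it missed, and which
    benign samples it wrongly flagged (false positives)."""
    hits = {name for name, p in samples.items() if sig.match(p)}
    return {"detected": sorted(hits & malicious),
            "missed": sorted(malicious - hits),
            "false_positives": sorted(hits - malicious)}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:18s} -> {inspect(payload)}")
    for sig in (sig_exploit, sig_vuln):
        print(sig.msg, evaluate(sig, SAMPLES, MALICIOUS))
```

Running it shows the point of the guideline: the exploit-bytes rule catches the original script but misses the re-encoded variant, while the rule written on the vulnerable condition catches both and still stays silent on the benign logins. The Snort-style comment also illustrates why the rule language matters: expressing "128 bytes with no newline after the keyword" needs relative-offset and negated-content features, and a device whose rule language lacks them forces a weaker signature.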
