Sourcefire Vulnerability Research Team (VRT)
Security for the Real World.
Ta b l e o f C o n t e n t s
The Current IPS Landscape Verifiable Protection: the Sourcefire VRT and the SNORT® Why Signatures and Exploit-based Detection Offer Little Value Why Rules and Vulnerability-based Protection Provide Actual Value The Sourcefire VRT Rule MethodologyResearching the Vulnerability Modeling the Protocol
Protocol Identifiers Communication States Packet Structure and Fields Modeling the Protocol: Summary
3 3 4 5 5
6 7 7 7
Identifying the Triggering Conditions Testing and Verifying the Assumptions
Sourcefire VRT Rule Methodology: Putting it All Together – a Simple Example
Protocol Identification State ofCommunication Relevant Fields
9 9 10
Impact and Context: Sourcefire Real-Time Network Awareness (RNA) Vulnerability-based Protection Ahead of the Threat: Real World Examples Summary
10 11 11 12
Sourcefire Vulnerability Research Team - 2
Discover. Determine. Defend.
The Current IPS Landscape
Intrusion prevention system (IPS) vendors often promote howmany threats they detect and how quickly they release detection capabilities for new threats. Many organizations blindly assume that these claims are accurate, but without evidence to substantiate them, this faith is misplaced.
Unverifiable Protection: If you had a headache, would you purchase a “headache elixir” sold from a roadside stand? Or would you buy Tylenol, Advil, or anotherFDA-approved headache medication at the drugstore? Most IPS vendors make tenuous protection claims that are untested and unverifiable. Partial Protection: Would you purchase a car alarm that stopped thieves from breaking into your driver’s side window, but didn’t protect the passenger’s side? Most IPS vendors similarly claim “protection” against vulnerabilities when they only cover a single specific avenueof attack. Protection After the Threat: If your child had a good chance of catching a dangerous but preventable disease, would you wait for your child’s friends to get the disease before taking action? Or would you vaccinate the child now, before the threat occurred? Most IPS vendors provide protection against exploits only after these attacks are already publicly known and organizations havealready been attacked by them. Unreliable Protection: If the fire alarm system in your building sounded every few days, alerting the fire department and triggering the sprinkler system even though there was no fire, would you keep it in place? What if the system missed a real fire? Most IPS vendors use signatures that do not adequately cover the triggering conditions of a vulnerability – and thereforeproduce false positives and false negatives.
As attackers become more advanced, IPS vendors need to provide protection that verifiably defends against:
all possible attacks before particular methods of attack are known without creating false positives or false negatives
Enter the Sourcefire Vulnerability Research Team (VRT), a dedicated research group chartered to deliver this level ofprotection. The VRT provides the rulesets that power the Sourcefire 3D System, employing a vulnerability-based methodology to meet the demands necessary for the most advanced IPS deployments.
Ve r i f i a b l e P r o t e c t i o n : t h e S o u r c e f i r e V R T a n d t h e S N O R T ® Rules Language
Many IPS vendors boast about how quick they are to respond to the release of vulnerabilities - forinstance, after the monthly “Microsoft Tuesday,” when Microsoft announces many vulnerabilities and releases patches to end users. Because most IPS vendors’ signatures are closed, it is impossible for customers to verify what they are actually being protected against. In many cases, IPS vendors claim protection for vulnerabilities that they do not in fact cover at all, or any use (legitimate or...