NIS Signature Types (or why some signatures are disabled by default)


The NIS signature set released last month (8.32) contained 4 signatures that were disabled by default:

We’ve received a number of questions about why these signatures were off by default and thought it may be worthwhile to write about the NIS signature types again.

As explained in the NIS in TMG whitepaper, there are three different NIS signature types:

1. Vulnerability-based: These signatures will detect most variants of exploits against a given vulnerability.

2. Exploit-based: These signatures will detect a specific exploit of a given vulnerability.

3. Policy-based: These signatures are generally used for auditing purposes and are developed when neither a vulnerability-based nor an exploit-based signature can be written.

Whenever possible, we write vulnerability-based or exploit-based signatures. These are accurate signatures which have a very low rate of false positives or false negatives.

However, in some cases we aren’t able to write a vulnerability-based or exploit-based signature, so we write a policy-based signature. These are less accurate and can cause some false alarms, so it is up to the administrator to make a conscious decision to enable them despite the risk of false positives.

This is why we make policy-based signatures available in a “disabled by default” mode.

 

Author: Ori Yosefi, Senior Program Manager, Forefront TMG

Reviewer: Dror Zelber, Senior Program Manager Lead, Forefront TMG

Comments
  • I really appreciate your post and you explain each and every point very well. Thanks for sharing this information. And I’ll love to read your next post too.


  • You already have a generic XSS signature which can prevent the exploitation for 2010-3324, so why is there another signature for this vulnerability?

  • You already have a generic XSS signature www.microsoft.com/.../NIS.aspx which can prevent the exploitation for 2010-3243, so why is there another signature for this vulnerability?
