NIS Signature Types (or why some signatures are disabled by default)

The NIS signature set released last month (8.32) contained 4 signatures that were disabled by default:

We’ve received a number of questions about why these signatures were off by default and thought it may be worthwhile to write about the NIS signature types again.

As explained in the NIS in TMG whitepaper, there are three different NIS signature types:

1. Vulnerability-based: These signatures detect most variants of exploits against a given vulnerability.

2. Exploit-based: These signatures detect a specific exploit of a given vulnerability.

3. Policy-based: These signatures are generally used for auditing purposes and are developed when neither a vulnerability-based nor an exploit-based signature can be written.

Whenever possible, we write vulnerability-based or exploit-based signatures. These are accurate signatures with a very low rate of false positives or false negatives.

However, in some cases we aren't able to write a vulnerability- or exploit-based signature, so we write a policy-based signature. These are less accurate and can cause some false alarms, so it is up to the administrator to make a conscious decision to enable them despite the risk of false positives.

This is why we make policy-based signatures available in a "disabled by default" mode.
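The following toy model is an added illustration of the three signature types and their default enablement; it is not Forefront TMG or NIS code. The line protocol, the hypothetical SETNAME buffer flaw, the "known exploit" payload, the signature names and the sample traffic are all constructed for the example. It scores each signature type against the same traffic to show why the vulnerability-based signature catches the variant that the exploit-based one misses, why the policy-based one also fires on benign traffic, and why only an explicit administrator opt-in makes the policy-based alerts appear.

```python
"""Toy model of vulnerability-, exploit- and policy-based IDS signatures.

Added example, not NIS/TMG code. Everything below (protocol, flaw, payloads,
signature names, traffic) is constructed to illustrate the concepts.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, Iterable, List, Tuple


class SigType(Enum):
    VULNERABILITY = "vulnerability-based"
    EXPLOIT = "exploit-based"
    POLICY = "policy-based"


def default_enabled(sig_type: SigType) -> bool:
    """Vulnerability- and exploit-based signatures ship enabled; policy-based
    signatures ship disabled and must be switched on by the administrator."""
    return sig_type is not SigType.POLICY


@dataclass
class Request:
    """A constructed request in a made-up line protocol: a command and its argument."""
    command: str
    argument: bytes
    malicious: bool  # ground truth, used only to score the signatures, never by them


@dataclass
class Signature:
    name: str
    sig_type: SigType
    match: Callable[[Request], bool]
    enabled: bool = field(init=False, default=False)

    def __post_init__(self) -> None:
        self.enabled = default_enabled(self.sig_type)


# Hypothetical flaw (constructed): the server copies the argument of SETNAME
# into a 64-byte buffer without checking its length.
BUFFER_SIZE = 64
# One specific, "publicly known" payload for that flaw (constructed bytes).
KNOWN_EXPLOIT = b"A" * 200 + b"\xde\xad\xbe\xef"

SIGNATURES = [
    # Matches only the one known payload; a re-encoded variant slips past it.
    Signature("Exploit:SETNAME-known-payload", SigType.EXPLOIT,
              lambda r: r.command == "SETNAME" and r.argument == KNOWN_EXPLOIT),
    # Matches the condition that triggers the flaw, so it covers all variants.
    Signature("Vuln:SETNAME-argument-too-long", SigType.VULNERABILITY,
              lambda r: r.command == "SETNAME" and len(r.argument) > BUFFER_SIZE),
    # Audits any use of the command at all; cannot tell benign from malicious.
    Signature("Policy:SETNAME-used", SigType.POLICY,
              lambda r: r.command == "SETNAME"),
]

# Constructed sample traffic: one benign use, the known exploit, a variant, and
# an unrelated command.
TRAFFIC = [
    Request("SETNAME", b"alice", malicious=False),
    Request("SETNAME", KNOWN_EXPLOIT, malicious=True),
    Request("SETNAME", b"B" * 300 + b"\xca\xfe\xba\xbe", malicious=True),
    Request("GET", b"/status", malicious=False),
]


def score(signatures: Iterable[Signature], traffic: Iterable[Request]) -> Dict[str, Dict[str, int]]:
    """Count true positives, false positives and false negatives per signature,
    ignoring the enabled flag (i.e. what each signature would do if turned on)."""
    result: Dict[str, Dict[str, int]] = {}
    for sig in signatures:
        tp = fp = fn = 0
        for req in traffic:
            hit = sig.match(req)
            if hit and req.malicious:
                tp += 1
            elif hit:
                fp += 1
            elif req.malicious:
                fn += 1
        result[sig.name] = {"tp": tp, "fp": fp, "fn": fn}
    return result


def alerts(signatures: Iterable[Signature], traffic: Iterable[Request],
           admin_enabled: Iterable[str] = ()) -> List[Tuple[str, int]]:
    """Alerts the administrator actually sees: a signature fires only if it is
    enabled by default or the administrator has consciously enabled it."""
    opted_in = set(admin_enabled)
    out: List[Tuple[str, int]] = []
    for i, req in enumerate(traffic):
        for sig in signatures:
            if (sig.enabled or sig.name in opted_in) and sig.match(req):
                out.append((sig.name, i))
    return out


if __name__ == "__main__":
    for name, counts in score(SIGNATURES, TRAFFIC).items():
        print(f"{name:36} {counts}")
    print("default alerts:", alerts(SIGNATURES, TRAFFIC))
    print("with policy sig enabled:",
          alerts(SIGNATURES, TRAFFIC, admin_enabled={"Policy:SETNAME-used"}))
```

Run as a script it prints the per-signature counts and the two alert lists. The exploit-based signature scores one false negative (the variant), the vulnerability-based one scores none, and the policy-based one has no false negatives but one false positive on the benign request, which is exactly the trade-off that justifies shipping it disabled and leaving the opt-in to the administrator.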


Author:

Ori Yosefi, Senior Program Manager, Forefront TMG


Reviewer:

Dror Zelber, Senior Program Manager Lead, Forefront TMG