Re: Re: how to avoid false positive in generic cross site scripting attack ids signature

["Abhishek Bhuyan" <abhuyan () gmail com>]

How about UTF-7 XSS attack?
False positive will be there, you need to reduce it as much as
possible. But just checking for javascript: is not a good idea.
Keeping an eye on no. of occurrence of particular patterns might help.


On 6 Feb 2007 11:44:45 -0000, rathnach () gmail com <rathnach () gmail com> wrote:
> 1st is, whether executing javascript on clients browser context in http req. is permissible.
>
> >>>>>> we don't have any control to implement policy to restrict developers using such feature.
>
>  2nd as yahoo is one of the most visted sit, how can avoid cjances of false postive, and is there any way to harden 
> this signature.
> >>>>>>IDS detection is most effective only when it is configured properly and signatures are specific to attack.
>
> Generic signatures are only good to identify unknown attacks,Provided you have good logging capability. but problem is 
> false positives.
> My would suggest is to find some vulnerable file path + XXS pattern to be more effective.
>
> ------------------------------------------------------------------------
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> to learn more.
> ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------