IDS mailing list archives
Re: Re: how to avoid false positive in generic cross site scripting attack ids signature
From: "Abhishek Bhuyan" <abhuyan () gmail com>
Date: Sun, 11 Feb 2007 15:37:07 +0530
How about UTF-7 XSS attack? False positive will be there, you need to reduce it as much as possible. But just checking for javascript: is not a good idea. Keeping an eye on no. of occurrence of particular patterns might help. On 6 Feb 2007 11:44:45 -0000, rathnach () gmail com <rathnach () gmail com> wrote:
1st is, whether executing javascript on clients browser context in http req. is permissible. >>>>>> we don't have any control to implement policy to restrict developers using such feature. 2nd as yahoo is one of the most visted sit, how can avoid cjances of false postive, and is there any way to harden this signature. >>>>>>IDS detection is most effective only when it is configured properly and signatures are specific to attack. Generic signatures are only good to identify unknown attacks,Provided you have good logging capability. but problem is false positives. My would suggest is to find some vulnerable file path + XXS pattern to be more effective. ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- how to avoid false positive in generic cross site scripting attack ids signature singhamit4me (Feb 01)
- Re: how to avoid false positive in generic cross site scripting attack ids signature Sanjay R (Feb 02)
- <Possible follow-ups>
- Re: Re: how to avoid false positive in generic cross site scripting attack ids signature rathnach (Feb 08)
- Re: Re: how to avoid false positive in generic cross site scripting attack ids signature Abhishek Bhuyan (Feb 12)