IDS mailing list archives

Re: ISS's IPS and Javascript interpreter


From: levinson_k () securityadmin info
Date: 5 Jan 2007 03:38:35 -0000

This is one drawback to IDS/IPS vendors like ISS that use closed-source signatures: you're never entirely sure what 
their detection capabilities are, or how good.

But for the full answer, you should read the thread here from this week on IPS evasion, if you haven't already.  This 
kind of attack can probably be coded to evade pretty much any IDS or IPS.  Even something as simple as using HTTPS 
encryption, a different encoding method or insertion of meaningless ignored characters foils most NIDS/NIPS 
deployments.  

IMHO, the answer is that all network-based IDS/IPS are roughly equally customizable to be able to detect such attacks 
with your own signatures, and all NIDS/NIPS are roughly equally easy to conceal such attacks from, with a little effort 
and some known evasion techniques that are a decade old.  

I believe many of the current exploits today that use JavaScript to build the payload commonly use a series of 
NOOP-like codes such as %u9090 to pad the code as needed.  You can easily add one or several custom signatures to 
detect today's JavaScript-based attacks (for example, a sig looking for a string of five or so %u9090 codes transmitted 
across common HTTP ports like TCP 80, 8080, etc.).

I find you get very few false positives with this kind of signature, compared to the traditional binary/hex-encoded 
0x90 NOOP signatures most IDS/IPS products use today.  (You will, however, see some actual attacks that aren't 
"interesting," because they weren't successful and weren't intentionally directed specifically at your users.  And 
because there are many varieties of NOOP characters and ways of encoding/encrypting them, you can never be guaranteed 
to detect all such future attacks.)

Such a signature could very well be safe to deploy with automatic IPS blocking in many environments.  In a sizable 
environment, you may very well see more alerts / attacks than you could possibly investigate by manual means.

kind regards,
Karl Levinson
http://securityadmin.info
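The %u9090-run signature Karl describes above, as an added example that is not part of the original message and not code from ISS or any other vendor: a small Python detector run over a few constructed HTTP payloads. It also shows one of the evasions the post alludes to (splitting the sled across concatenated string literals) and an optional normaliser that undoes that one trick. The port set beyond 80/8080, the minimum run of five tokens, the sample flows, and the normaliser are all assumptions of this example.

```python
import re
from typing import Iterable, List, Tuple

# "Common HTTP ports" from the post are 80 and 8080; 8000 and 3128 are assumed extras.
HTTP_PORTS = {80, 8080, 8000, 3128}

# The post's signature: five or so back-to-back %u9090 escapes.  JavaScript's
# unescape() only recognises a lowercase 'u', so the pattern is case-sensitive.
NOP_TOKEN = "%u9090"
MIN_RUN = 5
NOP_RUN = re.compile(r"(?:%u9090)+")

# Assumed normaliser for one evasion: a sled split across string literals joined
# with '+' ("%u9090" + "%u9090").  Removing the quote, '+', quote sequence makes
# the tokens adjacent again so the run-length check sees the whole sled.
JS_CONCAT = re.compile(r'["\']\s*\+\s*["\']')


def longest_nop_run(payload: str) -> int:
    """Length, in tokens, of the longest run of consecutive %u9090 escapes."""
    best = 0
    for m in NOP_RUN.finditer(payload):
        best = max(best, len(m.group(0)) // len(NOP_TOKEN))
    return best


def normalize_js_concat(payload: str) -> str:
    """Collapse '" + "' between string literals (assumed evasion-undoing step)."""
    return JS_CONCAT.sub("", payload)


def scan_flows(flows: Iterable[Tuple[int, str]],
               normalize: bool = False) -> List[Tuple[int, int]]:
    """Return (dst_port, run_length) for each flow that trips the signature.

    Flows to ports outside HTTP_PORTS are skipped, mirroring a port-scoped rule;
    an HTTPS flow would not even expose the string to a NIDS, which is the
    point the post makes about encryption.
    """
    alerts = []
    for dst_port, payload in flows:
        if dst_port not in HTTP_PORTS:
            continue
        text = normalize_js_concat(payload) if normalize else payload
        run = longest_nop_run(text)
        if run >= MIN_RUN:
            alerts.append((dst_port, run))
    return alerts


# Constructed sample flows (dst_port, reassembled payload), not captured traffic.
SAMPLE_FLOWS = [
    # 1. heap-spray style sled of 8 tokens on port 80 -> alert
    (80, 'var sled = unescape("%u9090%u9090%u9090%u9090%u9090%u9090%u9090%u9090");'),
    # 2. benign page using %u escapes for accented text -> no alert
    (8080, 'document.title = unescape("%u00e9%u00e8%u00ea");'),
    # 3. same sled on a non-HTTP port (SMTP) -> not inspected by this rule
    (25, 'unescape("%u9090%u9090%u9090%u9090%u9090%u9090")'),
    # 4. evasion: sled split across concatenated literals -> raw run is only 2
    (80, 'var s = unescape("%u9090%u9090" + "%u9090%u9090" + "%u9090%u9090");'),
]

if __name__ == "__main__":
    print("raw:       ", scan_flows(SAMPLE_FLOWS))                   # [(80, 8)]
    print("normalized:", scan_flows(SAMPLE_FLOWS, normalize=True))   # [(80, 8), (80, 6)]
```

Flow 4 is the caveat in practice: the raw signature misses it, the normaliser catches it, and a different split (per-token concatenation, a variable holding "%u", `String.fromCharCode`, or plain HTTPS) would miss again, which is why the post says such a sig can never be guaranteed to catch every future variant.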
