IDS mailing list archives
Obfuscated web pages
From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 14 Feb 2008 13:44:45 -0500
Are any current network based IDS/P systems able to unwind obfuscated web script to examine the final javascript product? It would seem they would have to have a javascript engine to do so and issues with reassembly, iterations, and delays would preclude them from doing it inline. Without this capability, it would seem that network based IDS/IPS is destined to digress to AV style malware signatures for malicious web server issues and that the only reliable place to do IDS/P would be on the host. We've been seeing more and more obfuscated web script and according to a recently released IBM report, the majority of exploits are taking this path. http://www.iss.net/x-force_report_images/2008/index.html Thoughts? -- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
Attachment:
smime.p7s
Description: S/MIME Cryptographic Signature
Current thread:
- Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Tim (Feb 14)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Jon Oberheide (Feb 15)
- Re: Obfuscated web pages Dustin D. Trammell (Feb 15)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Kowsik (Feb 14)
- RE: Obfuscated web pages Libershal, David M. (Feb 14)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Stefano Zanero (Feb 19)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Arian J. Evans (Feb 14)
- Re: Obfuscated web pages Mike Lococo (Feb 14)
(Thread continues...)
- Re: Obfuscated web pages Tim (Feb 14)