IDS mailing list archives

RE: Obfuscated web pages


From: "Libershal, David M." <Dave.Libershal () jhuapl edu>
Date: Thu, 14 Feb 2008 15:13:19 -0500

The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for
http packets and 2 for SMTP traffic.


David Libershal 
Network Security Engineer
Enterprise Telecommunications Group

Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd
Laurel, MD 20723-6099

443-778-7196 (office)
443-778-5727 (FAX)


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of Gary Flynn
Sent: Thursday, February 14, 2008 1:45 PM
To: focus-ids () securityfocus com
Subject: Obfuscated web pages


Are any current network based IDS/P systems able to unwind obfuscated web
script to examine the final javascript product?
It would seem they would have to have a javascript engine to do so and
issues with reassembly, iterations, and delays would preclude them from
doing it inline.

Without this capability, it would seem that network based IDS/IPS is
destined to digress to AV style malware signatures for malicious web server
issues and that the only reliable place to do IDS/P would be on the host.

We've been seeing more and more obfuscated web script and according to a
recently released IBM report, the majority of exploits are taking this path.

http://www.iss.net/x-force_report_images/2008/index.html

Thoughts?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
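The reassembly point raised above, as an added example that is not part of the original thread: a few static indicators of the kind a signature-style IPS filter can match without running the script, applied once per TCP segment and once to the reassembled stream. The page bodies, the indicator patterns and the segment cuts are all constructed for this illustration; none of it is taken from TippingPoint's filters.

```python
import re

# Constructed sample HTTP response bodies (not from the original thread).
CLEAN_PAGE = b"<html><script>function hi(){ document.title='Hello'; }</script></html>"
OBFUSCATED_PAGE = (
    b"<html><script>eval(unescape('%64%6f%63%75%6d%65%6e%74%2e%77%72%69%74%65"
    b"%28%22%3c%73%63%72%69%70%74%20%73%72%63%3d%22%29'))</script></html>"
)

# Static indicators that need no JavaScript engine (constructed heuristics).
INDICATORS = [
    ("eval-unescape", re.compile(rb"eval\s*\(\s*unescape\s*\(")),
    ("fromCharCode-run", re.compile(rb"String\.fromCharCode\s*\((?:\s*\d+\s*,){10,}")),
    ("long-escape-run", re.compile(rb"(?:%[0-9a-fA-F]{2}){16,}|(?:\\x[0-9a-fA-F]{2}){16,}")),
]


def obfuscation_indicators(body: bytes) -> list[str]:
    """Names of the indicators that fire on one buffer, in INDICATORS order."""
    return [name for name, rx in INDICATORS if rx.search(body)]


def split_stream(body: bytes, cut_points: list[int]) -> list[bytes]:
    """Cut one response body into the byte ranges separate TCP segments might carry."""
    bounds = [0] + sorted(cut_points) + [len(body)]
    return [body[a:b] for a, b in zip(bounds, bounds[1:])]


def scan_per_segment(segments: list[bytes]) -> list[str]:
    """Inline matching of each segment on its own: a token split across a boundary is missed."""
    hits = []
    for seg in segments:
        hits.extend(obfuscation_indicators(seg))
    return hits


def scan_reassembled(segments: list[bytes]) -> list[str]:
    """Matching after stream reassembly sees the whole script."""
    return obfuscation_indicators(b"".join(segments))


if __name__ == "__main__":
    # Cut inside 'unescape' and inside the escape run, as a sender could arrange.
    cuts = [OBFUSCATED_PAGE.find(b"unescape") + 5, OBFUSCATED_PAGE.find(b"%22%3c")]
    segs = split_stream(OBFUSCATED_PAGE, cuts)
    print("per segment :", scan_per_segment(segs))   # []
    print("reassembled :", scan_reassembled(segs))   # ['eval-unescape', 'long-escape-run']
```

Even with reassembly these indicators only catch encodings they were written for, which is the signature-style trade-off the question describes.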
