IDS mailing list archives
RE: Obfuscated web pages
From: "Libershal, David M." <Dave.Libershal () jhuapl edu>
Date: Thu, 14 Feb 2008 15:13:19 -0500
The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for http packets and 2 for SMTP traffic.

David Libershal
Network Security Engineer
Enterprise Telecommunications Group
Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd
Laurel, MD 20723-6099
443-778-7196 (office)
443-778-5727 (FAX)

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Gary Flynn
Sent: Thursday, February 14, 2008 1:45 PM
To: focus-ids () securityfocus com
Subject: Obfuscated web pages

Are any current network based IDS/P systems able to unwind obfuscated web script to examine the final javascript product? It would seem they would have to have a javascript engine to do so, and issues with reassembly, iterations, and delays would preclude them from doing it inline.

Without this capability, it would seem that network based IDS/IPS is destined to digress to AV style malware signatures for malicious web server issues and that the only reliable place to do IDS/P would be on the host.

We've been seeing more and more obfuscated web script and, according to a recently released IBM report, the majority of exploits are taking this path.

http://www.iss.net/x-force_report_images/2008/index.html

Thoughts?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
Attachment: smime.p7s
Current thread:
- Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Tim (Feb 14)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Jon Oberheide (Feb 15)
- Re: Obfuscated web pages Dustin D. Trammell (Feb 15)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Kowsik (Feb 14)
- RE: Obfuscated web pages Libershal, David M. (Feb 14)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Stefano Zanero (Feb 19)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Arian J. Evans (Feb 14)
- Re: Obfuscated web pages Mike Lococo (Feb 14)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Ivan Arce (Feb 21)
- RE: Obfuscated web pages Mike Barkett (Feb 25)
- Re: Obfuscated web pages Ivan Arce (Feb 29)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Tim (Feb 14)