IDS mailing list archives
Re: Obfuscated web pages
From: "Jamie Riden" <jamie.riden () gmail com>
Date: Thu, 14 Feb 2008 21:22:47 +0000
On 14/02/2008, Gary Flynn <flynngn () jmu edu> wrote:
> Are any current network based IDS/P systems able to unwind obfuscated web script to examine the final javascript product? It would seem they would have to have a javascript engine to do so and issues with reassembly, iterations, and delays would preclude them from doing it inline.

This is a real issue these days - just try out Metasploit v.3's web-based attacks against Snort and see how many you can detect.

I don't know of any sensible way to do this in IDS - you can crawl URLs with honeypots such as CaptureHPC ( https://www.client-honeynet.org/capture.html ) to see if they are actually malicious. However, scaling this up to check all the URLs that have been visited by your users is not a simple task.

cheers,
Jamie
--
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/