IDS mailing list archives

Re: Obfuscated web pages


From: "Jamie Riden" <jamie.riden () gmail com>
Date: Thu, 14 Feb 2008 21:22:47 +0000

On 14/02/2008, Gary Flynn <flynngn () jmu edu> wrote:

 Are any current network based IDS/P systems able to unwind
 obfuscated web script to examine the final javascript product?
 It would seem they would have to have a javascript engine to
 do so and issues with reassembly, iterations, and delays
 would preclude them from doing it inline.

This is a real issue these days - just try out Metasploit v.3's
web-based attacks against Snort and see how many you can detect.

I don't know of any sensible way to do this in IDS - you can crawl
URLs with honeypots such as CaptureHPC (
https://www.client-honeynet.org/capture.html ) to see if they are
actually malicious. However, scaling this up to check all the URLs that
have been visited by your users is not a simple task.

cheers,
 Jamie
-- 
Jamie Riden / jamesr () europe com / jamie () honeynet org uk
UK Honeynet Project: http://www.ukhoneynet.org/
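
The limitation discussed in this thread, shown as an added example that is not part of the original e-mail: a sensor-side pass that statically decodes `unescape("...")` literals before applying a body signature, with a pass budget. The signature, function names and sample pages are constructed for illustration; strings assembled at run time still need a real JavaScript engine or a client honeypot.

```javascript
// Added illustration: names, signature and sample bodies are constructed.
const SIGNATURE = /<iframe[^>]+src=/i;           // toy response-body signature
const LITERAL = /unescape\(\s*(["'])([^"']*)\1\s*\)/g;

// Decode %XX and %uXXXX the way the legacy unescape() builtin does.
function pctDecode(s) {
  return s.replace(/%u([0-9a-f]{4})|%([0-9a-f]{2})/gi,
    (_, u, b) => String.fromCharCode(parseInt(u || b, 16)));
}

// Statically replace unescape("literal") calls with their decoded text,
// one layer per pass, giving up after maxPasses (an inline sensor's budget).
function unwind(body, maxPasses) {
  let passes = 0;
  while (passes < maxPasses) {
    const next = body.replace(LITERAL, (_, q, lit) => pctDecode(lit));
    if (next === body) break;   // nothing left that this unwinder understands
    body = next;
    passes++;
  }
  return { body, passes };
}

// Compare the signature verdict on the raw body and on the unwound body.
function inspect(body, maxPasses) {
  const raw = SIGNATURE.test(body);
  const out = unwind(body, maxPasses);
  return { raw, unwound: SIGNATURE.test(out.body), passes: out.passes };
}

// Constructed sample pages (placeholder host, no real content).
const enc = s => [...s].map(c => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
const plain = '<iframe src="http://example.invalid/x"></iframe>';
const one = `<script>document.write(unescape("${enc(plain)}"))</script>`;
const two = `<script>eval(unescape("${enc(one.slice(8, -9))}"))</script>`;
// Argument assembled at run time: no literal to decode without a JS engine.
const computed = `<script>var a="%3Cifr",b="ame src=x%3E";document.write(unescape(a+b))</script>`;

console.log(inspect(plain, 4), inspect(one, 4), inspect(two, 4), inspect(two, 1), inspect(computed, 4));
```

The two-layer page is caught with a budget of four passes and missed with a budget of one, and the run-time-assembled page is missed regardless, which is the gap a crawling client honeypot covers.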
