IDS mailing list archives
Re: Obfuscated web pages
From: "Dustin D. Trammell" <dtrammell () bpointsys com>
Date: Thu, 14 Feb 2008 17:26:44 -0600
On Thu, 2008-02-14 at 16:17 -0500, Gary Flynn wrote:
> Tim wrote:
> > The specific issue of JavaScript obfuscation drives this point home quite well. IMO, it is unlikely that any IDS engine could implement the beast that is ECMAScript and all of its children and still be safe while reliably detecting attacks. It approaches issues similar to the halting problem.
>
> I suspect that no vendors support this feature (actual code execution in some sort of sandbox) and I was just trying to verify it.

Also on Thu, 2008-02-14 at 16:05 -0500, Gary Flynn wrote:
> Libershal, David M. wrote:
> > The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for http packets and 2 for SMTP traffic.
>
> I've seen signatures in other products that detect standard encodings of things like shellcode. Is this what it is doing?

Oddly enough, I just published a paper on shellcode encoding for evading network security/monitoring systems that cites two different projects that attempt to do this type of thing for shellcode in real-time in a sandbox environment, however they both were not ID/PS systems:

http://www.uninformed.org/?v=9&a=3&t=sumry

--
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.