IDS mailing list archives

Re: Obfuscated web pages


From: holly.stewart () us ibm com
Date: 18 Feb 2008 15:32:53 -0000

Hi, I work for IBM Internet Security Systems and was involved in the creation of the 2007 trend report.  I agree that 
the host is the place where you need to solve this problem.  De-obfuscating traffic as a network device certainly would 
have performance issues.  Someone had asked if the Proventia line had something to address this issue, so I thought I'd 
clear that up.  Our IPS products do have a handful of signatures that look for JavaScript obfuscation 
(JavaScript_Unescape_Regex, JavaScript_Large_Unescape, JavaScript_Unescape_Obfuscation).

Also, I'd like to apologize for that marketing slick that touts our IPS as being a solution for Phishing.  Although 
there are ways you can get an IPS to address some issues related to phishing and spam, it is obviously not designed to 
be a wholesale solution for that kind of problem.... that's why we have a market for content (email/web) products!  I 
actually had a meeting a few weeks ago with the marketing folks to have that removed, so having someone make fun of it 
on this list is pretty timely. :)
 
-Holly

Holly Stewart
Product Manager, X-Force and XFTAS
IBM Internet Security Systems
Atlanta, GA
