Re: Javascript long string detection

["Ravi Chunduru" <ravi.is.chunduru () gmail com>]

Right.  If traffic does not go through IPS, it has no way of detecting
exploits. Some companies allow phone traffic to go through its network
for all kinds of traffic with split tunnel mode OFF. In these cases
too, network IPS, when deployed at the right place can detect the
exploits.

thanks
Ravi


On Wed, Jun 11, 2008 at 11:21 AM, Ureleet <ureleet () gmail com> wrote:
> on the iphone?  how are you going to detect that using a network based ips?
>
> i mean, if the iphone is on wifi, but other than that...
>
> On Mon, Jun 9, 2008 at 11:56 PM, Ravi Chunduru
> <ravi.is.chunduru () gmail com> wrote:
> > This seems fine to me.  do you know the vulnerable version of Safari browser?
> >
> > Thanks
> > Ravi
> >
> > On Mon, Jun 9, 2008 at 7:17 PM, Srinivasa Addepalli <srao () intoto com> wrote:
> > > Hi Ravi,
> > >
> > > You are right that many IDS/IPS systems don't have java script analyzers.
> > > Even the systems that have these analyzers will also have problems in
> > > detecting these kinds of attacks.
> > >
> > > One simple way is to create a signature which checks version string in
> > > User-Agent field  and javascript in response html data. If user agent
> > > version indicates vulnerable software edition and javascript is seen, this
> > > signature flags the administrator. Since javascript is not analyzed, there
> > > could be false positives; but at the minimum, it provides logs and alerts to
> > > administrator to take further action.
> > >
> > > Srini
> > >
> > >
> > > -----Original Message-----
> > > From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> > > Behalf Of Ravi Chunduru
> > > Sent: Saturday, June 07, 2008 1:55 PM
> > > To: Focus IDS
> > > Subject: Javascript long string detection
> > >
> > > Hi,
> > >
> > > I have come across this vulnerability
> > >
> > > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0729
> > >
> > > and corresponding Exploit at
> > >
> > > http://www.milw0rm.org/exploits/5268
> > >
> > > There are so many ways to create a long string in Javascript.  How do
> > > Network based IDS/IPS can detect these kinds of attacks?  Is it
> > > possible to create signatures to detect these attacks?   Many existing
> > > IDS/IPS devices don't have capabilities to interpret and evaluate
> > > javascripts. So, I would think that it is nearly impossible.  Any
> > > insight?
> > >
> > > Thanks
> > > Ravi
> > >
> > > ------------------------------------------------------------------------
> > > Test Your IDS
> > >
> > > Is your IDS deployed correctly?
> > > Find out quickly and easily by testing it
> > > with real-world attacks from CORE IMPACT.
> > > Go to
> > > http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
> > > tro_sfw
> > > to learn more.
> > > ------------------------------------------------------------------------
> >
> > ------------------------------------------------------------------------
> > Test Your IDS
> >
> > Is your IDS deployed correctly?
> > Find out quickly and easily by testing it
> > with real-world attacks from CORE IMPACT.
> > Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
> > to learn more.
> > ------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------