IDS mailing list archives

Re: Obfuscated web pages


From: Kowsik <kowsik () gmail com>
Date: Thu, 14 Feb 2008 11:57:30 -0800

Signature-based ID/PS have little hope of catching these. Parsing HTTP
responses (without javascript) is first of all pretty expensive,
especially given chunked/transfer/content/mime encodings. On top of
that parsing javascript is pretty much going to make the ID/PS
performance go to hell.

Could be wrong, but I highly doubt that anyone is actually doing a
full HTML/Javascript parsing to determine what the impact is. You will
need to embed a full DOM parser and a Javascript engine (like
SpiderMonkey) to make sense of what the code is trying to do. Then you need
to take into account IE/Firefox/Opera/Safari/etc idiosyncrasies.
*sigh*

The network would be the wrong place to try and defend against these, IMHO.

K.

On Thu, Feb 14, 2008 at 10:44 AM, Gary Flynn <flynngn () jmu edu> wrote:

 Are any current network based IDS/P systems able to unwind
 obfuscated web script to examine the final javascript product?
 It would seem they would have to have a javascript engine to
 do so and issues with reassembly, iterations, and delays
 would preclude them from doing it inline.

 Without this capability, it would seem that network based
 IDS/IPS is destined to digress to AV style malware
 signatures for malicious web server issues and that the only
 reliable place to do IDS/P would be on the host.

 We've been seeing more and more obfuscated web script and
 according to a recently released IBM report, the majority
 of exploits are taking this path.

 http://www.iss.net/x-force_report_images/2008/index.html

 Thoughts?

 --
 Gary Flynn
 Security Engineer
 James Madison University
 www.jmu.edu/computing/security
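An added illustration of the point both posters make, written for this archive page and not part of either message: a literal-substring signature never fires on the constructed sample page below, and only a string-unwinding step (here a deliberately static, partial one, with no script execution) exposes the text the signature looks for. `SAMPLE_BODY` and `SIGNATURE` are constructed for this example.

```javascript
// Constructed sample response body: the string "document.location" is
// never present as bytes; it is assembled at runtime by the script.
const SAMPLE_BODY = [
  '<html><body><script>',
  'var s = String.fromCharCode(100,111,99,117,109,101,110,116,46,108,111,99,97,116,105,111,110);',
  'var t = ["hos", "tna", "me"].join("");',
  '</script></body></html>',
].join('\n');

// A signature as a byte-matching IDS would carry it.
const SIGNATURE = 'document.location';

function signatureMatches(text, sig) {
  return text.indexOf(sig) !== -1;
}

// Static unwinding of two simple string-building idioms without running the
// script: String.fromCharCode(n,n,...) and ["a","b"].join("").
// Anything beyond these (eval, DOM-driven decoding, browser quirks) needs a
// real JS engine, which is exactly the cost the thread discusses.
function unwindStrings(src) {
  let out = src.replace(/String\.fromCharCode\(([\d,\s]+)\)/g, (_, nums) =>
    JSON.stringify(String.fromCharCode(...nums.split(',').map(n => parseInt(n, 10)))));
  out = out.replace(/\[((?:\s*"[^"]*"\s*,?)+)\]\.join\(""\)/g, (_, parts) =>
    JSON.stringify(parts.match(/"([^"]*)"/g).map(p => JSON.parse(p)).join('')));
  return out;
}

// Compare the signature against the raw body and against the unwound body.
function inspect(body, sig) {
  return {
    raw: signatureMatches(body, sig),
    unwound: signatureMatches(unwindStrings(body), sig),
  };
}

console.log(inspect(SAMPLE_BODY, SIGNATURE)); // { raw: false, unwound: true }
```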

