IDS mailing list archives

Re: Obfuscated web pages


From: "Arian J. Evans" <arian.evans () anachronic com>
Date: Thu, 14 Feb 2008 12:49:04 -0800

I haven't seen any IDS/IPS that do this competently.

ISS's "Proventia" or whatever their new all-in-wonder IPS box is
claims to do this, but then it also lists as a feature that it can
prevent "phishing" so my expectations are rather low.

We have someone deploying it inline for testing so I should
be able to comment more on that device soon, but in general,
even WAFs have a hard time at this.

Doubt this will make this list, as last I checked SF still blocks
Gmail-forwarded email.

Arian J. Evans
software security stuff

On Thu, Feb 14, 2008 at 10:44 AM, Gary Flynn <flynngn () jmu edu> wrote:

Are any current network-based IDS/P systems able to unwind
obfuscated web script to examine the final JavaScript product?
It would seem they would have to have a JavaScript engine to
do so, and issues with reassembly, iterations, and delays
would preclude them from doing it inline.

Without this capability, it would seem that network-based
IDS/IPS is destined to digress to AV-style malware
signatures for malicious web server issues, and that the only
reliable place to do IDS/P would be on the host.

We've been seeing more and more obfuscated web script and
according to a recently released IBM report, the majority
of exploits are taking this path.

http://www.iss.net/x-force_report_images/2008/index.html

Thoughts?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

-- 
Arian Evans
software security stuff
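To illustrate the point raised in the quoted question, here is an added example (not code from either poster) of the static "unwinding" a signature-based sensor would have to do before its pattern can match. It decodes two common encoding layers (a String.fromCharCode array and a percent-escaped string) round by round on a constructed sample, and shows how a round cap, or any transformation the decoder does not model, leaves the signature unseen.

```python
import re
import urllib.parse

# Constructed sample: a string carrying a typical content signature, wrapped in
# two encoding layers (charcode array, then a percent-escaped string).
PLAIN = "document.write('<iframe src=x>')"
LAYER1 = "String.fromCharCode(" + ",".join(str(ord(c)) for c in PLAIN) + ")"
LAYER2 = "eval(unescape('" + urllib.parse.quote(LAYER1, safe="") + "'))"
SIGNATURE = "document.write('<iframe"

# A variant built with string concatenation: a layer this decoder does not model.
# Only an actual JavaScript engine would reduce it to the plain form.
CONCAT = "eval('docu' + 'ment.write(\\'<iframe src=x>\\')')"

FROMCHARCODE = re.compile(r"String\.fromCharCode\(([\d,\s]+)\)")
UNESCAPE = re.compile(r"unescape\('((?:%[0-9A-Fa-f]{2}|[^'])*)'\)")


def unwrap_once(script: str) -> str:
    """Statically decode one layer of the two encodings handled here."""
    script = FROMCHARCODE.sub(
        lambda m: "'" + "".join(chr(int(n)) for n in m.group(1).split(",")) + "'",
        script,
    )
    script = UNESCAPE.sub(
        lambda m: "'" + urllib.parse.unquote(m.group(1)) + "'", script
    )
    return script


def detect(script: str, signature: str = SIGNATURE, max_rounds: int = 5):
    """Return the decoding round (0 = bytes as seen on the wire) at which the
    signature first appears, or None if it never does within max_rounds."""
    for rnd in range(max_rounds + 1):
        if signature in script:
            return rnd
        decoded = unwrap_once(script)
        if decoded == script:  # nothing left that this decoder understands
            return None
        script = decoded
    return None


if __name__ == "__main__":
    for name, sample in [("plain", PLAIN), ("layer1", LAYER1),
                         ("layer2", LAYER2), ("concat", CONCAT)]:
        print(f"{name:7s} matched at round: {detect(sample)}")
    print("layer2 with a 1-round budget:", detect(LAYER2, max_rounds=1))
```

The same signature matches on the wire for the plain sample, only after two decoding rounds for the double-wrapped one, and never for the concatenation variant or when the round budget is exhausted.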
