Re: Obfuscated web pages

[Gary Flynn <flynngn () jmu edu>]

Libershal, David M. wrote:
> The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for
> http packets and 2 for SMTP traffic.

I've seen signatures in other products that detect standard
encodings of things like shellcode. Is this what it is
doing?

> David Libershal 
> Network Security Engineer
> Enterprise Telecommunications Group
>
> Johns Hopkins University Applied Physics Laboratory
> 11100 Johns Hopkins Rd
> Laurel, MD 20723-6099
>
> 443-778-7196 (office)
> 443-778-5727 (FAX)
>
>  
>
> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
> Behalf Of Gary Flynn
> Sent: Thursday, February 14, 2008 1:45 PM
> To: focus-ids () securityfocus com
> Subject: Obfuscated web pages
>
>
> Are any current network based IDS/P systems able to unwind obfuscated web
> script to examine the final javascript product?
> It would seem they would have to have a javascript engine to do so and
> issues with reassembly, iterations, and delays would preclude them from
> doing it inline.
>
> Without this capability, it would seem that network based IDS/IPS is
> destined to digress to AV style malware signatures for malicious web server
> issues and that the only reliable place to do IDS/P would be on the host.
>
> We've been seeing more and more obfuscated web script and according to a
> recently released IBM report, the majority of exploits are taking this path.
>
> http://www.iss.net/x-force_report_images/2008/index.html
>
> Thoughts?
>
> --
> Gary Flynn
> Security Engineer
> James Madison University
> www.jmu.edu/computing/security


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature