IDS mailing list archives
Re: Obfuscated web pages
From: Mike Lococo <mike.lococo () nyu edu>
Date: Thu, 14 Feb 2008 16:50:42 -0500
> Are any current network based IDS/P systems able to unwind obfuscated web script to examine the final javascript product?
Others have noted that this isn't often attempted, but it should also be mentioned that it *can't* be done generically for links of any significant bandwidth. If the unwinding routine takes a tenth of a second to run on a fast modern processor the web-browser user won't notice at all. Your IDS, on the other hand, will fall over at 10 packets/second. As processors get faster, attackers will use more complex unwinding routines to ensure the CPU load is prohibitive for an IDS.
> Without this capability, it would seem that network based IDS/IPS is destined to digress to AV style malware signatures for malicious web server issues and that the only reliable place to do IDS/P would be on the host.
As others have noted, both A/V and IDS are signature based detection mechanisms, so that issue exists independent of the obfuscation/unwinding issue.
Thanks,
Mike Lococo
Current thread:
- Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Tim (Feb 14)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Jon Oberheide (Feb 15)
- Re: Obfuscated web pages Dustin D. Trammell (Feb 15)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Kowsik (Feb 14)
- RE: Obfuscated web pages Libershal, David M. (Feb 14)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Stefano Zanero (Feb 19)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Arian J. Evans (Feb 14)
- Re: Obfuscated web pages Mike Lococo (Feb 14)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Ivan Arce (Feb 21)
- RE: Obfuscated web pages Mike Barkett (Feb 25)
- Re: Obfuscated web pages Ivan Arce (Feb 29)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Tim (Feb 14)
- Re: Obfuscated web pages Arian J. Evans (Feb 15)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Ivan Arce (Feb 21)
- <Possible follow-ups>
- Re: Obfuscated web pages parveenvashishtha (Feb 15)