IDS mailing list archives

Re: Obfuscated web pages


From: Mike Lococo <mike.lococo () nyu edu>
Date: Thu, 14 Feb 2008 16:50:42 -0500

> Are any current network based IDS/P systems able to unwind
> obfuscated web script to examine the final javascript product?

Others have noted that this isn't often attempted, but it should also be mentioned that it *can't* be done generically for links of any significant bandwidth. If the unwinding routine takes a tenth of a second to run on a fast modern processor the web-browser user won't notice at all. Your IDS, on the other hand, will fall over at 10 packets/second. As processors get faster, attackers will use more complex unwinding routines to ensure the CPU load is prohibitive for an IDS.

> Without this capability, it would seem that network based
> IDS/IPS is destined to digress to AV style malware
> signatures for malicious web server issues and that the only
> reliable place to do IDS/P would be on the host.

As others have noted, both A/V and IDS are signature based detection mechanisms, so that issue exists independent of the obfuscation/unwinding issue.

Thanks,
Mike Lococo
