IDS mailing list archives

Re: Obfuscated web pages


From: Gary Flynn <flynngn () jmu edu>
Date: Thu, 14 Feb 2008 16:17:59 -0500

Tim wrote:
>> Without this capability, it would seem that network based
>> IDS/IPS is destined to digress to AV style malware
>> signatures for malicious web server issues and that the only
>> reliable place to do IDS/P would be on the host.

> Signature-based IDS systems are exactly like AV systems, just network
> focussed.  They are always going to be at least one step behind
> attackers.
>
> The specific issue of JavaScript obfuscation drives this point home
> quite well.   IMO, it is unlikely that any IDS engine could implement
> the beast that is ECMAScript and all of its children and still be safe
> while reliably detecting attacks.  It approaches issues similar to the
> halting problem.

I agree that it would be hard though some of the issues could
be addressed with a watchdog timer limiting iterations or
processing time. Of course those same measures would provide a
way to bypass the device. Then again, code behavior that trips
those limits may be unique to malicious code so it could be
used as a reason to drop the associated traffic anyway.

I suspect that no vendors support this feature ( actual code
execution in some sort of sandbox ) and I was just trying to
verify it.


--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

