IDS mailing list archives
RE: Obfuscated web pages
From: "Mike Barkett" <mbarkett () us checkpoint com>
Date: Thu, 14 Feb 2008 18:42:09 -0500
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Mike Lococo Sent: Thursday, February 14, 2008 4:51 PMAre any current network based IDS/P systems able to unwind obfuscated web script to examine the final javascript product?Others have noted that this isn't often attempted, but it should also be mentioned that it *can't* be done generically for links of any significant bandwidth. If the unwinding routine takes a tenth of a second to run on a fast modern processor the web-browser user won't notice at all. Your IDS, on the other hand, will fall over at 10 packets/second. As processors get faster, attackers will use more complex unwinding routines to ensure the CPU load is prohibitive for an IDS.
Mike - An alternative would be to prevent routines that are too complex by default, and allow the administrator to define higher thresholds or whitelists for trusted sites. Also, the IDS wouldn't fall over if it were capable of any kind of parallelization; just those particular connections would be delayed. Bear in mind, we're still talking about a theoretical DOM inspector here, as opposed to an extant general purpose IPS product.
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Gary Flynn Sent: Thursday, February 14, 2008 4:18 PM I suspect that no vendors support this feature ( actual code execution in some sort of sandbox ) and I was just trying to verify it.
Gary - Actually, the Check Point IPS-1 (formerly NFR) sensor engine has, for many years, executed protections in a "sandbox" so that no single protection can dominate the processor(s). So, if someone were to write N-code to try to interpret generalized code, it would operate in that same sandbox, for lack of a better term. This even applies inline. However, just to be clear, off the shelf, IPS-1 does not do any of the theoretical DOM validation stuff previously mentioned in this thread. -MAB -- Michael A Barkett, CISSP IPS Security Engineering Director Check Point Software Technologies +1.240.632.9000 Fax: +1.240.747.3512 ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Obfuscated web pages, (continued)
- Re: Obfuscated web pages Tim (Feb 14)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Jon Oberheide (Feb 15)
- Re: Obfuscated web pages Dustin D. Trammell (Feb 15)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Kowsik (Feb 14)
- RE: Obfuscated web pages Libershal, David M. (Feb 14)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Stefano Zanero (Feb 19)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Arian J. Evans (Feb 14)
- Re: Obfuscated web pages Mike Lococo (Feb 14)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Ivan Arce (Feb 21)
- RE: Obfuscated web pages Mike Barkett (Feb 25)
- Re: Obfuscated web pages Ivan Arce (Feb 29)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Tim (Feb 14)
- Re: Obfuscated web pages Arian J. Evans (Feb 15)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Ivan Arce (Feb 21)