Re: Obfuscated web pages

["Dustin D. Trammell" <dtrammell () bpointsys com>]

On Thu, 2008-02-14 at 16:17 -0500, Gary Flynn wrote:
> Tim wrote:
> > The specific issue of JavaScript obfuscation drives this point home
> > quite well.   IMO, it is unlikely that any IDS engine could implement
> > the beast that is ECMAScript and all of it's children and still be safe
> > while reliably detecting attacks.  It approaches issues similar to the
> > halting problem.
>
> I suspect that no vendors support this feature ( actual code
> execution in some sort of sandbox ) and I was just trying to
> verify it.

Also on Thu, 2008-02-14 at 16:05 -0500, Gary Flynn wrote: 
> Libershal, David M. wrote:
> > The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for
> > http packets and 2 for SMTP traffic.
>
> I've seen signatures in other products that detect standard
> encodings of things like shellcode. Is this what it is
> doing?

Oddly enough, I just published a paper on shellcode encoding for evading
network security/monitoring systems that cites two different projects
that attempt to do this type of thing for shellcode in real-time in a
sandbox environment, however they both were not ID/PS systems:

http://www.uninformed.org/?v=9&a=3&t=sumry

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.

Attachment: signature.asc
Description: This is a digitally signed message part