IDS mailing list archives

RE: Obfuscated web pages


From: "Mike Barkett" <mbarkett () us checkpoint com>
Date: Fri, 29 Feb 2008 17:28:36 -0500


Well, my friend, I guess we will have to agree to disagree and leave it at
that for now.  As you said, the topic is tiresome now that our respective
opinions are already on the table, and surely time will tell.

The only part I feel compelled to respond to is the sentence below in which
you wryly call out my method of argumentation.  To reiterate, I answered two
separate questions differently: the original thread query (re: DOM
inspection) in the hypothetical future tense, using past experiences as
support for an opinion; and an ancillary question (re: sandboxed signatures)
in the literal present, using current facts as support.  No mixing of
abstraction necessary.


Hopefully the thoughts expressed in this thread will inspire one of the many
college students on this list to take up the challenge, and try to
demonstrate whether or not inline JS inspection can be made to be somewhat
useful.  If anyone does decide to try to implement it with N-code or any
other language, then let me know and I'd be happy to lend some ideas to the
cause.


Thanks.
-MAB

--
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000 Fax: +1.240.747.3512


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ivan Arce
Sent: Thursday, February 28, 2008 8:14 PM
To: Mike Barkett; focus-ids () securityfocus com
Subject: Re: Obfuscated web pages
...
generally not the tone of this list, and I doubt either of us has the
time.
In my opinion, it would be a mistake to flout the continued maturation
of analysis technology, much as was done by the many people who a
decade ago thought that IPS was infeasible.  Ptacek and Newsham's paper
was seminal, and defense against those principles is a must-have in the
IPS world today, but let's not forget that 10 years ago many were
citing that paper as a harbinger of doom for IDS, not to mention IPS.
Yet, within a couple years, the better IDS products had accounted for
all the methods.

You seem to mix different layers of abstraction in the manner that best
serves to support your opinion, which is completely fair game but not
necessarily accurate.

