Libershal, David M. wrote:
The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for
http packets and 2 for SMTP traffic.
I've seen signatures in other products that detect standard
encodings of things like shellcode. Is this what it is
doing?
David Libershal
Network Security Engineer
Enterprise Telecommunications Group
Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd
Laurel, MD 20723-6099
443-778-7196 (office)
443-778-5727 (FAX)
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Gary Flynn
Sent: Thursday, February 14, 2008 1:45 PM
To: focus-ids@securityfocus.com
Subject: Obfuscated web pages
Are any current network based IDS/P systems able to unwind obfuscated web
script to examine the final javascript product?
It would seem they would have to have a javascript engine to do so and
issues with reassembly, iterations, and delays would preclude them from
doing it inline.
Without this capability, it would seem that network based IDS/IPS is
destined to digress to AV style malware signatures for malicious web server
issues and that the only reliable place to do IDS/P would be on the host.
We've been seeing more and more obfuscated web script and according to a
recently released IBM report, the majority of exploits are taking this path.
http://www.iss.net/x-force_report_images/2008/index.html
Thoughts?
--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
smime.p7s
Description: S/MIME Cryptographic Signature
