Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Obfuscated web pages

from [Mike Barkett] Network Security [Permanent Link]
Subject: RE: Obfuscated web pages
Date: Thu, 14 Feb 2008 16:18:07 -0500 
You're really talking about the difference between client-based protections
and server-based protections.  Let's not throw the baby out with the
bathwater; network IDS/IPS does much more than just "AV style malware
signatures for malicious web server issues."  Most of today's IPS products
can quite deftly clean out a vast array of types of malicious activity,
whether automated or not, across a bevy of network protocols, not just web.

Regarding inline JS inspection, I've said it before and I still believe that
one day there will be a full DOM proxy product that is capable of running
inline.  Yes, its speeds will lag other network devices, and yes, browser
attacks will probably be yesterday's news by then anyway, but it would be
foolish to suggest that it is theoretically impossible to do.  In the
meantime, if you have embraced defense-in-depth and gotten yourself a
trustworthy network IPS, a thorough endpoint solution, and you use only
locked down browsers, then you'll be ok.

-MAB


--
Michael A Barkett, CISSP
IPS Security Engineering Director
Check Point Software Technologies
+1.240.632.9000 Fax: +1.240.747.3512


-----Original Message-----


Are any current network based IDS/P systems able to unwind
obfuscated web script to examine the final javascript product?
It would seem they would have to have a javascript engine to
do so and issues with reassembly, iterations, and delays
would preclude them from doing it inline.

Without this capability, it would seem that network based
IDS/IPS is destined to digress to AV style malware
signatures for malicious web server issues and that the only
reliable place to do IDS/P would be on the host.

We've been seeing more and more obfuscated web script and
according to a recently released IBM report, the majority
of exploits are taking this path.

http://www.iss.net/x-force_report_images/2008/index.html

Thoughts?

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security



------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to 
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
 
to learn more.
------------------------------------------------------------------------
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Obfuscated web pages, Gary Flynn
Next by Date:  Re: Obfuscated web pages, parveenvashishtha
Previous by Thread:  Re: Obfuscated web pages, Jamie Riden
Next by Thread:  Re: Obfuscated web pages, Arian J. Evans
Indexes:  [Date] [Thread] [Top] [All Lists]