Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-IDS
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Obfuscated web pages

from [Dustin D. Trammell] Network Security [Permanent Link]
Subject: Re: Obfuscated web pages
Date: Thu, 14 Feb 2008 17:26:44 -0600 
On Thu, 2008-02-14 at 16:17 -0500, Gary Flynn wrote:

Tim wrote:

The specific issue of JavaScript obfuscation drives this point home
quite well.   IMO, it is unlikely that any IDS engine could implement
the beast that is ECMAScript and all of it's children and still be safe
while reliably detecting attacks.  It approaches issues similar to the
halting problem.


I suspect that no vendors support this feature ( actual code
execution in some sort of sandbox ) and I was just trying to
verify it.


Also on Thu, 2008-02-14 at 16:05 -0500, Gary Flynn wrote: 

Libershal, David M. wrote:

The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for
http packets and 2 for SMTP traffic.


I've seen signatures in other products that detect standard
encodings of things like shellcode. Is this what it is
doing?


Oddly enough, I just published a paper on shellcode encoding for evading
network security/monitoring systems that cites two different projects
that attempt to do this type of thing for shellcode in real-time in a
sandbox environment, however they both were not ID/PS systems:

http://www.uninformed.org/?v=9&a=3&t=sumry

-- 
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.

Attachment: signature.asc
Description: This is a digitally signed message part

[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Obfuscated web pages, Mike Barkett
Next by Date:  Re: Obfuscated web pages, Arian J. Evans
Previous by Thread:  Re: Obfuscated web pages, Jon Oberheide
Next by Thread:  Re: Obfuscated web pages, Kowsik
Indexes:  [Date] [Thread] [Top] [All Lists]