Re: Obfuscated web pages

Gary Flynn wrote:

> I've seen signatures in other products that detect standard
> encodings of things like shellcode. Is this what it is
> doing?

Don't tell this to David Maynor, who some time ago claimed that no IDPS 
vendor does this :)
(http://erratasec.blogspot.com/2007/03/yet-more-blogging-blackhat.html)

In fact, that's a quite common approach which does not work, as I 
illustrated maybe even too many times:
http://www.blackhat.com/presentations/bh-dc-07/Zanero/Presentation/bh-dc-07-Zanero.pdf

Doing the same thing over with scripts is just as silly. You cannot 
decode everything at the speed that you need, and in addition, as it was 
pointed out in 1998 (TEN YEARS ago) by Ptacek and Newsham, trying to 
cope with all the possible ways to create insertion or evasion attacks 
will automatically generate a load of false positives.

Best,
Stefano

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------