IDS mailing list archives
Re: ISS's IPS and Javascript interpreter
From: levinson_k () securityadmin info
Date: 5 Jan 2007 03:38:35 -0000
This is one drawback to IDS/IPS vendors like ISS that use closed source signatures: you're never entirely sure what their detection capabilities are, or how good. But for the full answer, you should read the thread here from this week on IPS evasion, if you haven't already. This kind of attack can probably be coded to evade pretty much any IDS or IPS. Even something as simple as using HTTPS encryption, a different encoding method or insertion of meaningless ignored characters foils most NIDS/NIPS deployments.

IMHO, the answer is that all network-based IDS/IPS are roughly equally customizable to be able to detect such attacks with your own signatures, and all NIDS/NIPS are roughly equally easy to conceal such attacks from, with a little effort and some known evasion techniques that are a decade old.

I believe many of the current exploits today that use javascript to build the payload commonly use a series of NOOP-like codes such as %u9090 to pad the code as needed. You can easily add one or several custom signatures to detect today's javascripted attacks (for example, a sig looking for a string of five or so %u9090 codes transmitted across common HTTP ports like TCP 80, 8080, etc.). I find you get very few false positives with this kind of signature, compared to the traditional binary / hex encoded 0x90 NOOP signatures most IDS/IPS products use today. (You will however see some actual attacks that aren't "interesting," because they weren't successful and weren't intentionally directed specifically at your users. And because there are many varieties of NOOP characters and ways of encoding / encrypting them, you can never be guaranteed to detect all such future attacks.)

Such a signature could very well be safe to deploy with automatic IPS blocking in many environments. In a sizable environment, you may very well see more alerts / attacks than you could possibly investigate by manual means.
kind regards,
Karl Levinson
http://securityadmin.info
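The custom signature described in the post (a run of five or so %u9090 codes bound for common HTTP ports), written out as detection logic and run over constructed sample traffic. This is an added example, not code from the post or from any IDS product; the port set beyond 80 and 8080, the record format and the sample payloads are assumptions, and the last sample shows the post's caveat that separating the tokens with ignored characters takes the payload outside this signature.

```python
"""Custom NIDS-style signature: runs of %u9090 (unicode-escaped NOP padding)
in traffic to common HTTP ports. Added example, not from the original post."""
import re

# Ports named in the post (80, 8080) plus two common alternates (assumption).
HTTP_PORTS = {80, 8080, 8000, 8888}

# Signature: five or more back-to-back %u9090 tokens, any letter case.
# Built by concatenation because '%u' is a printf-style specifier in Python.
SLED_THRESHOLD = 5
SLED_RE = re.compile(r'(?:%u9090){' + str(SLED_THRESHOLD) + ',}', re.IGNORECASE)
TOKEN_RUN_RE = re.compile(r'(?:%u9090)+', re.IGNORECASE)


def longest_sled_run(payload: str) -> int:
    """Return the largest number of consecutive %u9090 tokens in payload."""
    longest = 0
    for m in TOKEN_RUN_RE.finditer(payload):
        longest = max(longest, len(m.group(0)) // len('%u9090'))
    return longest


def matches_signature(dst_port: int, payload: str) -> bool:
    """True when traffic to an HTTP port carries a qualifying token run."""
    return dst_port in HTTP_PORTS and SLED_RE.search(payload) is not None


def scan(records):
    """Run the signature over (src, dst_port, payload) tuples; return alerts."""
    alerts = []
    for src, dst_port, payload in records:
        if matches_signature(dst_port, payload):
            alerts.append({'src': src, 'dst_port': dst_port,
                           'run': longest_sled_run(payload)})
    return alerts


# Constructed sample traffic (not real captures).
SAMPLE_RECORDS = [
    # Benign page: a couple of %u escapes in a JS string, far below threshold.
    ("10.0.0.5", 80, 'var s = "%u0041%u0042"; document.write(s);'),
    # Six consecutive tokens to port 8080 -> alert.
    ("10.0.0.6", 8080,
     'var nop = unescape("%u9090%u9090%u9090%u9090%u9090%u9090");'),
    # Same padding to a non-HTTP port -> out of scope for this signature.
    ("10.0.0.7", 25, 'var nop = unescape("%u9090%u9090%u9090%u9090%u9090");'),
    # Tokens separated by whitespace: the post's caveat, not matched.
    ("10.0.0.8", 80, 'unescape("%u9090 %u9090 %u9090 %u9090 %u9090")'),
]

if __name__ == '__main__':
    for a in scan(SAMPLE_RECORDS):
        print(f"ALERT src={a['src']} dst_port={a['dst_port']} run={a['run']}")
```

Only the second record alerts; the fourth is the reminder that a signature keyed to one exact encoding has to be paired with others (or with decoding before matching) if it is going to be relied on for automatic blocking.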