IDS mailing list archives
Re: Obfuscated web pages
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 14 Feb 2008 11:51:39 -0800
Without this capability, it would seem that network based IDS/IPS is destined to digress to AV style malware signatures for malicious web server issues and that the only reliable place to do IDS/P would be on the host.
Signature-based IDS systems are exactly like AV systems, just network focussed. They are always going to be at least one step behind attackers. The specific issue of JavaScript obfuscation drives this point home quite well. IMO, it is unlikely that any IDS engine could implement the beast that is ECMAScript and all of its children and still be safe while reliably detecting attacks. It approaches issues similar to the halting problem.

tim