IDS mailing list archives
RE: Obfuscated web pages
From: "Mike Barkett" <mbarkett () us checkpoint com>
Date: Thu, 14 Feb 2008 16:18:07 -0500
You're really talking about the difference between client-based protections and server-based protections. Let's not throw the baby out with the bathwater; network IDS/IPS does much more than just "AV style malware signatures for malicious web server issues." Most of today's IPS products can quite deftly clean out a vast array of types of malicious activity, whether automated or not, across a bevy of network protocols, not just web. Regarding inline JS inspection, I've said it before and I still believe that one day there will be a full DOM proxy product that is capable of running inline. Yes, its speeds will lag other network devices, and yes, browser attacks will probably be yesterday's news by then anyway, but it would be foolish to suggest that it is theoretically impossible to do. In the meantime, if you have embraced defense-in-depth and gotten yourself a trustworthy network IPS, a thorough endpoint solution, and you use only locked down browsers, then you'll be ok. -MAB -- Michael A Barkett, CISSP IPS Security Engineering Director Check Point Software Technologies +1.240.632.9000 Fax: +1.240.747.3512
-----Original Message----- Are any current network based IDS/P systems able to unwind obfuscated web script to examine the final javascript product? It would seem they would have to have a javascript engine to do so and issues with reassembly, iterations, and delays would preclude them from doing it inline. Without this capability, it would seem that network based IDS/IPS is destined to digress to AV style malware signatures for malicious web server issues and that the only reliable place to do IDS/P would be on the host. We've been seeing more and more obfuscated web script and according to a recently released IBM report, the majority of exploits are taking this path. http://www.iss.net/x-force_report_images/2008/index.html Thoughts? -- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- RE: Obfuscated web pages, (continued)
- RE: Obfuscated web pages Libershal, David M. (Feb 14)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Stefano Zanero (Feb 19)
- Re: Obfuscated web pages Gary Flynn (Feb 14)
- Re: Obfuscated web pages Arian J. Evans (Feb 14)
- Re: Obfuscated web pages Mike Lococo (Feb 14)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Ivan Arce (Feb 21)
- RE: Obfuscated web pages Mike Barkett (Feb 25)
- Re: Obfuscated web pages Ivan Arce (Feb 29)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- RE: Obfuscated web pages Libershal, David M. (Feb 14)
- Re: Obfuscated web pages Arian J. Evans (Feb 15)
- RE: Obfuscated web pages Mike Barkett (Feb 15)
- Re: Obfuscated web pages Ivan Arce (Feb 21)
- Re: Obfuscated web pages Dustin D. Trammell (Feb 21)