IDS mailing list archives
Re: Obfuscated web pages
From: Jon Oberheide <jon () oberheide org>
Date: Thu, 14 Feb 2008 21:28:53 -0500
On Thu, 2008-02-14 at 16:17 -0500, Gary Flynn wrote:
> Tim wrote:
> > The specific issue of JavaScript obfuscation drives this point home quite well. IMO, it is unlikely that any IDS engine could implement the beast that is ECMAScript and all of its children and still be safe while reliably detecting attacks. It approaches issues similar to the halting problem.
>
> I suspect that no vendors support this feature (actual code execution in some sort of sandbox) and I was just trying to verify it.

I would recommend checking out SpyProxy, presented at last year's USENIX Security. While it's not a commercial vendor-supported product and has its share of limitations, it does demonstrate that an inline execution-based IDS/IPS proxy may be feasible:

http://www.cs.washington.edu/homes/tbragin/spyproxy.pdf

Regards,
Jon Oberheide

--
Jon Oberheide <jon () oberheide org>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE