IDS mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Obfuscated web pages

From: Stefano Zanero <s.zanero () securenetwork it>
Date: Fri, 15 Feb 2008 21:16:45 +0100
Gary Flynn wrote:


I've seen signatures in other products that detect standard
encodings of things like shellcode. Is this what it is
doing?
Don't tell this to David Maynor, who some time ago claimed that no IDPS vendor does this :) 
(http://erratasec.blogspot.com/2007/03/yet-more-blogging-blackhat.html)
In fact, that's a quite common approach which does not work, as I illustrated maybe even too many times: 
http://www.blackhat.com/presentations/bh-dc-07/Zanero/Presentation/bh-dc-07-Zanero.pdf
Doing the same thing over with scripts is just as silly. You cannot decode everything at the speed that you need, and in addition, as it was pointed out in 1998 (TEN YEARS ago) by Ptacek and Newsham, trying to cope with all the possible ways to create insertion or evasion attacks will automatically generate a load of false positives. 

Best,
Stefano

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. 
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: