IDS mailing list archives

Re: Obfuscated web pages


From: Stefano Zanero <zanero () elet polimi it>
Date: Sat, 01 Mar 2008 23:45:25 +0100

dxp wrote:
> You forgot to mention another good signature "Javascript_NOOP_Sled".  It
> used to provide decent detection about a year ago, now it's useless
> against obfuscated code.

And it was very easy to guess it would end like this.

Generic "shellcode" signatures worked only as long as the bad guys didn't get the point that they were substantially useless. Javascript is going down the same route. Amazing how things never change and how we love getting fscked always in the same way :)

> However, all these ISS Javascript script signatures have a very high
> False Positive rate.  Since you work for IBM perhaps you can get this
> across to the right people.

You cannot really do them "right", because the fewer false positives you generate, the fewer true positives you hit. You are better off just disabling such sigs.

My .02 EUR (which is close to .03 USD these days)
Stefan
