IDS mailing list archives
Re: Obfuscated web pages
From: Stefano Zanero <zanero () elet polimi it>
Date: Sat, 01 Mar 2008 23:45:25 +0100
dxp wrote:
> You forgot to mention another good signature "Javascript_NOOP_Sled". It used to provide decent detection about a year ago, now it's useless against obfuscated code.

And it was very easy to guess it would end like this. Generic "shellcode" signatures worked only as long as the bad guys didn't get the point that they were substantially useless. Javascript is going down the same route. Amazing how things never change and how we love getting fscked always in the same way :)

> However, all these ISS Javascript script signatures have a very high False Positive rate. Since you work for IBM perhaps you can get this across to the right people.

You cannot really do them "right", because the fewer false positives you generate, the fewer true positives you hit. You are better off just disabling such sigs.

My .02 EUR (which is close to .03 USD these days)
Stefan