IDS mailing list archives
RE: Obfuscated web pages
From: "Mike Barkett" <mbarkett () us checkpoint com>
Date: Fri, 29 Feb 2008 17:28:36 -0500
Well, my friend, I guess we will have to agree to disagree and leave it at that for now. As you said, the topic is tiresome now that our respective opinions are already on the table, and surely time will tell. The only part I feel compelled to respond to is the sentence below in which you wryly call out my method of argumentation. To reiterate, I answered two separate questions differently: the original thread query (re: DOM inspection) in the hypothetical future tense, using past experiences as support for an opinion; and an ancillary question (re: sandboxed signatures) in the literal present, using current facts as support. No mixing of abstraction necessary. Hopefully the thoughts expressed in this thread will inspire one of the many college students on this list to take up the challenge, and try to demonstrate whether or not inline JS inspection can be made to be somewhat useful. If anyone does decide to try to implement it with N-code or any other language, then let me know and I'd be happy to lend some ideas to the cause. Thanks. -MAB -- Michael A Barkett, CISSP IPS Security Engineering Director Check Point Software Technologies +1.240.632.9000 Fax: +1.240.747.3512
-----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ivan Arce Sent: Thursday, February 28, 2008 8:14 PM To: Mike Barkett; focus-ids () securityfocus com Subject: Re: Obfuscated web pages
...
generally not the tone of this list, and I doubt either of us has thetime.In my opinion, it would be a mistake to flout the continued maturationofanalysis technology, much as was done by the many people who a decadeagothought that IPS was infeasible. Ptacek and Newsham's paper wasseminal,and defense against those principles is a must-have in the IPS worldtoday,but let's not forget that 10 years ago many were citing that paper as a harbinger of doom for IDS, not to mention IPS. Yet, within a coupleyears,the better IDS products had accounted for all the methods.You seem to mix different layers of abstraction in the manner that best serves to support your opinion, which is completely fair game but not necessarily accurate.
------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
Current thread:
- Re: Obfuscated web pages Stefano Zanero (Mar 04)
- <Possible follow-ups>
- RE: Obfuscated web pages Mike Barkett (Mar 04)