IDS mailing list archives
Re: CSLID evasion - Client protection
From: "Stuart Staniford" <sstaniford () FireEye com>
Date: Wed, 25 Mar 2009 17:31:09 -0700
On Mar 25, 2009, at 11:07 AM, Addepalli Srini-B22160 wrote:
Hi Ravi, Regular expression based matching (however good they are) on raw data does not work in these cases. There are too many variations that are possible. You gave one example. But many more are possible as JavaScript is a programming language and there are many ways to create a string. Some support is required in the network devices to decode HTML pages and JavaScript to normalize the data before analyzing rules. I am not aware of any IDP device in the market today that does JavaScript and HTML page analysis.
We (FireEye) do :-)

Our device is not a general purpose IDS, but, in its main mode of use, is oriented to detecting both callbacks of bots, and web-based installation of bots by drive-by downloads (by monitoring egress network links). For a typical enterprise, most desktop compromises are now occurring as a result of the web so this is a fairly useful set of functionality.
The latter (infection-detection) functionality is pretty new. We do a two stage analysis - in the first stage, we do a fast parse of the HTML and JavaScript and use a variety of statistical anomaly techniques to decide that it's suspicious (e.g. it's clearly obfuscated). The suspicious stuff is then replayed to an actual browser/OS/set of plugins in an instrumented virtual machine. That makes the final decision (which eliminates the false positive problems that otherwise plague statistical anomaly detection techniques). We have 6-12 VMs running at all times in the appliance on whatever looks most suspicious right then.
Stuart Staniford Chief Scientist, FireEye.
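An added illustration of the two points made above (it is example code written for this archive page, not FireEye's product code or anything Stuart or Srini posted): a literal signature on raw script text does not fire on a script that assembles its strings at runtime, while a handful of cheap statistical features computed in a first-pass parse do flag it as a candidate for the expensive VM replay stage. The sample scripts, the feature set and the thresholds are all constructed for this example.

```python
import math
import re
from collections import Counter

# Constructed samples (not from the thread). The second spells the names
# "document" and "write" with hex escapes and builds its payload at runtime,
# so no literal "document.write(" ever appears on the wire.
BENIGN_JS = r"""
function greet(name) {
  var msg = "Hello, " + name + "!";
  document.getElementById("out").innerText = msg;
}
greet("world");
"""
OBFUSCATED_JS = r"""
var _0x1a=['\x64\x6f\x63\x75\x6d\x65\x6e\x74','\x77\x72\x69\x74\x65'];
var s="";for(var i=0;i<40;i++){s+=String.fromCharCode(104+i%7);}
eval("window[_0x1a[0]][_0x1a[1]](unescape('%3c%73%63%72%69%70%74%3e')+s)");
"""

SIGNATURE = re.compile(r"document\.write\s*\(")  # naive rule on raw data
SUSPICIOUS_CALLS = re.compile(r"\b(eval|unescape|fromCharCode|atob)\s*\(")
ESCAPES = re.compile(r"\\x[0-9a-fA-F]{2}|\\u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")

def signature_hit(js):
    """Does the literal document.write( signature fire on the raw script?"""
    return SIGNATURE.search(js) is not None

def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def features(js):
    """Cheap first-pass statistics a fast parse can compute inline."""
    return {
        "suspicious_calls": len(SUSPICIOUS_CALLS.findall(js)),
        "escape_sequences": len(ESCAPES.findall(js)),
        "entropy": shannon_entropy(js),
        "symbol_ratio": sum(not (c.isalnum() or c.isspace()) for c in js) / max(len(js), 1),
    }

def obfuscation_score(js):
    """One point per feature above its threshold (thresholds are assumed, illustrative)."""
    f = features(js)
    return ((f["suspicious_calls"] >= 2) + (f["escape_sequences"] >= 8)
            + (f["entropy"] > 5.0) + (f["symbol_ratio"] > 0.35))

def is_suspicious(js, threshold=2):
    """True means: hand this script to the second stage (replay in an instrumented VM)."""
    return obfuscation_score(js) >= threshold
```

The score only selects what is worth replaying; as the message notes, the VM replay is what makes the final call, which is how the statistical stage avoids becoming a false-positive generator on its own.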