Re: Re: how to avoid false positive in generic cross site scripting attack ids signature

From: "Abhishek Bhuyan" <abhuyan@xxxxxxxxx>
Date: Sun, 11 Feb 2007 15:37:07 +0530

How about UTF-7 XSS attack?
False positive will be there, you need to reduce it as much as
possible. But just checking for javascript: is not a good idea.
Keeping an eye on no. of occurrence of particular patterns might help.

On 6 Feb 2007 11:44:45 -0000, rathnach@xxxxxxxxx <rathnach@xxxxxxxxx> wrote:

1st is, whether executing javascript on clients browser context in http req. is permissible.

>>>>>> we don't have any control to implement policy to restrict developers using such feature.

2nd as yahoo is one of the most visted sit, how can avoid cjances of false postive, and is there any way to harden this signature.
>>>>>>IDS detection is most effective only when it is configured properly and signatures are specific to attack.

Generic signatures are only good to identify unknown attacks,Provided you have good logging capability. but problem is false positives.
My would suggest is to find some vulnerable file path + XXS pattern to be more effective.

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------

References:
- Re: Re: how to avoid false positive in generic cross site scripting attack ids signature
  - From: rathnach

Prev by Date: RE: Distributed intrusion detection systems
Next by Date: RE: IPS and Trunking
Previous by thread: Re: Re: how to avoid false positive in generic cross site scripting attack ids signature
Next by thread: IPS and Trunking
Index(es):
- Date
- Thread

Relevant Pages

RE: False Positives with IntruVert
... right on defense for IPS that I have seen. ... Subject: False Positives with IntruVert ... There are clearly attacks that will 100% not false positive. ...
(Focus-IDS)
RE: False Positives with IntruVert
... Subject: False Positives with IntruVert ... a different statement than IPS is not functional or not worth time or money. ... prevent attacks, ... profiled the attacks (signature or anomaly or combination of both)) has ...
(Focus-IDS)
RE: False Positives with IntruVert
... product but to put into perspective the CURRENT value of IPS. ... There are clearly attacks that will 100% not false positive. ... have all been burned with false positives and I am sure that is where the ... Subject: False Positives with IntruVert ...
(Focus-IDS)
RE: Network hardware IPS
... Assunto: RE: Network hardware IPS ... > are going to catch novel or semi-novel attacks using very specific rules ... > produce more false positives than we can handle, ... being "attacked" on something you have no vulnerability against (i.e. you ...
(Focus-IDS)
RE: Firewall Activity analysis
... steadily progressing along with anomaly detection at the higher level. ... false positives this is true however that level of false positive can be ... any new attacks that the attacker ... those logs might show up in AIDE, and finally if they crashed the apache ...
(Focus-IDS)