Re: Obfuscated web pages

I haven't seen any IDS/IPS that do this competently.

ISS's "Proventia" or whatever their new all-in-wonder IPS box is
claims to do this, but then it also lists as a feature that it can
prevent "phishing" so my expectations are rather low.

We have someone deploying it inline for testing so I should
be able to comment more on that device soon, but in general,
even WAFs have a hard time at this.

Doubt this will make this list as last I checked SF still blocks
gmail forwarded email.

Arian J. Evans
software security stuff

On Thu, Feb 14, 2008 at 10:44 AM, Gary Flynn <flynngn@xxxxxxx> wrote:

Are any current network based IDS/P systems able to unwind
obfuscated web script to examine the final javascript product?
It would seem they would have to have a javascript engine to
do so and issues with reassembly, iterations, and delays
would preclude them from doing it inline.

Without this capability, it would seem that network based
IDS/IPS is destined to digress to AV style malware
signatures for malicious web server issues and that the only
reliable place to do IDS/P would be on the host.

We've been seeing more and more obfuscated web script and
according to a recently released IBM report, the majority
of exploits are taking this path.


Gary Flynn
Security Engineer
James Madison University

Arian Evans
software security stuff

Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
to learn more.