Re: Obfuscated web pages

Libershal, David M. wrote:
The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for
http packets and 2 for SMTP traffic.

I've seen signatures in other products that detect standard
encodings of things like shellcode. Is this what it is

David Libershal Network Security Engineer
Enterprise Telecommunications Group

Johns Hopkins University Applied Physics Laboratory
11100 Johns Hopkins Rd
Laurel, MD 20723-6099

443-778-7196 (office)
443-778-5727 (FAX)

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Gary Flynn
Sent: Thursday, February 14, 2008 1:45 PM
To: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Obfuscated web pages

Are any current network based IDS/P systems able to unwind obfuscated web
script to examine the final javascript product?
It would seem they would have to have a javascript engine to do so and
issues with reassembly, iterations, and delays would preclude them from
doing it inline.

Without this capability, it would seem that network based IDS/IPS is
destined to digress to AV style malware signatures for malicious web server
issues and that the only reliable place to do IDS/P would be on the host.

We've been seeing more and more obfuscated web script and according to a
recently released IBM report, the majority of exploits are taking this path.


Gary Flynn
Security Engineer
James Madison University

Gary Flynn
Security Engineer
James Madison University

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature