Re: Obfuscated web pages
- From: Mike Lococo <mike.lococo@xxxxxxx>
- Date: Thu, 14 Feb 2008 16:50:42 -0500
> Are any current network based IDS/P systems able to unwind
> obfuscated web script to examine the final javascript product?
Others have noted that this isn't often attempted, but it should also be mentioned that it *can't* be done generically for links of any significant bandwidth. If the unwinding routine takes a tenth of a second to run on a fast modern processor the web-browser user won't notice at all. Your IDS, on the other hand, will fall over at 10 packets/second. As processors get faster, attackers will use more complex unwinding routines to ensure the CPU load is prohibitive for an IDS.
> Without this capability, it would seem that network based
> IDS/IPS is destined to digress to AV style malware
> signatures for malicious web server issues and that the only
> reliable place to do IDS/P would be on the host.
As others have noted, both A/V and IDS are signature based detection mechanisms, so that issue exists independent of the obfuscation/unwinding issue.
Thanks,
Mike Lococo