Re: Obfuscated web pages



On Thu, 2008-02-14 at 16:17 -0500, Gary Flynn wrote:
Tim wrote:
The specific issue of JavaScript obfuscation drives this point home
quite well. IMO, it is unlikely that any IDS engine could implement
the beast that is ECMAScript and all of it's children and still be safe
while reliably detecting attacks. It approaches issues similar to the
halting problem.

I suspect that no vendors support this feature ( actual code
execution in some sort of sandbox ) and I was just trying to
verify it.

Also on Thu, 2008-02-14 at 16:05 -0500, Gary Flynn wrote:
Libershal, David M. wrote:
The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for
http packets and 2 for SMTP traffic.

I've seen signatures in other products that detect standard
encodings of things like shellcode. Is this what it is
doing?

Oddly enough, I just published a paper on shellcode encoding for evading
network security/monitoring systems that cites two different projects
that attempt to do this type of thing for shellcode in real-time in a
sandbox environment, however they both were not ID/PS systems:

http://www.uninformed.org/?v=9&a=3&t=sumry

--
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.

Attachment: signature.asc
Description: This is a digitally signed message part