Re: Obfuscated web pages
- From: Stefano Zanero <s.zanero@xxxxxxxxxxxxxxxx>
- Date: Fri, 15 Feb 2008 21:16:45 +0100
Gary Flynn wrote:
I've seen signatures in other products that detect standard
encodings of things like shellcode. Is this what it is
doing?
Don't tell this to David Maynor, who some time ago claimed that no IDPS vendor does this :)
(http://erratasec.blogspot.com/2007/03/yet-more-blogging-blackhat.html)
In fact, that's a quite common approach which does not work, as I illustrated maybe even too many times:
http://www.blackhat.com/presentations/bh-dc-07/Zanero/Presentation/bh-dc-07-Zanero.pdf
Doing the same thing over with scripts is just as silly. You cannot decode everything at the speed that you need, and in addition, as it was pointed out in 1998 (TEN YEARS ago) by Ptacek and Newsham, trying to cope with all the possible ways to create insertion or evasion attacks will automatically generate a load of false positives.
Best,
Stefano
------------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly?
Find out quickly and easily by testing it with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
- References:
- Obfuscated web pages
- From: Gary Flynn
- RE: Obfuscated web pages
- From: Libershal, David M.
- Re: Obfuscated web pages
- From: Gary Flynn
- Obfuscated web pages
- Prev by Date: Re: Obfuscated web pages
- Next by Date: Re: Obfuscated web pages
- Previous by thread: Re: Obfuscated web pages
- Next by thread: Re: Obfuscated web pages
- Index(es):
