Re: Javascript long string detection



Right. If traffic does not go through IPS, it has no way of detecting
exploits. Some companies allow phone traffic to go through its network
for all kinds of traffic with split tunnel mode OFF. In these cases
too, network IPS, when deployed at the right place can detect the
exploits.

thanks
Ravi


On Wed, Jun 11, 2008 at 11:21 AM, Ureleet <ureleet@xxxxxxxxx> wrote:
on the iphone? how are you going to detect that using a network based ips?

i mean, if the iphone is on wifi, but other than that...

On Mon, Jun 9, 2008 at 11:56 PM, Ravi Chunduru
<ravi.is.chunduru@xxxxxxxxx> wrote:
This seems fine to me. do you know the vulnerable version of Safari browser?

Thanks
Ravi

On Mon, Jun 9, 2008 at 7:17 PM, Srinivasa Addepalli <srao@xxxxxxxxxx> wrote:
Hi Ravi,

You are right that many IDS/IPS systems don't have java script analyzers.
Even the systems that have these analyzers will also have problems in
detecting these kinds of attacks.

One simple way is to create a signature which checks version string in
User-Agent field and javascript in response html data. If user agent
version indicates vulnerable software edition and javascript is seen, this
signature flags the administrator. Since javascript is not analyzed, there
could be false positives; but at the minimum, it provides logs and alerts to
administrator to take further action.

Srini


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of Ravi Chunduru
Sent: Saturday, June 07, 2008 1:55 PM
To: Focus IDS
Subject: Javascript long string detection

Hi,

I have come across this vulnerability

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2008-0729

and corresponding Exploit at

http://www.milw0rm.org/exploits/5268

There are so many ways to create a long string in Javascript. How do
Network based IDS/IPS can detect these kinds of attacks? Is it
possible to create signatures to detect these attacks? Many existing
IDS/IPS devices don't have capabilities to interpret and evaluate
javascripts. So, I would think that it is nearly impossible. Any
insight?

Thanks
Ravi

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=in
tro_sfw
to learn more.
------------------------------------------------------------------------




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------




------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------



Relevant Pages

  • Re: Javascript long string detection
    ... i mean, if the iphone is on wifi, but other than that... ... User-Agent field and javascript in response html data. ... Network based IDS/IPS can detect these kinds of attacks? ... with real-world attacks from CORE IMPACT. ...
    (Focus-IDS)
  • Re: IDSIPS that can handle one Gig
    ... especially with 64-byte UDP packets. ... There are plenty of network IPS's ... IDS/IPS devices through use of fragments. ... Find out quickly and easily by testing it with real-world attacks from ...
    (Focus-IDS)
  • RE: IDSIPS that can handle one Gig
    ... is quite a reasonable amount to assume on your average enterprise network, ... a bit of a bun fight when you place two vendors side by side and ... What is important, however, is the number of packets per second the device ... Find out quickly and easily by testing it with real-world attacks from CORE ...
    (Focus-IDS)
  • RE: HIDS/HIPS Selection Process
    ... network based, many of the same considerations are suggested. ... Subject: Re: HIDS/HIPS Selection Process ... > with real-world attacks from CORE IMPACT. ...
    (Focus-IDS)
  • Re: Writing signatures for e-mail virus attachments
    ... "it collects file transmission bytestreams from compatible network protocol state machines and performs quick decoding on file formats that have been used as exploit transmission vectors, thus treating the file format itself as a network data protocol" ... "This backend examines the file header structures of 32-bit Enhanced Metafiles and 16-bit Windows Metafiles, including the popular Aldus Placable Metafile variety. ... Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. ...
    (Focus-IDS)