Are any current network based IDS/P systems able to unwind obfuscated web script to examine the final javascript product? It would seem they would have to have a javascript engine to do so and issues with reassembly, iterations, and delays would preclude them from doing it inline.
Without this capability, it would seem that network based IDS/IPS is destined to digress to AV style malware signatures for malicious web server issues and that the only reliable place to do IDS/P would be on the host. We've been seeing more and more obfuscated web script and according to a recently released IBM report, the majority of exploits are taking this path. http://www.iss.net/x-force_report_images/2008/index.html Thoughts? -- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
smime.p7s
Description: S/MIME Cryptographic Signature
