I haven't seen any IDS/IPS that do this competently. ISS's "Proventia" or whatever their new all-in-wonder IPS box is claims to do this, but then it also lists as a feature that it can prevent "phishing" so my expectations are rather low.
We have someone deploying it inline for testing so I should be able to comment more on that device soon, but in general, even WAFs have a hard time at this. Doubt this will make this list as last I checked SF still blocks gmail forwarded email. Arian J. Evans software security stuff On Thu, Feb 14, 2008 at 10:44 AM, Gary Flynn <[EMAIL PROTECTED]> wrote: > > Are any current network based IDS/P systems able to unwind > obfuscated web script to examine the final javascript product? > It would seem they would have to have a javascript engine to > do so and issues with reassembly, iterations, and delays > would preclude them from doing it inline. > > Without this capability, it would seem that network based > IDS/IPS is destined to digress to AV style malware > signatures for malicious web server issues and that the only > reliable place to do IDS/P would be on the host. > > We've been seeing more and more obfuscated web script and > according to a recently released IBM report, the majority > of exploits are taking this path. > > http://www.iss.net/x-force_report_images/2008/index.html > > Thoughts? > > -- > Gary Flynn > Security Engineer > James Madison University > www.jmu.edu/computing/security > -- Arian Evans software security stuff ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
