Libershal, David M. wrote:
The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for http packets and 2 for SMTP traffic.
I've seen signatures in other products that detect standard encodings of things like shellcode. Is this what it is doing?
David Libershal Network Security EngineerEnterprise Telecommunications Group Johns Hopkins University Applied Physics Laboratory 11100 Johns Hopkins Rd Laurel, MD 20723-6099 443-778-7196 (office) 443-778-5727 (FAX)-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gary Flynn Sent: Thursday, February 14, 2008 1:45 PM To: [email protected] Subject: Obfuscated web pages Are any current network based IDS/P systems able to unwind obfuscated web script to examine the final javascript product? It would seem they would have to have a javascript engine to do so and issues with reassembly, iterations, and delays would preclude them from doing it inline. Without this capability, it would seem that network based IDS/IPS is destined to digress to AV style malware signatures for malicious web server issues and that the only reliable place to do IDS/P would be on the host. We've been seeing more and more obfuscated web script and according to a recently released IBM report, the majority of exploits are taking this path. http://www.iss.net/x-force_report_images/2008/index.html Thoughts? -- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
-- Gary Flynn Security Engineer James Madison University www.jmu.edu/computing/security
smime.p7s
Description: S/MIME Cryptographic Signature
