On 14/02/2008, Gary Flynn <[EMAIL PROTECTED]> wrote:
>
> Are any current network based IDS/P systems able to unwind
> obfuscated web script to examine the final javascript product?
> It would seem they would have to have a javascript engine to
> do so and issues with reassembly, iterations, and delays
> would preclude them from doing it inline.

This is a real issue these days - just try out metasploit v.3's web-based attacks against snort and see how many you can detect.

I don't know of any sensible way to do this in IDS - you can crawl URLs with honeypots such as CaptureHPC ( https://www.client-honeynet.org/capture.html ) to see if they are actually malicious. However scaling this up to check all the URLs that have been visited by your users is not a simple task.

cheers,
Jamie
--
Jamie Riden / [EMAIL PROTECTED] / [EMAIL PROTECTED]
UK Honeynet Project: http://www.ukhoneynet.org/
