Tim wrote:
>> Without this capability, it would seem that network-based IDS/IPS is destined to digress to AV style malware signatures for malicious web server issues and that the only reliable place to do IDS/P would be on the host.
>
> Signature-based IDS systems are exactly like AV systems, just network focussed. They are always going to be at least one step behind attackers. The specific issue of JavaScript obfuscation drives this point home quite well. IMO, it is unlikely that any IDS engine could implement the beast that is ECMAScript and all of its children and still be safe while reliably detecting attacks. It approaches issues similar to the halting problem.
I agree that it would be hard, though some of the issues could be addressed with a watchdog timer limiting iterations or processing time. Of course those same measures would provide a way to bypass the device. Then again, code behavior that trips those limits may be unique to malicious code, so it could be used as a reason to drop the associated traffic anyway. I suspect that no vendors support this feature (actual code execution in some sort of sandbox) and I was just trying to verify it.

--
Gary Flynn
Security Engineer
James Madison University
www.jmu.edu/computing/security
