> -----Original Message----- > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Mike Lococo > Sent: Thursday, February 14, 2008 4:51 PM > > > Are any current network based IDS/P systems able to unwind > > obfuscated web script to examine the final javascript product? > > Others have noted that this isn't often attempted, but it should also be > mentioned that it *can't* be done generically for links of any > significant bandwidth. If the unwinding routine takes a tenth of a > second to run on a fast modern processor the web-browser user won't > notice at all. Your IDS, on the other hand, will fall over at 10 > packets/second. As processors get faster, attackers will use more > complex unwinding routines to ensure the CPU load is prohibitive for an > IDS.
Mike - An alternative would be to prevent routines that are too complex by default, and allow the administrator to define higher thresholds or whitelists for trusted sites. Also, the IDS wouldn't fall over if it were capable of any kind of parallelization; just those particular connections would be delayed. Bear in mind, we're still talking about a theoretical DOM inspector here, as opposed to an extant general purpose IPS product. > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] > On Behalf Of Gary Flynn > Sent: Thursday, February 14, 2008 4:18 PM > > I suspect that no vendors support this feature ( actual code > execution in some sort of sandbox ) and I was just trying to > verify it. > Gary - Actually, the Check Point IPS-1 (formerly NFR) sensor engine has, for many years, executed protections in a "sandbox" so that no single protection can dominate the processor(s). So, if someone were to write N-code to try to interpret generalized code, it would operate in that same sandbox, for lack of a better term. This even applies inline. However, just to be clear, off the shelf, IPS-1 does not do any of the theoretical DOM validation stuff previously mentioned in this thread. -MAB -- Michael A Barkett, CISSP IPS Security Engineering Director Check Point Software Technologies +1.240.632.9000 Fax: +1.240.747.3512 ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
