Stuart Staniford wrote:

> The original example was artificial, but the issue is very real.

Stuart, we are deviating from the original issue.

> A common obfuscation technique in JavaScript (more common a year or
> two ago) is to have something like:
[...]
> A simple string matching signature mechanism is useless here (you can
> alert on things like "eval(unescape(" and some IDS's do, but you will false
> positive like crazy as legitimate pages also use the idiom).

Really, you're pushing on an open door here. My whole research life has
been dedicated to anomaly detection, and I completely agree on simple
pattern matching being useless against such attacks and being far from
complete.

I just didn't agree on the specific example raised by Damiano, as I
don't see it happening anywhere in a real attack. Your example is much
more compelling (and you'll find similar ones in all of my
presentations, as well as Damiano's, I'm sure ;-)

SZ

