On Mar 25, 2009, at 11:07 AM, Addepalli Srini-B22160 wrote:
> Hi Ravi,
> Regular expression based matching (however good they are) on raw data
> does not work in these cases. There are too many variations that are
> possible. You gave one example. But many more are possible as JavaScript
> is a programming language and there are many ways to create a string.
> Some support is required in the network devices to decode HTML pages and
> JavaScript to normalize the data before analyzing rules. I am not
> aware of any IDP device in the market today that does JavaScript and
> HTML page analysis.
We (FireEye) do :-)
Our device is not a general purpose IDS, but, in its main mode of
use, is oriented to detecting both callbacks of bots, and web-based
installation of bots by drive-by downloads (by monitoring egress
network links). For a typical enterprise, most desktop compromises
are now occurring as a result of the web so this is a fairly useful
set of functionality.
The latter (infection-detection) functionality is pretty new. We do a
two stage analysis - in the first stage, we do a fast parse of the
HTML and JavaScript and use a variety of statistical anomaly
techniques to decide that it's suspicious (e.g. it's clearly
obfuscated). The suspicious stuff is then replayed to an actual
browser/OS/set of plugins in an instrumented virtual machine. That
makes the final decision (which eliminates the false positive problems
that otherwise plague statistical anomaly detection techniques). We
have 6-12 VMs running at all times in the appliance on whatever looks
most suspicious right then.
Stuart Staniford
Chief Scientist, FireEye.
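An added example, written for this page and not code from either poster or from FireEye's appliance, of the kind of stage-one statistics the reply describes: cheap features computed over raw script text that flag likely obfuscation for later replay, which also illustrates Srini's point that a raw regex for a call name misses the runtime-assembled form. The two sample scripts, the regexes, the feature weights and the threshold are all constructed assumptions.

```python
import math
import re

# Constructed samples, not taken from the thread: a plain page script and one
# whose call name and argument are assembled at runtime, so a raw regex for
# "eval(" or "alert(" never sees either token in the bytes on the wire.
BENIGN_JS = r"""
function showTotal(items) {
  var total = 0;
  for (var i = 0; i < items.length; i++) { total += items[i].price; }
  document.getElementById('total').innerText = 'Total: ' + total;
}
"""
OBFUSCATED_JS = r"""
var a = "\x65\x76" + "\x61\x6c"; var b = window[a];
b(unescape("%61%6c%65%72%74%28%27%68%69%27%29"));
var c = String.fromCharCode(100, 111, 99, 117, 109, 101, 110, 116);
"""

STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"' + "|" + r"'(?:[^'\\]|\\.)*'")
# decoder calls plus \xHH and %HH escapes (the %HH form will also fire on URLs)
ENCODED = re.compile(r"\b(?:unescape|fromCharCode)\b|\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}")
CONCAT = re.compile(r"""["']\s*\+\s*["']""")   # "..." + "..." string joins

def shannon_entropy(text):
    """Bits per character over the given text (0 for empty input)."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text)))

def features(js):
    # Stage-one statistics only: no parsing beyond literals, no execution.
    literals = [m.group(0)[1:-1] for m in STRING_LITERAL.finditer(js)]
    return {
        "encoded_tokens": len(ENCODED.findall(js)),
        "literal_concats": len(CONCAT.findall(js)),
        "literal_entropy": round(shannon_entropy("".join(literals)), 2),
        "longest_literal": max((len(s) for s in literals), default=0),
    }

def suspicion_score(js):
    f = features(js)
    score = min(f["encoded_tokens"], 10)       # cap so one blob does not dominate
    score += 2 * f["literal_concats"]
    score += 3 if f["literal_entropy"] > 3.0 else 0
    score += 2 if f["longest_literal"] > 30 else 0
    return score

def is_suspicious(js, threshold=5):
    # Candidates only; the reply hands these to an instrumented VM for the verdict.
    return suspicion_score(js) >= threshold
```

The benign script scores 0 and the assembled one scores well above the threshold, which is the cheap filter; the false-positive control the reply relies on comes from the second, replay stage, not from these numbers.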