IDS mailing list archives

Re: Obfuscated web pages


From: dxp <dxp2532 () gmail com>
Date: Fri, 29 Feb 2008 11:21:43 -0500

You forgot to mention another good signature "Javascript_NOOP_Sled".  It
used to provide decent detection about a year ago, now it's useless
against obfuscated code.
However, all these ISS Javascript script signatures have a very high
False Positive rate.  Since you work for IBM perhaps you can get this
across to the right people.

Strangely enough, current IDS vendors/devices are lagging behind in
providing adequate detection for various obfuscation methods used by the
most popular exploit toolkits.
On a practical note, it is relatively easy to create signatures to
detect these techniques, especially if one considers the unique
characteristics of each toolkit.
Although this will be a rather short-term solution, lasting only until those guys
modify the toolkits, the reality is that they (toolkit writers) tend
to copy each other's work rather than creating custom, unique solutions.

The bottom line is that it is good to collaborate and work on a long-term
solution, but failing to provide detection for the current threat
landscape is irresponsible.


On Mon, 2008-02-18 at 15:32 +0000, holly.stewart () us ibm com wrote: 
Hi, I work for IBM Internet Security Systems and was involved in the creation of the 2007 trend report.  I agree that 
the host is the place where you need to solve this problem.  De-obfuscating traffic as a network device certainly 
would have performance issues.  Someone had asked if the Proventia line had something to address this issue, so I 
thought I'd clear that up.  Our IPS products do have a handful of signatures that look for Javascript obfuscation 
(JavaScript_Unescape_Regex, JavaScript_Large_Unescape, JavaScript_Unescape_Obfuscation).


Also, I'd like to apologize for that marketing slick that touts our IPS as being a solution for Phishing.  Although 
there are ways you can get an IPS to address some issues related to phishing and spam, it is obviously not designed 
to be a wholesale solution for that kind of problem.... that's why we have a market for content (email/web) products! 
 I actually had a meeting a few weeks ago with the marketing folks to have that removed, so having someone make fun 
of it on this list is pretty timely. :)
-Holly


Holly Stewart

Product Manager, X-Force and XFTAS

IBM Internet Security Systems

Atlanta, GA
-- 

-=[ dxp ]=-
0xA3F3C6E3
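As an added illustration of the signature families both posts name (this is not code from the thread, from ISS, or from any vendor), the toy Python below implements assumed heuristics for large unescape literals, long runs of an identical %uXXXX unit, and unescape applied to a regex replace, and runs them over constructed samples; the long-but-legitimate literal shows the false-positive problem dxp raises. Thresholds and sample strings are my own assumptions.

```python
import re

# Added example, not from the thread or from ISS: toy heuristics named after the
# signature families mentioned in the posts. Thresholds below are assumptions.
UNESCAPE_LITERAL = re.compile(r'unescape\s*\(\s*(["\'])(.*?)\1\s*\)', re.S)
PERCENT_U_UNIT = re.compile(r'%u[0-9a-fA-F]{4}')
# unescape() applied to the output of a regex replace, e.g. unescape(x.replace(/X/g, "%"))
REGEX_THEN_UNESCAPE = re.compile(r'unescape\s*\(\s*[^)]*?\.replace\s*\(\s*/')

LARGE_LITERAL_LEN = 512   # assumed threshold for "large unescape"
SLED_RUN_LEN = 32         # assumed: same %uXXXX unit repeated this many times in a row


def analyze(script: str) -> dict:
    """Return which heuristics fire for one script body."""
    f = {"large_unescape": False, "noop_sled": False, "regex_unescape": False}
    for m in UNESCAPE_LITERAL.finditer(script):
        literal = m.group(2)
        if len(literal) >= LARGE_LITERAL_LEN:
            f["large_unescape"] = True
        units = PERCENT_U_UNIT.findall(literal)
        run = 1
        for prev, cur in zip(units, units[1:]):
            run = run + 1 if cur == prev else 1
            if run >= SLED_RUN_LEN:
                f["noop_sled"] = True
                break
    if REGEX_THEN_UNESCAPE.search(script):
        f["regex_unescape"] = True
    f["suspicious"] = any(f.values())
    return f


# Constructed samples (not captured traffic).
BENIGN_SMALL = 'var q = unescape("caf%E9%20bar");'
BENIGN_LARGE = 'var big = unescape("' + "%41" * 200 + '");'  # legitimate but long: false positive
SLED_LIKE = 'var s = unescape("' + "%u9090" * 40 + '%u1234%u5678");'
REGEX_OBF = "var p = 'XXu41XXu42'; eval(unescape(p.replace(/XX/g, '%')));"

if __name__ == "__main__":
    for name, src in [("benign_small", BENIGN_SMALL), ("benign_large", BENIGN_LARGE),
                      ("sled_like", SLED_LIKE), ("regex_obf", REGEX_OBF)]:
        print(name, analyze(src))
```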


