> Without this capability, it would seem that network based
> IDS/IPS is destined to digress to AV style malware
> signatures for malicious web server issues and that the only
> reliable place to do IDS/P would be on the host.
Signature-based IDS systems are exactly like AV systems, just network focussed. They are always going to be at least one step behind attackers. The specific issue of JavaScript obfuscation drives this point home quite well. IMO, it is unlikely that any IDS engine could implement the beast that is ECMAScript and all of its children and still be safe while reliably detecting attacks. It approaches issues similar to the halting problem.

tim
