Are any current network based IDS/P systems able to unwind
obfuscated web script to examine the final javascript product?
Others have noted that this isn't often attempted, but it should also be
mentioned that it *can't* be done generically for links of any
significant bandwidth. If the unwinding routine takes a tenth of a
second to run on a fast modern processor the web-browser user won't
notice at all. Your IDS, on the other hand, will fall over at 10
packets/second. As processors get faster, attackers will use more
complex unwinding routines to ensure the CPU load is prohibitive for an IDS.
Without this capability, it would seem that network based
IDS/IPS is destined to digress to AV style malware
signatures for malicious web server issues and that the only
reliable place to do IDS/P would be on the host.
As others have noted, both A/V and IDS are signature based detection
mechanisms, so that issue exists independent of the
obfuscation/unwinding issue.
Thanks,
Mike Lococo