On Thu, 2008-02-14 at 16:17 -0500, Gary Flynn wrote:
> Tim wrote:
> > The specific issue of JavaScript obfuscation drives this point home
> > quite well. IMO, it is unlikely that any IDS engine could implement
> > the beast that is ECMAScript and all of its children and still be safe
> > while reliably detecting attacks. It approaches issues similar to the
> > halting problem.
>
> I suspect that no vendors support this feature (actual code
> execution in some sort of sandbox) and I was just trying to
> verify it.

I would recommend checking out SpyProxy, presented at last year's USENIX Security. While it's not a commercial vendor-supported product and has its share of limitations, it does demonstrate that an inline execution-based IDS/IPS proxy may be feasible:

http://www.cs.washington.edu/homes/tbragin/spyproxy.pdf

Regards,
Jon Oberheide

--
Jon Oberheide <[EMAIL PROTECTED]>
GnuPG Key: 1024D/F47C17FE
Fingerprint: B716 DA66 8173 6EDD 28F6 F184 5842 1C89 F47C 17FE
