On Thu, 2008-02-14 at 16:17 -0500, Gary Flynn wrote:
> Tim wrote:
> > The specific issue of JavaScript obfuscation drives this point home
> > quite well. IMO, it is unlikely that any IDS engine could implement
> > the beast that is ECMAScript and all of its children and still be safe
> > while reliably detecting attacks. It approaches issues similar to the
> > halting problem.
>
> I suspect that no vendors support this feature ( actual code
> execution in some sort of sandbox ) and I was just trying to
> verify it.

Also on Thu, 2008-02-14 at 16:05 -0500, Gary Flynn wrote:
> Libershal, David M. wrote:
> > The TippingPoint IPS has 8 filters that deal with obfuscated code - 4 for
> > http packets and 2 for SMTP traffic.
>
> I've seen signatures in other products that detect standard
> encodings of things like shellcode. Is this what it is
> doing?

Oddly enough, I just published a paper on shellcode encoding for
evading network security/monitoring systems that cites two different
projects that attempt to do this type of thing for shellcode in
real-time in a sandbox environment, however they both were not ID/PS
systems:

http://www.uninformed.org/?v=9&a=3&t=sumry

--
Dustin D. Trammell
Security Researcher
BreakingPoint Systems, Inc.
