You forgot to mention another good signature "Javascript_NOOP_Sled". It used to provide decent detection about a year ago, now it's useless against obfuscated code. However, all these ISS Javascript script signatures have a very high False Positive rate. Since you work for IBM perhaps you can get this across to the right people.
Strangely enough, current IDS vendors/devices are lagging behind in providing adequate detection for the various obfuscation methods used by the most popular exploit toolkits. On a practical note, it is relatively easy to create signatures to detect these techniques, especially if one considers the unique characteristics of each toolkit. Although this will be a rather short-term solution until those guys modify the toolkits, the reality is that they (toolkit writers) tend to copy each other's work rather than creating custom, unique solutions. Bottom line is, it is good to collaborate and work on a long-term solution, but failing to provide detection for the current threat landscape is irresponsible.

On Mon, 2008-02-18 at 15:32 +0000, [EMAIL PROTECTED] wrote:
> Hi, I work for IBM Internet Security Systems and was involved in the creation
> of the 2007 trend report. I agree that the host is the place where you need
> to solve this problem. De-obfuscating traffic as a network device certainly
> would have performance issues. Someone had asked if the Proventia line had
> something to address this issue, so I thought I'd clear that up. Our IPS
> products do have a handful of signatures that look for Javascript obfuscation
> (JavaScript_Unescape_Regex, JavaScript_Large_Unescape,
> JavaScript_Unescape_Obfuscation).
>
> Also, I'd like to apologize for that marketing slick that touts our IPS as
> being a solution for Phishing. Although there are ways you can get an IPS to
> address some issues related to phishing and spam, it is obviously not
> designed to be a wholesale solution for that kind of problem.... that's why
> we have a market for content (email/web) products! I actually had a meeting
> a few weeks ago with the marketing folks to have that removed, so having
> someone make fun of it on this list is pretty timely. :)
>
> -Holly
>
> Holly Stewart
> Product Manager, X-Force and XFTAS
> IBM Internet Security Systems
> Atlanta, GA

--
-=[ dxp ]=- 0xA3F3C6E3
