Focus on IDS
Re: Obfuscated web pages Feb 29 2008 04:21PM
dxp (dxp2532 gmail com) (1 replies)
Re: Obfuscated web pages Mar 01 2008 10:45PM
Stefano Zanero (zanero elet polimi it)
dxp wrote:
> You forgot to mention another good signature "Javascript_NOOP_Sled". It
> used to provide decent detection about a year ago, now it's useless
> against obfuscated code.

And it was very easy to guess it would end like this.

Generic "shellcode" signatures worked only as long as the bad guys
didn't get the point that they were substantially useless. Javascript is
going down the same route. Amazing how things never change and how we
love getting fscked always in the same way :)

> However, all these ISS Javascript script signatures have a very high
> False Positive rate. Since you work for IBM perhaps you can get this
> across to the right people.

You cannot really do them "right", because the fewer false positives you
generate, the fewer true positives you hit. You are better off just
disabling such sigs.

My .02 EUR (which is close to .03 USD these days)
Stefan

Copyright 2007, SecurityFocus