Focus on IDS
CSLID evasion - Client protection Mar 25 2009 02:40PM
Ravi Chunduru (ravi is chunduru gmail com) (2 replies)
RE: CSLID evasion - Client protection Mar 25 2009 06:07PM
Addepalli Srini-B22160 (saddepalli freescale com) (1 replies)
Re: CSLID evasion - Client protection Mar 26 2009 12:31AM
Stuart Staniford (sstaniford FireEye com)

On Mar 25, 2009, at 11:07 AM, Addepalli Srini-B22160 wrote:

> Hi Ravi,
>
> Regular expression based matching (however good they are) on raw data
> does not work in these cases. There are too many variations that are
> possible. You gave one example. But many more are possible as
> javascript
> is a programming language and there are many ways to create a string.
>
> Some support is required in the network devices to decode HTML pages
> and
> java scripts to normalize the data before analyzing rules. I am not
> aware of any IDP device in the market today that does java script and
> HTML page analysis.

We (FireEye) do :-)

Our device is not a general purpose IDS, but, in it's main mode of
use, is oriented to detecting both callbacks of bots, and web-based
installation of bots by drive-by downloads (by monitoring egress
network links). For a typical enterprise, most desktop compromises
are now occurring as a result of the web so this is a fairly useful
set of functionality.

The latter (infection-detection) functionality is pretty new. We do a
two stage analysis - in the first stage, we do a fast parse of the
HTML and Javascript and use a variety of statistical anomaly
techniques to decide that it's suspicious (eg it's clearly
obfuscated). The suspicious stuff is then replayed to an actual
browser/OS/set of plugins in an instrumented virtual machine. That
makes the final decision (which eliminates the false positive problems
that otherwise plague statistical anomaly detection techniques). We
have 6-12 VMs running at all times in the appliance on whatever looks
most suspicious right then.

Stuart Staniford
Chief Scientist, FireEye.

[ reply ]
Re: CSLID evasion - Client protection Mar 25 2009 05:34PM
Stuart Staniford (sstaniford FireEye com)


 

Privacy Statement
Copyright 2010, SecurityFocus