[Dshield] Filtering javascript

Paul Melson pmelson at gmail.com
Wed Jun 13 14:44:44 GMT 2007


> I'm curious to know what you both are using as well; how do such
> detection/blocking methods fare against obfuscation techniques such as VoMM
> (http://aviv.raffon.net/2006/10/15/VoMMTakingBrowserExploitsToTheNextLevel.aspx)


I'm using Snort with Bleeding Rules (http://www.bleedingsnort.com/).  As for
using the methods described in Aviv's article to hide browser exploits: the
purpose of these signatures is not to identify individual exploits, but to
find 'shady' JavaScript/VBScript code that may be used to hide an exploit.
So would these IDS signatures do better than your AV client?  Hopefully.
Would they identify specific exploits?  No.  Would they detect or block
scripts that aren't hiding an exploit?  Probably, but based on my
experience, that's OK.  I hate ads anyway.

I have our SIM isolate these alerts for me, so I have the list of sid values
handy:

Bleeding Rules:
2001101
2001105
2001106
2003207
2003400
2003401
2003402
2003403
2002786
2002787
2001811
2001095

Sourcefire Rules:
1840
8058
1667
1082
7071


PaulM
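As an added illustration of the approach the reply describes (flagging script constructs commonly used to hide an exploit, rather than matching any particular exploit), here is a small content scorer. It is not code from the post or from the Bleeding/Sourcefire rule sets: the regexes are this example's own heuristics, not the bodies of the SIDs listed, and the three sample scripts are constructed.

```python
import re

# Heuristics for "shady" script constructs of the kind generic IDS rules look for.
# ASSUMPTION: these are this example's own patterns, not the text of any listed SID.
INDICATORS = {
    # eval() fed directly by a decoder: eval(unescape(...)), eval(String.fromCharCode(...))
    "eval_wrapping_decoder": re.compile(
        r"eval\s*\(\s*(?:unescape|String\.fromCharCode|atob)\s*\(", re.I),
    # a long comma-separated numeric list handed to String.fromCharCode
    "fromcharcode_long_list": re.compile(
        r"String\.fromCharCode\s*\((?:\s*\d+\s*,){20,}", re.I),
    # long runs of %uXXXX escapes (typical of unescape()-decoded payloads)
    "unicode_escape_run": re.compile(r"(?:%u[0-9a-f]{4}){16,}", re.I),
    # long runs of \xNN escapes inside a string literal
    "hex_escape_run": re.compile(r"(?:\\x[0-9a-f]{2}){16,}", re.I),
    # document.write(unescape(...)) - common in obfuscated loaders AND in ad scripts
    "write_unescape": re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I),
}


def score_script(src: str) -> dict:
    """Return the indicator names that match plus a coarse verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    return {"hits": hits, "suspicious": bool(hits)}


# Constructed samples (not real captures).
OBFUSCATED = "var s = '" + "%u4141" * 20 + "'; eval(unescape(s));"
AD_LIKE = ("document.write(unescape('%3Cscript src=%22http://ads.example/a.js"
           "%22%3E%3C/script%3E'));")
PLAIN = "function add(a, b) { return a + b; }"

if __name__ == "__main__":
    for label, sample in (("obfuscated", OBFUSCATED), ("ad-like", AD_LIKE), ("plain", PLAIN)):
        print(label, score_script(sample))
```

The ad-like sample trips the same heuristic as a real loader, which is exactly the kind of false positive the reply accepts as the cost of catching hidden exploits.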


