RE: CSLID evasion - Client protection
- From: "Addepalli Srini-B22160" <saddepalli@xxxxxxxxxxxxx>
- Date: Wed, 25 Mar 2009 11:07:33 -0700
Hi Ravi,
Regular-expression-based matching (however good the expressions are) on raw data
does not work in these cases. There are too many variations that are
possible. You gave one example, but many more are possible, as JavaScript
is a programming language and there are many ways to create a string.
Some support is required in the network devices to decode HTML pages and
JavaScript to normalize the data before analyzing rules. I am not
aware of any IDP device in the market today that does JavaScript and
HTML page analysis. Eventually, they need to if they claim to provide
client protection. It would be interesting to see the processing
requirements to do this kind of deep data analysis.
Srini
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Ravi Chunduru
Sent: Wednesday, March 25, 2009 7:41 AM
To: Focus-Ids Mailing List
Subject: CSLID evasion - Client protection
In many cases, ActiveX CLSID is sent in HTML pages as a simple string
such as
CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766
To evade detection by intermediate security devices, CLSID information
can be sent as JavaScript which looks like this:
<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
****Evasion***
xyz = object1.CreateObject(....)
....
The above evasion can have any combination of characters.
How can one go about writing rules to detect these evasions? Is
PCRE good enough for this? I thought that it can't be done by PCRE
expressions and it requires some code support in IDP sensors. What do
you think?
Thanks
Ravi
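The normalization step Srini describes, applied to the string-concatenation evasion from Ravi's post: an added example (not code from either poster or from any IDP product) that folds chains of adjacent JavaScript string literals into one literal before running the CLSID rule, so the same rule that misses the raw page hits the normalized one. The sample page and the rule pattern are constructed from the CLSID in the post.

```python
import re

# Constructed samples: the plain form and the evasive form from the post.
PLAIN = 'CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766'
EVASIVE = '''<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
</script>'''

# The rule a sensor would carry for this one CLSID (hex is case-insensitive).
CLSID_RULE = re.compile(r'CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766', re.IGNORECASE)

# One JavaScript string literal: single- or double-quoted, with backslash escapes.
_LITERAL = r'''(?:"(?:[^"\\]|\\.)*"|'(?:[^'\\]|\\.)*')'''
# Two or more literals joined by '+', whitespace (including newlines) allowed.
_CONCAT = re.compile(_LITERAL + r'(?:\s*\+\s*' + _LITERAL + r')+')


def _unquote(lit):
    # Drop the quotes and resolve escaped quotes/backslashes; other escapes
    # are left untouched. The output is for rule matching, not valid JS.
    return re.sub(r'\\(["\'\\])', r'\1', lit[1:-1])


def normalize_js_strings(text):
    """Fold every chain of literal '+' concatenation into a single literal.

    This only covers literal concatenation, i.e. any split of the string into
    quoted pieces. Strings built from variables, fromCharCode, or runtime
    calls need a real JavaScript interpreter, which is Srini's point.
    """
    def fold(m):
        parts = re.findall(_LITERAL, m.group(0))
        return '"' + ''.join(_unquote(p) for p in parts) + '"'
    return _CONCAT.sub(fold, text)


def matches_raw(text):
    """Rule applied to the raw bytes, as a PCRE-only sensor would."""
    return CLSID_RULE.search(text) is not None


def matches_normalized(text):
    """Rule applied after string normalization."""
    return CLSID_RULE.search(normalize_js_strings(text)) is not None
```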
- Follow-Ups:
- Re: CSLID evasion - Client protection
- From: Stuart Staniford
- Re: CSLID evasion - Client protection
- References:
- CSLID evasion - Client protection
- From: Ravi Chunduru
- CSLID evasion - Client protection