Snort mailing list archives
revealing obfuscated JS fromCharCode
From: Stephane Chazelas <stephane.chazelas () gmail com>
Date: Thu, 15 Mar 2012 16:24:35 +0000
Hiya,

This perl code:

    s/[" ']//g;s/;\w+=\w+\+//g;s/\+//g

Seems to do quite a good job at revealing the obfuscated fromCharCode and other found in obfuscated exploits related to BlackHole exploit kits for instance as in:

    $ cat a
    {zz='eva'+'l';ss=[];if(1){f='fr'+'om'+'Char';f=f+'C'+'ode';}
    $ perl -l -0777 -ne 'print for BEFORE, /fromCharCode|parseInt/g; s/[" '\'']//g;s/;\w+=\w+\+//g;s/\+//g;print for AFTER, /fromCharCode|parseInt/g' < a
    BEFORE
    AFTER
    fromCharCode

I'm quite new to snort. Is there any way to do the same in snort? That is preprocess JS/HTML data to do something similar before looking for fromCharCode or any JS function that exploits often try to hide?

--
Stephane
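The three substitutions from the message above, ported to Python as an added example (not part of the original post), reporting only the names that show up after normalization but are absent from the raw text. The `eval` and `unescape` entries and the second and third samples are assumptions constructed for illustration.

```python
import re

# Names that obfuscated scripts tend to hide. The first two come from the
# post; "eval" and "unescape" are assumptions added for this example.
SUSPICIOUS = ("fromCharCode", "parseInt", "eval", "unescape")
_NAMES = re.compile("|".join(SUSPICIOUS))

# The post's three substitutions, applied in the same order.
_STEPS = (
    re.compile(r"""[" ']"""),   # s/[" ']//g        drop quotes and spaces
    re.compile(r";\w+=\w+\+"),  # s/;\w+=\w+\+//g   drop ";f=f+" self-appends
    re.compile(r"\+"),          # s/\+//g           join remaining fragments
)


def normalize(js):
    """Return js with the three substitutions applied."""
    for step in _STEPS:
        js = step.sub("", js)
    return js


def revealed(js):
    """Names absent from the raw text but present after normalization."""
    before = set(_NAMES.findall(js))
    after = set(_NAMES.findall(normalize(js)))
    return sorted(after - before)


# Constructed samples: the first is the file "a" shown in the post, the
# other two are benign scripts that use the same names openly.
SAMPLES = {
    "post_sample": "{zz='eva'+'l';ss=[];if(1){f='fr'+'om'+'Char';f=f+'C'+'ode';}",
    "plain_call": "var c = String.fromCharCode(72, 105);",
    "arithmetic": "var total = price + tax; var n = parseInt(s, 10);",
}

if __name__ == "__main__":
    for name, js in SAMPLES.items():
        print(name, revealed(js))
```

Comparing the raw and normalized matches is what keeps scripts that call these functions openly from being flagged; only names assembled from string fragments are reported.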