Snort mailing list archives

revealing obfuscated JS fromCharCode


From: Stephane Chazelas <stephane.chazelas () gmail com>
Date: Thu, 15 Mar 2012 16:24:35 +0000

Hiya,

This perl code:

s/[" ']//g;s/;\w+=\w+\+//g;s/\+//g

Seems to do quite a good job at revealing the obfuscated
fromCharCode and others found in obfuscated exploits related
to BlackHole exploit kits, for instance as in:

$ cat a
{zz='eva'+'l';ss=[];if(1){f='fr'+'om'+'Char';f=f+'C'+'ode';}
$ perl -l -0777 -ne 'print for BEFORE, /fromCharCode|parseInt/g; s/[" '\'']//g;s/;\w+=\w+\+//g;s/\+//g;print for AFTER, /fromCharCode|parseInt/g' < a
BEFORE
AFTER
fromCharCode

I'm quite new to snort. Is there any way to do the same in
snort? That is preprocess JS/HTML data to do something similar
before looking for fromCharCode or any JS function that exploits
often try to hide?

-- 
Stephane
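The three substitutions from the one-liner above, rewritten as a standalone Python check so the before/after comparison can be run on any buffer. This is an added illustration, not code from Stephane's post or from Snort. The two inputs are constructed: the first copies the shape of the sample above, the second (split across two variables) is assumed here to show where the heuristic stops working; the search pattern also includes eval, which the original regex did not.

```python
import re

# Constructed sample in the shape of the post's example (hypothetical, not a real kit sample).
SAMPLE_JS = "{zz='eva'+'l';ss=[];if(1){f='fr'+'om'+'Char';f=f+'C'+'ode';}"

# Constructed variant: the name is built from two different variables, so the
# ";name=name+" rule never fires and the pieces stay apart (assumed, for illustration).
SPLIT_VAR_JS = "f='fromChar';g='Code';h=f+g;"

# Functions exploits usually try to hide; 'eval' added beyond the original regex.
SUSPECT = re.compile(r"fromCharCode|parseInt|eval")


def normalize(js: str) -> str:
    """Same three substitutions as the perl one-liner, in order:
    1. drop double quotes, single quotes and spaces,
    2. drop ';name=name+' reassignments that spread one string over statements,
    3. drop the remaining '+' concatenation operators."""
    js = re.sub(r"[\" ']", "", js)
    js = re.sub(r";\w+=\w+\+", "", js)
    js = re.sub(r"\+", "", js)
    return js


def find_suspect(js: str) -> list:
    """All suspect function names visible in the buffer as written."""
    return SUSPECT.findall(js)


def before_after(js: str) -> tuple:
    """(matches in the raw buffer, matches after normalisation), like the
    BEFORE/AFTER lines of the one-liner."""
    return find_suspect(js), find_suspect(normalize(js))


if __name__ == "__main__":
    for label, src in (("sample", SAMPLE_JS), ("split-var", SPLIT_VAR_JS)):
        before, after = before_after(src)
        print(label, "BEFORE", before, "AFTER", after)
        print("   normalized:", normalize(src))
```

On the first sample the raw buffer contains nothing, while the normalised one contains eval and fromCharCode; on the second, the reassignment rule eats ";h=f+" and leaves "Codeg", so nothing is found either way. Because the substitutions are lossy the result is only useful as a pre-match signal, not as proof that a buffer is clean.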
