IDS mailing list archives

RE: CSLID evasion - Client protection


From: "Addepalli Srini-B22160" <saddepalli () freescale com>
Date: Wed, 25 Mar 2009 11:07:33 -0700

Hi Ravi,

Regular expression based matching (however good they are) on raw data
does not work in these cases. There are too many variations that are
possible. You gave one example. But many more are possible as JavaScript
is a programming language and there are many ways to create a string.

Some support is required in the network devices to decode HTML pages and
JavaScript to normalize the data before analyzing rules. I am not
aware of any IDP device in the market today that does JavaScript and
HTML page analysis. Eventually, they need to if they claim to provide
client protection. It would be interesting to see the processing
requirements to do this kind of deep data analysis.

Srini



-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Ravi Chunduru
Sent: Wednesday, March 25, 2009 7:41 AM
To: Focus-Ids Mailing List
Subject: CSLID evasion - Client protection

In many cases, ActiveX CLSID is sent in HTML pages as a simple string
such as

CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766

To evade detection by intermediate security devices, CLSID information
can be sent as JavaScript which looks like this:

<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
****Evasion***
xyz = object1.CreateObject(....)
....

The above evasion can have any combination of characters.

How can one go about writing rules to detect these evasions?  Is
PCRE good enough for this? I thought that it can't be done by PCRE
expressions and it requires some code support in IDP sensors.  What do
you think?


Thanks
Ravi
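
The normalization step discussed in this thread, as an added example that is not part of the original messages: a sensor-side pass that folds string-literal concatenation in script text before the CLSID rule is applied. The names foldConcats, detect, SIGNATURE and SAMPLE are assumptions made for this sketch.

```javascript
// Added example: fold "a" + "b" string-literal concatenation, then apply the rule.
// Signature for the CLSID quoted in the post (hex digits may vary in case).
const SIGNATURE = /CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766/i;

// The script fragment from the post (attribute call only).
const SAMPLE = `var object1=document.createElement('object');
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");`;

// One string literal, single or double quoted, with backslash escapes.
const LITERAL = String.raw`"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*'`;
// Two literals joined by + (whitespace or newlines allowed around it).
const CONCAT = new RegExp(`(${LITERAL})\\s*\\+\\s*(${LITERAL})`);

// Decode a literal's body: \xNN, \uNNNN and single-character escapes.
function unquote(lit) {
  return lit.slice(1, -1).replace(
    /\\(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4})|(.))/g,
    (_, x, u, c) => (x || u)
      ? String.fromCharCode(parseInt(x || u, 16))
      : ({ n: "\n", t: "\t", r: "\r" }[c] ?? c));
}

// Merge adjacent literal pairs until none remain; the merged value is
// re-emitted as a double-quoted literal so the text stays parseable.
function foldConcats(script) {
  let prev;
  do {
    prev = script;
    script = script.replace(CONCAT,
      (_, a, b) => JSON.stringify(unquote(a) + unquote(b)));
  } while (script !== prev);
  return script;
}

// Apply the same signature to the raw bytes and to the normalized text.
function detect(script) {
  return {
    raw: SIGNATURE.test(script),
    normalized: SIGNATURE.test(foldConcats(script)),
  };
}
```

This pass only handles concatenation of string literals; strings built any other way still need the script decoding support asked for in the reply above.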




