IDS mailing list archives
RE: CSLID evasion - Client protection
From: "Addepalli Srini-B22160" <saddepalli () freescale com>
Date: Wed, 25 Mar 2009 11:07:33 -0700
Hi Ravi,

Regular expression based matching (however good they are) on raw data does not work in these cases. There are too many variations that are possible. You gave one example, but many more are possible, as JavaScript is a programming language and there are many ways to create a string. Some support is required in the network devices to decode HTML pages and JavaScript to normalize the data before analyzing rules.

I am not aware of any IDP device in the market today that does JavaScript and HTML page analysis. Eventually, they need to if they claim to provide client protection. It would be interesting to see the processing requirements to do this kind of deep data analysis.

Srini

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ravi Chunduru
Sent: Wednesday, March 25, 2009 7:41 AM
To: Focus-Ids Mailing List
Subject: CSLID evasion - Client protection

In many cases, ActiveX CLSID is sent in HTML pages as a simple string such as

    CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766

To evade detection by intermediate security devices, CLSID information can be sent as JavaScript which looks like this:

    <script>
    var object1=document.createElement('object');
    object1.setAttribute("CLSID", "C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");   ****Evasion***
    xyz = object1.CreateObject(....)
    ....

The above evasion can have any combination of characters. How can one go about writing rules to detect these evasions? Is PCRE good enough for this? I thought that it can't be done by PCRE expressions and it requires some code support in IDP sensors. What do you think?

Thanks
Ravi
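A defender-side illustration of Srini's point, added here and not part of the thread: a minimal normalizer that folds constant string concatenation in script text before a CLSID rule runs, so the same pattern that matches the plain form also matches Ravi's concatenated form. The inputs are constructed from the example in Ravi's message; the regex, function names and the limited escape handling are assumptions of this example, not the behaviour of any product.

```python
import re

CLSID_RE = re.compile(
    r"CLSID:\{?[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}?", re.I)
QUOTES = "\"'"; WS = " \t\r\n"

def _read_literal(s, i):
    """Read a JS string literal starting at the quote s[i]; return (value, index after it)."""
    quote, buf, i = s[i], [], i + 1
    while i < len(s) and s[i] != quote:
        if s[i] == "\\" and i + 1 < len(s):          # only \\ \" \' are unescaped here
            buf.append(s[i + 1] if s[i + 1] in "\\\"'" else s[i:i + 2]); i += 2
        else:
            buf.append(s[i]); i += 1
    return "".join(buf), i + 1                         # skip the closing quote

def fold_concatenation(script):
    """Rewrite chains of constant string literals joined by '+' as one literal.
    Deliberately small normalizer: variables, calls and encodings are not folded."""
    out, i, n = [], 0, len(script)
    while i < n:
        if script[i] not in QUOTES:
            out.append(script[i]); i += 1
            continue
        value, i = _read_literal(script, i)
        while True:                                    # absorb "+ <literal>" repeats
            j = i
            while j < n and script[j] in WS: j += 1
            if j < n and script[j] == "+":
                k = j + 1
                while k < n and script[k] in WS: k += 1
                if k < n and script[k] in QUOTES:
                    more, i = _read_literal(script, k)
                    value += more
                    continue
            break
        out.append('"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"')
    return "".join(out)

def find_clsids(payload, normalize=True):
    """Return the CLSIDs a rule would see, with or without the normalization step."""
    text = fold_concatenation(payload) if normalize else payload
    return [m.group(0).upper() for m in CLSID_RE.finditer(text)]

# Constructed inputs: the plain form and the concatenated form from the thread.
RAW_HTML = '<object classid="CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766"></object>'
EVASIVE_JS = ("<script>\nvar object1=document.createElement('object');\n"
              'object1.setAttribute("CLSID", "C"+"L"+"S"+"ID:"+"06723E09-F"'
              '+"4C2-43c8-835d-09FCD1DB0766");\n</script>')
```

Running find_clsids(EVASIVE_JS, normalize=False) returns nothing, which is the raw-data miss Srini describes; with normalization the same rule reports the CLSID, at the cost of decoding script text on the sensor.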
Current thread:
- CSLID evasion - Client protection Ravi Chunduru (Mar 25)
- Re: CSLID evasion - Client protection Stuart Staniford (Mar 25)
- RE: CSLID evasion - Client protection Addepalli Srini-B22160 (Mar 25)
- Re: CSLID evasion - Client protection Stuart Staniford (Mar 26)
- <Possible follow-ups>
- Re: CSLID evasion - Client protection ushacker20002001 (Mar 25)