[Snort-sigs] encoded Javascript not being detected

Joseph Gama josephgama at ...144...
Tue Aug 10 16:20:02 EDT 2004


Hi,

I ran some tests and here are my conclusions:

Problem: Some encoding might be used to hide
Javascript code from being detected

The following examples are all identical but encoded
differently:
<IMG src="javascript:alert(123);">
<IMG
src="javascript:%61%6C%65%72%74%28%31%32%33%29%3B">
<IMG
src="javascript:&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#50;&#51;&#41;&#59;">
<IMG
src="javascript:&#x0061;&#x006C;&#x0065;&#x0072;&#x0074;&#x0028;&#x0031;&#x0032;&#x0033;&#x0029;&#x003B;">

This rule should detect alert(123) for demonstrative
purposes only:

alert tcp any any -> any any (msg:"alert(123) found";
content:"alert(123)"; nocase; classtype:misc-activity;
sid:99999; rev:1;)

The rule works fine for alert(123) and
%61%6C%65%72%74%28%31%32%33%29%3B
However, it won't detect the others.

I can have a rule to detect the third case like this:
alert tcp any any -> any any (msg:"alert(123)#### found";
content:"&#97\;&#108\;&#101\;&#114\;&#116\;&#40\;&#49\;&#50\;&#51\;&#41\;&#59\;";
nocase; classtype:misc-activity; sid:99999; rev:1;)

But, in order to detect a mix of the four different
encodings, each rule would need PCRE with plenty of
|'s and it would be necessary to change existing rules
too. That is not the best solution. Which preprocessor
does this change?

Peace,

Joseph Gama
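The failure the post describes is a plain byte match running against text that has not been decoded first. The following is an added example, not code from the post or from Snort: it feeds the four IMG tags above (the third one in the decimal-entity form the second rule matches on) through a decoder that collapses percent-encoding and HTML numeric references until nothing changes, then applies the same case-insensitive alert(123) match both before and after decoding. The MIXED payload, an entity that is itself percent-encoded, is a constructed extra case to show why a single decoding pass is not enough. The percent-encoded tag shows as "not matched" in the raw column here because this matcher does no HTTP normalization of its own; the post reports that form being caught, which is what a decode stage in front of the matcher gives you.

```python
"""Decode layered web encodings before content matching.

Added example: a normalizer in front of a content match, so one pattern
covers the plain, percent-encoded, decimal-entity and hex-entity forms
of alert(123) instead of one rule per encoding.
"""
import html
import re
from urllib.parse import unquote

# Constructed sample input: the four IMG tags from the post, all carrying
# the same javascript: URL under different encodings.
SAMPLES = [
    '<IMG src="javascript:alert(123);">',
    '<IMG src="javascript:%61%6C%65%72%74%28%31%32%33%29%3B">',
    '<IMG src="javascript:&#97;&#108;&#101;&#114;&#116;&#40;&#49;&#50;&#51;&#41;&#59;">',
    '<IMG src="javascript:&#x0061;&#x006C;&#x0065;&#x0072;&#x0074;'
    '&#x0028;&#x0031;&#x0032;&#x0033;&#x0029;&#x003B;">',
]

# Constructed extra case: HTML entities that are themselves percent-encoded
# (%26%23x61%3B decodes to &#x61;, which then decodes to "a").
MIXED = '<IMG src="javascript:%26%23x61%3Blert%26%2340%3B123&#x29;;">'

# The match the post's first rule expresses: content:"alert(123)"; nocase;
PATTERN = re.compile(r"alert\(123\)", re.IGNORECASE)


def normalize(payload: str, max_rounds: int = 4) -> str:
    """Apply percent-decoding and HTML reference decoding repeatedly until
    the text stops changing, so nested encodings collapse to plain text.
    The round cap keeps pathological input from looping forever."""
    current = payload
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(current))
        if decoded == current:
            break
        current = decoded
    return current


def matches_raw(payload: str) -> bool:
    """Byte-for-byte match with no decoding, like a bare content: keyword."""
    return PATTERN.search(payload) is not None


def matches_normalized(payload: str) -> bool:
    """Same match, applied after the decode stage."""
    return PATTERN.search(normalize(payload)) is not None


def classify(payloads):
    """Return (raw_hit, normalized_hit) for each payload."""
    return [(matches_raw(p), matches_normalized(p)) for p in payloads]


if __name__ == "__main__":
    for tag, (raw, norm) in zip(SAMPLES + [MIXED], classify(SAMPLES + [MIXED])):
        print(f"raw={raw!s:5} normalized={norm!s:5}  {tag}")
```

Only the first tag is caught without decoding; all four, and the doubly-encoded one, are caught after it. The single content match survives unchanged, which is the point: the encoding variants are a normalization problem, not something to multiply into every rule as PCRE alternations.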

