[Snort-users] revealing obfuscated JS fromCharCode

Stephane Chazelas
Thu Mar 15 12:24:35 EDT 2012


This Perl code:

s/[" ']//g;s/;\w+=\w+\+//g;s/\+//g

seems to do quite a good job at revealing the obfuscated
fromCharCode and others found in obfuscated exploits related
to BlackHole exploit kits, for instance as in:

$ cat a
$ perl -l -0777 -ne 'print for BEFORE, /fromCharCode|parseInt/g; s/[" '\'']//g;s/;\w+=\w+\+//g;s/\+//g;print for AFTER, /fromCharCode|parseInt/g' < a

I'm quite new to Snort. Is there any way to do the same in
Snort? That is, preprocess JS/HTML data to do something similar
before looking for fromCharCode or any JS function that exploits
often try to hide?
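
Added example, not part of the original post: a Python port of the three substitutions above, run stage by stage over a constructed one-line sample so the effect of each step on the fromCharCode|parseInt search is visible. The sample string and the names normalize, trace and keyword_hits are assumptions made for this illustration.

```python
import re

# Constructed sample, not taken from the post: one line of JavaScript that
# assembles sensitive names from fragments so a plain search misses them.
SAMPLE = ('var s = "fromCh"; s = s + "arC" + "ode"; '
          'var p = "par"; p = p + "seI" + "nt";')

# The three substitutions from the Perl one-liner, applied in the same order.
STEPS = (
    (re.compile(r"""[" ']"""), "strip quotes and spaces"),
    (re.compile(r";\w+=\w+\+"), "drop ';name=name+' continuation prefixes"),
    (re.compile(r"\+"), "drop remaining concatenation operators"),
)
KEYWORDS = re.compile(r"fromCharCode|parseInt")


def trace(js):
    """Return [(purpose, text after that step), ...] for each substitution."""
    stages = []
    for pattern, purpose in STEPS:
        js = pattern.sub("", js)
        stages.append((purpose, js))
    return stages


def normalize(js):
    """Return a lossy, match-only view of js; the result is not valid JavaScript."""
    return trace(js)[-1][1]


def keyword_hits(js):
    """Return (hits in the raw text, hits after normalization)."""
    return KEYWORDS.findall(js), KEYWORDS.findall(normalize(js))


if __name__ == "__main__":
    for purpose, text in trace(SAMPLE):
        print(f"{purpose}: {text}")
    before, after = keyword_hits(SAMPLE)
    print("BEFORE", before)
    print("AFTER ", after)
```

The normalized text is only good for keyword matching: the substitutions delete code as well as noise, so matches should be reported against the original data.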


