Hi Ravi,

Regular-expression-based matching (however good it is) on raw data does not work in these cases. There are too many variations that are possible. You gave one example, but many more are possible, as JavaScript is a programming language and there are many ways to create a string.

Some support is required in the network devices to decode HTML pages and JavaScript to normalize the data before analyzing rules. I am not aware of any IDP device on the market today that does JavaScript and HTML page analysis. Eventually, they will need to if they claim to provide client protection. It would be interesting to see the processing requirements to do this kind of deep data analysis.

Srini

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Ravi Chunduru
Sent: Wednesday, March 25, 2009 7:41 AM
To: Focus-Ids Mailing List
Subject: CLSID evasion - Client protection

In many cases, the ActiveX CLSID is sent in HTML pages as a simple string such as

CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766

To evade detection by intermediate security devices, the CLSID information can be sent as JavaScript which looks like this:

<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID", "C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");   ****Evasion***
xyz = object1.CreateObject(....)
....

The above evasion can have any combination of characters. How can one go about writing rules to detect these evasions? Is PCRE good enough for this? I thought that it can't be done by PCRE expressions and that it requires some code support in IDP sensors. What do you think?

Thanks,
Ravi
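The following is an added example, not code from either poster. It shows concretely why a PCRE rule run over the raw bytes misses the concatenated-CLSID trick from Ravi's message, and what the minimal "decode before matching" step that Srini describes looks like: a small constant folder that decodes string-literal escapes, folds `"a"+"b"` concatenations and collapses `String.fromCharCode(...)` calls with numeric arguments, and only then applies the CLSID pattern. The CLSID pattern, the sample inputs and the folder itself are all constructed for this illustration; the folder is deliberately not a JavaScript interpreter, and the last sample shows a variant it cannot recover.

```javascript
// Added example: raw-bytes CLSID rule vs. the same rule after a small
// JavaScript string-constant normaliser. Not from the original thread.

// Illustrative rule: "CLSID:" followed by a GUID in 8-4-4-4-12 hex form.
const CLSID_RE =
  /CLSID:\s*[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}/i;

// The raw-bytes detector Ravi describes: fast, but blind to any obfuscation.
function naiveDetect(raw) {
  return CLSID_RE.test(raw);
}

// Decode the body of a JS string literal: \xHH, \uHHHH and common escapes.
function decodeEscapes(body) {
  const simple = { n: '\n', r: '\r', t: '\t', '0': '\0' };
  return body.replace(/\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)/g, (m, e) => {
    if (e[0] === 'x' || e[0] === 'u') return String.fromCharCode(parseInt(e.slice(1), 16));
    return e in simple ? simple[e] : e; // \" \' \\ fall through to the bare char
  });
}

// One string literal: "..." or '...', with backslash escapes.
const LIT = String.raw`(?:"(?:\\.|[^"\\])*"|'(?:\\.|[^'\\])*')`;
const LIT_RE = new RegExp(LIT, 'g');
// Two adjacent literals joined by '+', with optional whitespace.
const CONCAT_RE = new RegExp(`(${LIT})\\s*\\+\\s*(${LIT})`);
// String.fromCharCode(65, 0x42, ...) with only numeric arguments.
const FROMCC_RE =
  /String\.fromCharCode\(\s*((?:0x[0-9a-fA-F]+|\d+)(?:\s*,\s*(?:0x[0-9a-fA-F]+|\d+))*)\s*\)/g;

function litValue(lit) { return decodeEscapes(lit.slice(1, -1)); }
function toLit(s) { return '"' + s.replace(/["\\]/g, c => '\\' + c) + '"'; }

// Constant-fold string expressions so a rule sees the characters the browser
// would see. Three passes: fromCharCode -> concatenation (to fixpoint) -> escapes.
function normalize(src) {
  let out = src.replace(FROMCC_RE, (m, args) =>
    toLit(args.split(',').map(a => String.fromCharCode(Number(a.trim()))).join('')));
  let prev;
  do {
    prev = out;
    out = out.replace(CONCAT_RE, (m, a, b) => toLit(litValue(a) + litValue(b)));
  } while (out !== prev);
  return out.replace(LIT_RE, lit => toLit(litValue(lit)));
}

// The same rule, applied after normalisation.
function detect(src) {
  return CLSID_RE.test(normalize(src));
}

// Constructed samples. The first two follow Ravi's message; the others are
// further variants of the same idea.
const SAMPLE_RAW =
  String.raw`object1.setAttribute("CLSID", "CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766");`;
const SAMPLE_EVASION =
  String.raw`object1.setAttribute("CLSID", "C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");`;
const SAMPLE_MIXED =
  String.raw`var id = String.fromCharCode(67,76,83) + "\x49\x44:" + '06723E09-F4C2-' + "43c8-835d-09FCD1DB0766";`;
// Beyond a constant folder: the value only exists after running the code.
const SAMPLE_BEYOND =
  String.raw`var s = "DISLC".split("").reverse().join("") + ":06723E09-F4C2-43c8-835d-09FCD1DB0766";`;

console.log('raw     naive=%s folded=%s', naiveDetect(SAMPLE_RAW), detect(SAMPLE_RAW));
console.log('evasion naive=%s folded=%s', naiveDetect(SAMPLE_EVASION), detect(SAMPLE_EVASION));
console.log('mixed   naive=%s folded=%s', naiveDetect(SAMPLE_MIXED), detect(SAMPLE_MIXED));
console.log('beyond  naive=%s folded=%s', naiveDetect(SAMPLE_BEYOND), detect(SAMPLE_BEYOND));
```

The point of the last sample is Srini's: once the string is built by running code (`split`/`reverse`/`join`, or any other method call) rather than by concatenating constants, nothing short of evaluating the script in a sandbox recovers the value, and that is the "processing requirements" question, not a PCRE question.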
