IDS mailing list archives

CLSID evasion - Client protection


From: Ravi Chunduru <ravi.is.chunduru () gmail com>
Date: Wed, 25 Mar 2009 07:40:45 -0700

In many cases, an ActiveX CLSID is sent in HTML pages as a simple string such as

CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766

To evade detection by intermediate security devices, the CLSID information
can be sent as JavaScript that looks like this:

<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
****Evasion***
xyz = object1.CreateObject(....)
....

The above evasion can have any combination of characters.

How can one go about writing rules to detect these evasions?  Is
PCRE good enough for this? I thought that it can't be done by PCRE
expressions and that it requires some code support in IDP sensors.  What do
you think?


Thanks
Ravi
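
An added example, not part of the original post and not any sensor's own code: one way a sensor-side preprocessor could fold adjacent JavaScript string literals before a PCRE-style CLSID match runs. The function names and the watch list are assumptions, and it handles only the literal-concatenation form shown in the post.

```python
import re

# CLSID taken from the post; treating it as a watch-list entry is an assumption.
WATCHED = {"06723E09-F4C2-43C8-835D-09FCD1DB0766"}

# One JavaScript string literal, single- or double-quoted; backslash escapes are skipped over.
_LIT = r"""(?:"(?:[^"\\\n]|\\.)*"|'(?:[^'\\\n]|\\.)*')"""
_ONE = re.compile(_LIT)
# Two or more literals joined by '+', with optional whitespace or newlines in between.
_CHAIN = re.compile(_LIT + r"(?:\s*\+\s*" + _LIT + r")+")
# "clsid:" followed by a GUID, braces optional, case-insensitive.
_CLSID = re.compile(
    r"clsid:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?", re.I)


def fold_literals(script):
    """Collapse chains like "C"+"L"+'S' into the single literal "CLS"."""
    def merge(m):
        parts = (lit[1:-1] for lit in _ONE.findall(m.group(0)))
        return '"' + "".join(parts) + '"'
    return _CHAIN.sub(merge, script)


def raw_hits(page):
    """Watched CLSIDs found by the pattern alone, with no normalization."""
    return {m.group(1).upper() for m in _CLSID.finditer(page)} & WATCHED


def folded_hits(page):
    """Watched CLSIDs found after string-literal folding."""
    return raw_hits(fold_literals(page))


# Constructed sample: the script from the post with the elided lines left out.
SAMPLE = """<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
</script>"""

if __name__ == "__main__":
    print("pattern only :", sorted(raw_hits(SAMPLE)))
    print("after folding:", sorted(folded_hits(SAMPLE)))
```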


