Focus on IDS
CSLID evasion - Client protection Mar 25 2009 02:40PM
Ravi Chunduru (ravi is chunduru gmail com) (2 replies)
In many cases, ActiveX CLSID is sent in HTML pages as a simple string such as

CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766

To evade detection by intermediate security devices, CLSID information
can be sent as JavaScript which looks like this:

<script>
var object1=document.createElement('object');
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
// ****Evasion***
xyz = object1.CreateObject(....)
....

The above evasion can have any combination of characters.

How can one go about writing rules to detect these evasions? Is
PCRE good enough for this? I thought that it can't be done by PCRE
expressions and it requires some code support in IDP sensors. What do
you think?

Thanks
Ravi

RE: CSLID evasion - Client protection Mar 25 2009 06:07PM
Addepalli Srini-B22160 (saddepalli freescale com) (1 replies)
Re: CSLID evasion - Client protection Mar 26 2009 12:31AM
Stuart Staniford (sstaniford FireEye com)
Re: CSLID evasion - Client protection Mar 25 2009 05:34PM
Stuart Staniford (sstaniford FireEye com)
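
The question in the post above, whether PCRE alone can catch a CLSID split across concatenated string literals, comes down to normalizing the script before matching. The following is an added example, not part of the original thread: a small JavaScript pre-processor that folds string literals joined by + and then applies an ordinary CLSID regex. The names readLiteral, foldConcats and findClsids are hypothetical, and the sample is the snippet from the post.

```javascript
// Added example (not from the thread). Function names are hypothetical.
// Decode one quoted literal starting at src[i]; null if it is unterminated.
function readLiteral(src, i) {
  const quote = src[i];
  let value = "";
  for (let j = i + 1; j < src.length; j++) {
    const ch = src[j];
    if (ch === quote) return { value, end: j + 1 };
    if (ch === "\n") return null;
    if (ch !== "\\") { value += ch; continue; }
    const m = /^(?:x([0-9a-fA-F]{2})|u([0-9a-fA-F]{4}))/.exec(src.slice(j + 1));
    if (m) { value += String.fromCharCode(parseInt(m[1] || m[2], 16)); j += m[0].length; }
    else { value += src[j + 1] || ""; j += 1; } // other escapes: keep the escaped char
  }
  return null;
}

// Rewrite each run of literals joined by "+" as one double-quoted literal.
function foldConcats(src) {
  let out = "";
  let i = 0;
  while (i < src.length) {
    const lit = src[i] === '"' || src[i] === "'" ? readLiteral(src, i) : null;
    if (!lit) { out += src[i++]; continue; }
    let { value, end } = lit;
    for (;;) {
      const plus = /^\s*\+\s*(?=["'])/.exec(src.slice(end));
      const next = plus && readLiteral(src, end + plus[0].length);
      if (!next) break;
      value += next.value;
      end = next.end;
    }
    out += JSON.stringify(value);
    i = end;
  }
  return out;
}

const CLSID_RE = /clsid\s*:\s*\{?([0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12})\}?/gi;

// CLSIDs (upper-cased) matched in the raw text and in the folded text.
function findClsids(src) {
  const grab = (text) => [...text.matchAll(CLSID_RE)].map((m) => m[1].toUpperCase());
  return { raw: grab(src), folded: grab(foldConcats(src)) };
}

// Constructed sample: the snippet quoted in the post.
const SAMPLE = `var object1=document.createElement('object');
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");`;
```

It folds only literal-to-literal concatenation; strings assembled through variables or at run time need script emulation in the sensor rather than a pattern.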
Copyright 2010, SecurityFocus