[Dshield] Filtering javascript

traef06 RAEF traef06 at msn.com
Wed Jun 13 11:40:24 GMT 2007


I'm not the greatest regex writer in the world but here's what I've been using:
 
################################################################################
# block javascript document.write
################################################################################
FILTER: js-document-write
s/document\.write\s*(\(|&\#40;)['"(&quot;)(&\#34;)(&\#44;)<(&lt;)(\%3c)(&\#60;)>(&gt;)(\%3E)(&\#62;)\w =(&\#61;):(&\#58;)(\%3A)\+(&\#43;)\/(&\#47;)(\%2F)\\(&\#92;)(\%5C)\.(&\#46;)\((&\#40;)\)(&\#41;)\!(&\#33;)\?(&\#63;)(\%3F)\&(&\#38;)(\%26)\#(\%23)(&\#35;)(&\#45;)-]*/document.wr1te("")/gi
#s/\.write \(/.wr1te( /gi
s/document\.writeln\(['"<>\w =:\+\/\\\.\(\)\.\!\?\&\#-]*/document.writeln("")/gi
s/ms-its/mis-fits/gi
s/(\"|'|&quot;|&\#34;)*cid:['\"]*?[^'\"]*?(\"|'|&quot;|&\#34;)/cid:privoxy/gi
#s/dynsrc=[\"|'|&quot;|&#34;]*[^'\"]*?[\"|'|&quot;|&#34;]/dynsrc=""/gi
s/dynsrc/dumsrc/gi
s/\.regwrite/\.regwrong/gi
s/\.regread/\.regreed/gi
s/\.regdelete/\.regdeleet/gi
s/shell:windows/snell:widnows/gi
s/shellexecute/snellexicute/gi
s/\"shell\.application\"/\"snell\.applicator\"/gi
s/execScript/execiScript/gi
s/JScript\.Encode/TJScript\.Decode/gi
s/command(;|&\#59;)file(:|&\#58;)(\/|&\#47;)*C(:|&\#58;)/commando;fool:\/\/Z:/gi
######################################################################
 
In addition I have been building a similar rule to rewrite decode and all of its variations. You'll notice that what I have it doing is to rewrite the javascript to something harmless. I'm working on writing a Perl script that will examine the logs and, where it finds these rewritten lines, deposit the IP address or URL into a separate file so that I can further examine that site. If I find malware, I'll take the steps to have it removed or blocked.
 
Any expert regex'ers out there care to critique my code above?
 
With my current setup I can whitelist sites so they don't get filtered. But I keep this list to sites like microsoft.com, adobe.com, macromedia.com, apple.com, etc.
 
Comments, criticisms, suggestions are always welcome!

Thomas J. Raef
e-Based Security, Inc.
(847)833-5666
traef06 at msn.com
"You're either hardened or you're hacked!"

> Date: Tue, 12 Jun 2007 19:47:56 -0400
> From: mooyix at gmail.com
> To: list at lists.dshield.org
> Subject: Re: [Dshield] Filtering javascript
> CC: traef06 at msn.com
>
> I'm curious to know what you both are using as well; how do such
> detection/blocking methods fare against obfuscation techniques such as
> VoMM (http://aviv.raffon.net/2006/10/15/VoMMTakingBrowserExploitsToTheNextLevel.aspx)
> ?
>
> -Brendan
>
> On 6/12/07, Paul Melson <pmelson at gmail.com> wrote:
> >
> > > I've also blocked decode statements. My feeling is that if you feel you
> > > have something to hide, I don't
> > > want it.
> >
> > I tend to concur. We monitor web traffic for patterns indicative of
> > JavaScript obfuscation. All of them have either been an exploit/dropper or a
> > web ad. Either way, nothing that would be missed.
> >
> > What are you using to perform filtering?
> >
> > PaulM
> >
> >
> >
> > _________________________________________
> > SANSFIRE 2007 July 25-August 2 in Washington, DC. 56 courses, SANS top
> > instructors, and a great tools and solutions expo. Register today!
> > http://www.sans.org/info/4651 (brochure code ISC)
> >
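The filter in the post rewrites script calls into harmless tokens, honours a site whitelist, and the author plans a Perl log scan for the rewritten lines. As an added example (not the author's code and not Privoxy's), the Python below ports a few of those rules, applies the same whitelist, and scans constructed log lines of the hypothetical form '<client_ip> <url> <snippet>' for the rewrite markers; the sample page and log lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlparse
# Added example (not the author's code): a Python port of a few of the post's
# Privoxy rules. The harmless tokens (wr1te, mis-fits, ...) also mark a hit.
RULES = [
    # document.write( ... ) with the parens literal or HTML-entity encoded
    (re.compile(r'document\.write\s*(?:\(|&#40;).*?(?:\)|&#41;)', re.I),
     'document.wr1te("")'),
    (re.compile(r'document\.writeln\(.*?\)', re.I), 'document.writeln("")'),
    (re.compile(r'ms-its', re.I), 'mis-fits'),
    (re.compile(r'\.regwrite', re.I), '.regwrong'),
    (re.compile(r'shellexecute', re.I), 'snellexicute'),
    (re.compile(r'JScript\.Encode', re.I), 'TJScript.Decode'),
]
MARKERS = ('wr1te', 'mis-fits', 'regwrong', 'snellexicute', 'TJScript.Decode')
WHITELIST = {'microsoft.com', 'adobe.com', 'macromedia.com', 'apple.com'}

def whitelisted(url):
    """True when the URL's host is, or is under, a whitelisted domain."""
    host = (urlparse(url).hostname or '').lower()
    return any(host == d or host.endswith('.' + d) for d in WHITELIST)

def neutralize(url, body):
    """Rewrite body unless url is whitelisted; return (body, rules_fired)."""
    if whitelisted(url):
        return body, 0
    fired = 0
    for pattern, repl in RULES:
        body, n = pattern.subn(repl, body)
        fired += 1 if n else 0
    return body, fired

def suspicious_hosts(log_lines):
    """Constructed log format '<client_ip> <url> <rewritten snippet>':
    return the sorted distinct hosts whose snippet carries a marker."""
    hosts = set()
    for line in log_lines:
        parts = line.split(None, 2)
        if len(parts) == 3 and any(m in parts[2] for m in MARKERS):
            hosts.add(urlparse(parts[1]).hostname)
    return sorted(hosts)

# Constructed sample page and proxy log lines, not real traffic.
SAMPLE_HTML = ('<script>document.write("<img src=x>");'
               'document.write&#40;"hidden"&#41;;x.RegWrite("key", 1);'
               '</script><a href="ms-its:help.chm::/x.htm">help</a>')
SAMPLE_LOG = ['10.0.0.5 http://example.test/promo.html document.wr1te("")',
              '10.0.0.7 http://www.microsoft.com/x.html document.write("ok")',
              '10.0.0.5 http://cdn.example.test/a.js x.regwrong("key", 1)']
```

The entity-encoded call `document.write&#40;...&#41;` is caught alongside the literal one, which is the point of the encoded alternatives in the original rule; the whitelisted microsoft.com line passes through untouched and so never shows a marker.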

