In many cases, an ActiveX CLSID is sent in HTML pages as a simple string such as
CLSID:06723E09-F4C2-43c8-835d-09FCD1DB0766
To evade detection by intermediate security devices, the CLSID information
can be sent as JavaScript which looks like this:
<script>
var object1=document.createElement('object');
// Evasion: the CLSID string is split into concatenated fragments
object1.setAttribute("CLSID",
"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");
xyz = object1.CreateObject(....)
....
</script>
Above evasion can have any combination of characters.
How can one go about writing rules to detect these evasions? Is
PCRE good enough for this? I thought that it can't be done by PCRE
expressions and it requires some code support in IDP sensors. What do
you think?
Thanks
Ravi
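Two detection approaches for the concatenation evasion described in the post, written as an added example (not code from the original thread): first, a single PCRE-style pattern that tolerates a `"+"` seam between any two characters of the CLSID, which is what a pure-regex IDS rule would need; second, a normalizer that merges adjacent same-quote string literals before applying the plain CLSID pattern, which is the kind of "code support" the post asks about. The sample script text and the GUID are constructed from the post; only literal-to-literal concatenation is handled, so anything built from variables or character codes would still need a JavaScript-aware normalizer.

```python
import re

HEX = r'[0-9A-Fa-f]'
# A seam that string-concatenation evasion can insert between any two
# characters: closing quote, optional whitespace, '+', optional whitespace,
# opening quote. The quotes need not match each other.
SEAM = r'''(?:["']\s*\+\s*["'])?'''

def seam_tolerant_pattern() -> re.Pattern:
    """Build CLSID:XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX with an optional
    seam between every character token (the PCRE-only approach)."""
    tokens = list('CLSID:') + [HEX] * 8
    for width in (4, 4, 4, 12):
        tokens += ['-'] + [HEX] * width
    return re.compile(SEAM.join(tokens), re.IGNORECASE)

TOLERANT_RE = seam_tolerant_pattern()
SEAM_RE = re.compile(r'''["']\s*\+\s*["']''')

def find_clsids_tolerant(js: str) -> list:
    """Match the evasion directly on the raw script text and return the
    GUIDs with the concatenation seams stripped out."""
    found = []
    for m in TOLERANT_RE.finditer(js):
        cleaned = SEAM_RE.sub('', m.group(0))
        found.append(cleaned[len('CLSID:'):])
    return found

# Two adjacent literals using the same quote character, joined by '+'.
# Escaped characters inside the literal are kept as-is.
CONCAT_RE = re.compile(
    r'''(["'])((?:\\.|(?!\1)[^\\\n])*)\1\s*\+\s*\1((?:\\.|(?!\1)[^\\\n])*)\1'''
)
PLAIN_RE = re.compile(
    r'CLSID:\s*(' + HEX + r'{8}-' + HEX + r'{4}-' + HEX + r'{4}-'
    + HEX + r'{4}-' + HEX + r'{12})', re.IGNORECASE
)

def normalize_concat(js: str) -> str:
    """Repeatedly merge "a"+"b" into "ab" until nothing changes
    (the normalizer-in-code approach)."""
    prev = None
    while prev != js:
        prev = js
        js = CONCAT_RE.sub(lambda m: m.group(1) + m.group(2) + m.group(3) + m.group(1), js)
    return js

def find_clsids_normalized(js: str) -> list:
    """Normalize first, then apply the ordinary CLSID pattern."""
    return PLAIN_RE.findall(normalize_concat(js))

# Constructed sample, reproducing the evasion shown in the post.
SAMPLE_JS = (
    "var object1=document.createElement('object');\n"
    'object1.setAttribute("CLSID",\n'
    '"C"+"L"+"S"+"ID:"+"06723E09-F"+"4C2-43c8-835d-09FCD1DB0766");\n'
)
EXPECTED_GUID = '06723E09-F4C2-43c8-835d-09FCD1DB0766'

if __name__ == '__main__':
    print('tolerant regex :', find_clsids_tolerant(SAMPLE_JS))
    print('normalized     :', find_clsids_normalized(SAMPLE_JS))
```

The seam-tolerant pattern answers the "is PCRE enough" question for this specific trick, at the cost of a long, slow regex that must be regenerated for every variant of the evasion; the normalizer keeps the detection rule simple and is the more maintainable place to add further decoding as new obfuscations appear.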