On Fri, 17 Sep 2010, John Hardin wrote:
On Fri, 17 Sep 2010, Joseph Brennan wrote:
> On fre 17 sep 2010 00:30:27 CEST, Chris Owen wrote
> > 1) From yahoo.com
> > 2) Have a HTML attachment
> > 3) Are base64 encoded
The html includes something like this, inside a comment. It's really
over a hundred escaped characters:

  document.write(unescape("%3C%53%43%52%49%50%54%20%4C

and I think this matches it:

  /document\.write\(unescape\(\"(\%..\%){10,}/

This seems to need a RAWBODY check to match. That's as far as I've
got.

Adding to my sandbox for masscheck:

  rawbody HTML_OBFU_ESC /document\.write\(unescape\("(?:%[0-9a-f]{2}){10}/i

It performs pretty well. It should be in the next rules update, under a
slightly different name (OBFU_JVSCR_ESC).
--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhar...@impsec.org FALaholic #11174 pgpk -a jhar...@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
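
An added example, not part of the original thread: a Python approximation of how the rawbody pattern quoted above behaves on a base64-encoded HTML attachment, and why a check on rendered text would miss it. The message is constructed, `build_sample`, `strip_markup`, `scan` and `ESC_RUN` are hypothetical helpers, and the tag stripping only roughly imitates what a `body` rule sees.

```python
import re
from email import message_from_string
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText
from urllib.parse import unquote

# Pattern of the rawbody rule from the thread (Perl /i becomes re.I).
OBFU_ESC = re.compile(r'document\.write\(unescape\("(?:%[0-9a-f]{2}){10}', re.I)
# Helper pattern (assumption, not from the thread): capture the whole escaped run.
ESC_RUN = re.compile(r'unescape\("((?:%[0-9a-f]{2})+)', re.I)

def build_sample(script_text):
    """Constructed message: every character of script_text is %XX-escaped and
    placed inside an HTML comment in a base64-encoded HTML attachment."""
    escaped = "".join("%%%02X" % ord(c) for c in script_text)
    html = ('<html><body><p>invoice</p><!--\n'
            'document.write(unescape("' + escaped + '"));\n--></body></html>')
    msg = MIMEMultipart()
    msg["From"] = "sender@example.com"
    msg.attach(MIMEText("see attachment", "plain"))
    part = MIMEText(html, "html", "utf-8")  # utf-8 charset => base64 transfer encoding
    part.add_header("Content-Disposition", "attachment", filename="sample.html")
    msg.attach(part)
    return msg.as_string()

def strip_markup(html):
    """Rough stand-in for rendered text: drop comments, then tags."""
    return re.sub(r"<!--.*?-->|<[^>]+>", "", html, flags=re.S)

def scan(raw_message):
    """Return (content type, decoded payload prefix, rendered-text hit) per match."""
    hits = []
    for part in message_from_string(raw_message).walk():
        if part.get_content_maintype() != "text":
            continue
        # Decode the transfer encoding but keep the markup, like a rawbody rule.
        text = part.get_payload(decode=True).decode("utf-8", "replace")
        if OBFU_ESC.search(text):
            run = ESC_RUN.search(text).group(1)
            rendered_hit = bool(OBFU_ESC.search(strip_markup(text)))
            hits.append((part.get_content_type(), unquote(run)[:40], rendered_hit))
    return hits

if __name__ == "__main__":
    raw = build_sample('<SCRIPT LANGUAGE="JavaScript">/* constructed */</SCRIPT>')
    print("literal visible in raw message:", "document.write" in raw)
    print(scan(raw))
```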