"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "src/service_inspectors/http_inspect/dev_notes.txt" between
snort3-3.1.29.0.tar.gz and snort3-3.1.30.0.tar.gz

About: Snort 3 is a network intrusion prevention and detection system (IDS/IPS) combining the benefits of signature, protocol and anomaly-based inspection.

dev_notes.txt  (snort3-3.1.29.0):dev_notes.txt  (snort3-3.1.30.0)
skipping to change at line 230 skipping to change at line 230
subsequent bytes in a stream mode, until it finds a closing tag. subsequent bytes in a stream mode, until it finds a closing tag.
It proceeds and scans the entire message body for inline scripts. It proceeds and scans the entire message body for inline scripts.
Enhanced Normalizer is a stateful JavaScript whitespace and identifiers normaliz er. Enhanced Normalizer is a stateful JavaScript whitespace and identifiers normaliz er.
Normalizer will remove all extraneous whitespace and newlines, keeping a single space where Normalizer will remove all extraneous whitespace and newlines, keeping a single space where
syntactically necessary. Comments will be removed, but contents of string litera ls will syntactically necessary. Comments will be removed, but contents of string litera ls will
be kept intact. Any string literals, added by the plus operator, be kept intact. Any string literals, added by the plus operator,
will be concatenated. This also works for functions that result in string will be concatenated. This also works for functions that result in string
literals. Semicolons will be inserted, if not already present, according to ECMA Script literals. Semicolons will be inserted, if not already present, according to ECMA Script
automatic semicolon insertion rules. automatic semicolon insertion rules.
All JavaScript identifier names, except those from the ignore list, All JavaScript identifier names, except those from the ident_ignore or prop_igno re lists,
will be substituted with unified names in the following format: var_0000 -> var_ ffff. will be substituted with unified names in the following format: var_0000 -> var_ ffff.
So, the number of unique identifiers available is 65536 names per HTTP transacti on. So, the number of unique identifiers available is 65536 names per HTTP transacti on.
If Normalizer overruns the configured limit, built-in alert is generated. If Normalizer overruns the configured limit, built-in alert is generated.
A config option to set the limit manually: A config option to set the limit manually:
* http_inspect.js_norm_identifier_depth. * http_inspect.js_norm_identifier_depth.
Identifiers from the ignore list will be placed as is, without substitution. Sta rting with Identifiers from the ident_ignore list will be placed as is, without substitutio n. Starting with
the listed identifier, any chain of dot accessors, brackets and function calls w ill be kept the listed identifier, any chain of dot accessors, brackets and function calls w ill be kept
intact. intact.
For example: For example:
* console.log("bar") * console.log("bar")
* document.getElementById("id").text * document.getElementById("id").text
* eval("script") * eval("script")
* foo["bar"] * foo["bar"]
Ignored identifiers are configured via the following config option, Ignored identifiers are configured via the following config option,
it accepts a list of object and function names: it accepts a list of object and function names:
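Review bot: The reworded sentence "All JavaScript identifier names, except those from the ident_ignore or prop_ignore lists" uses shortened list names and folds the property list into a statement about identifier names, while the next hunk says the two lists act separately on identifiers and on properties. Suggest writing the options in full, in the same form as http_inspect.js_norm_identifier_depth a few lines later, both here and in "Identifiers from the ident_ignore list will be placed as is", and saying in this sentence that the prop_ignore list exempts properties and methods rather than identifiers, so a reader can tell which list keeps a given name unsubstituted.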
skipping to change at line 260 skipping to change at line 260
When a variable assignment that 'aliases' an identifier from the list is found, When a variable assignment that 'aliases' an identifier from the list is found,
the assignment will be tracked, and subsequent occurrences of the variable will be the assignment will be tracked, and subsequent occurrences of the variable will be
replaced with the stored value. This substitution will follow JavaScript variabl e scope replaced with the stored value. This substitution will follow JavaScript variabl e scope
limits. limits.
For example: For example:
var a = console.log var a = console.log
a("hello") // will be substituted to 'console.log("hello")' a("hello") // will be substituted to 'console.log("hello")'
In addition to the scope tracking, JS Normalizer specifically tracks unicode une For properties and methods of objects that can be created implicitly, there is a
scape js_norm_prop_ignore list. All names in the call chain after the first property o
functions(unescape, decodeURI, decodeURIComponent, String.fromCharCode, String.f r
romCodePoint). method from the list has been occurred will not be normalized.
Note that identifiers are normalized by name, i.e. an identifier and a property
with the same name
will be normalized to the same value. However, the ignore lists act separately o
n identifiers
and properties.
For example:
http_inspect.js_norm_prop_ignore = { 'split' }
in: "string".toUpperCase().split("").reverse().join("");
out: "string".var_0000().split("").reverse().join("");
In addition to the scope tracking, JS Normalizer specifically tracks unescape-li
ke JavaScript
functions (unescape, decodeURI, decodeURIComponent, String.fromCharCode, String.
fromCodePoint).
This allows detection of unescape functions nested within other unescape functio ns, which is This allows detection of unescape functions nested within other unescape functio ns, which is
a potential indicator of a multilevel obfuscation. The definition of a function call depends on a potential indicator of a multilevel obfuscation. The definition of a function call depends on
identifier substitution, so such identifiers must be included in the ignore list in identifier substitution, so such identifiers must be included in the ignore list in
order to use this feature. After determining the unescape sequence, it is decode d into the order to use this feature. After determining the unescape sequence, it is decode d into the
corresponding string, and the name of unescape function will not be present in t he output. corresponding string, and the name of unescape function will not be present in t he output.
Single-byte escape sequences within the string and template literals which are a
rguments of
unescape, decodeURI and decodeURIComponent functions will be decoded according t
o ISO/IEC 8859-1
(Latin-1) charset. Except these cases, escape sequences and code points will be
decoded to UTF-8
format.
For example: For example:
unescape('\u0062\u0061\u0072') -> 'bar' unescape('\u0062\u0061\u0072') -> 'bar'
decodeURI('%62%61%72') -> 'bar' decodeURI('%62%61%72') -> 'bar'
decodeURIComponent('\x62\x61\x72') -> 'bar' decodeURIComponent('\x62\x61\x72') -> 'bar'
String.fromCharCode(98, 0x0061, 0x72) -> 'bar' String.fromCharCode(98, 0x0061, 0x72) -> 'bar'
String.fromCodePoint(65600, 65601, 0x10042) -> '𐁀𐁁𐁂' String.fromCodePoint(65600, 65601, 0x10042) -> '𐁀𐁁𐁂'
Supported formats follow Supported formats follow
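Review bot: The added Latin-1 paragraph ("Single-byte escape sequences ... will be decoded according to ISO/IEC 8859-1") has no example that exercises it: the unescape, decodeURI and decodeURIComponent examples that follow all decode to ASCII 'bar', where Latin-1 and UTF-8 output are the same. Suggest adding one example for these functions with a byte above 0x7F and its expected output, since that is the case where the two decodings differ. In the js_norm_prop_ignore paragraph, "has been occurred" should read "has occurred", and it would help to state outright that names in the chain before the first listed property are still normalized, which the example only implies through toUpperCase becoming var_0000.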
 End of changes. 4 change blocks. 
6 lines changed or deleted 31 lines changed or added
