From: Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) Date: Tue, 13 Dec 2022 18:42:35 +0000 (+0000) Subject: Pull request #3701: doc: add decompression mention to js_norm reference X-Git-Tag: 3.1.49.0~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=1cc55676e50bd74e4736fff590d9ca3859eab121;p=thirdparty%2Fsnort3.git Pull request #3701: doc: add decompression mention to js_norm reference Merge in SNORT/snort3 from ~DKYRYLOV/snort3:doc_js_pdf_stream to master Squashed commit of the following: commit f87c4484534feaca0495aef61aa35564ed1a1f53 Author: dkyrylov Date: Mon Dec 12 08:54:23 2022 +0200 doc: add decompression mention to js_norm reference --- diff --git a/doc/user/js_norm.txt b/doc/user/js_norm.txt index dd250078f..2e5d700c7 100644 --- a/doc/user/js_norm.txt +++ b/doc/user/js_norm.txt @@ -24,6 +24,8 @@ names in the following format: var_0000 -> var_ffff. The Normalizer tries to exp it will appear in a readable form in the output. When such text is a parameter of an unescape function, the entire function call will be replaced by the unescaped string. Moreover, Normalizer validates the syntax concerning ECMA-262 Standard, including scope tracking and restrictions for script elements. +JavaScript, embedded in PDF files, has to be decompressed before normalization. For that, +decompress_pdf = true option has to be set in configuration of appropriate service inspectors. Check with the following options for more configurations: bytes_depth, identifier_depth, max_tmpl_nest, max_bracket_depth, max_scope_depth, ident_ignore, prop_ignore. @@ -43,7 +45,7 @@ provide extra features, tweak how things are done, or conserve resources by doing less. Also, there are default lists of ignored identifiers and object properties provided. -To get a complete default configuration, use 'default_js_norm' from lua/snort_default.lua +To get a complete default configuration, use 'default_js_norm' from $SNORT_LUA_PATH/snort_defaults.lua by adding: js_norm = default_js_norm