From: Oleksii Shumeiko -X (oshumeik - SOFTSERVE INC at Cisco) Date: Mon, 12 Dec 2022 19:22:43 +0000 (+0000) Subject: Pull request #3699: doc: update user/js_norm.txt for PDF in email protocols X-Git-Tag: 3.1.49.0~5 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=38128a3d788667c98acfa59ed33b71cd1898dddb;p=thirdparty%2Fsnort3.git Pull request #3699: doc: update user/js_norm.txt for PDF in email protocols Merge in SNORT/snort3 from ~OSERHIIE/snort3:doc_jsn_others to master Squashed commit of the following: commit ffcf5576295b519ce8c3feb8d35606a42de9aac2 Author: Oleksandr Serhiienko Date: Thu Dec 8 12:33:48 2022 +0100 doc: update user/js_norm.txt for PDF in email protocols --- diff --git a/doc/user/js_norm.txt b/doc/user/js_norm.txt index 4d00b2ab5..dd250078f 100644 --- a/doc/user/js_norm.txt +++ b/doc/user/js_norm.txt @@ -1,6 +1,6 @@ One of the improvements in Snort 3 is Enhanced JavaScript Normalizer which has its own module and can be used with any service inspectors where JavaScript code might occur. -Currently it is only used by HTTP inspector. +Currently it is supported for the following inspectors: HTTP, SMTP, IMAP, POP. ==== Overview 
@@ -15,15 +15,15 @@ Having 'js_norm' module configured and ips option 'js_data' in the rules automat enables Enhanced Normalizer. The Enhanced Normalizer can normalize JavaScript embedded in HTML (inline scripts), -in separate .js files (external scripts), and JavaScript embedded in PDF files sent over HTTP. -It supports scripts over multiple PDUs. It is a stateful JavaScript whitespace and identifiers -normalizer. Normalizer concatenates string literals whenever it's possible to do. This also works -with any other normalizations that result in string literals. All JavaScript identifier names, -except those from the ignore lists, will be substituted with unified names in the following -format: var_0000 -> var_ffff. The Normalizer tries to expand escaped text, so it will appear in -a readable form in the output. When such text is a parameter of an unescape function, the entire -function call will be replaced by the unescaped string. Moreover, Normalizer validates the syntax -concerning ECMA-262 Standard, including scope tracking and restrictions for script elements. +in separate .js files (external scripts), and JavaScript embedded in PDF files sent over HTTP/1, +HTTP/2, SMTP, IMAP and POP3 protocols. It supports scripts over multiple PDUs. It is a stateful +JavaScript whitespace and identifiers normalizer. Normalizer concatenates string literals whenever +it's possible to do. This also works with any other normalizations that result in string literals. +All JavaScript identifier names, except those from the ignore lists, will be substituted with unified +names in the following format: var_0000 -> var_ffff. The Normalizer tries to expand escaped text, so +it will appear in a readable form in the output. When such text is a parameter of an unescape function, +the entire function call will be replaced by the unescaped string. Moreover, Normalizer validates the +syntax concerning ECMA-262 Standard, including scope tracking and restrictions for script elements. 
Check with the following options for more configurations: bytes_depth, identifier_depth, max_tmpl_nest, max_bracket_depth, max_scope_depth, ident_ignore, prop_ignore. @@ -172,7 +172,8 @@ a missed normalization context is detected and 154:8 built-in alert is raised. Further normalization is not possible for the script. For example: - alert http (msg:"JavaScript in HTTP"; js_data; content:"var var_0000=1;"; sid:1;) + alert http (msg:"JS in HTTP"; js_data; content:"var var_0000"; sid:1;) + alert smtp (msg:"JS in SMTP"; js_data; content:"var var_0000"; sid:2;) ===== js_data
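Review bot: In the first hunk (@@ -1,6 +1,6 @@) the new sentence lists "HTTP, SMTP, IMAP, POP", while the Overview hunk below lists "HTTP/1, HTTP/2, SMTP, IMAP and POP3 protocols"; the two lists should agree on naming (POP vs POP3) and on whether HTTP/2 is covered, since a reader of the intro will not see HTTP/2 mentioned at all. Suggest one wording used in both places, e.g. "Currently it is supported for the HTTP (HTTP/1 and HTTP/2), SMTP, IMAP and POP3 inspectors."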
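Review bot: The second hunk (@@ -15,15 +15,15 @@) re-wraps the whole paragraph, so nine lines that carry no wording change appear as deleted and re-added, which hides the actual two-line change (PDF over HTTP/1, HTTP/2, SMTP, IMAP and POP3); keeping the original line breaks where the text did not change would make the diff reviewable. While the lines are being touched anyway, "whitespace and identifiers normalizer" should read "whitespace and identifier normalizer", "whenever it's possible to do" can be "whenever possible", and "validates the syntax concerning ECMA-262 Standard" is clearer as "validates the syntax against the ECMA-262 standard".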
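Review bot: In the third hunk (@@ -172,7 +172,8 @@) the two example rules follow directly after "a missed normalization context is detected and 154:8 built-in alert is raised. Further normalization is not possible for the script. For example:", so they read as illustrating that failure case rather than as generic js_data rules; a lead-in such as "Example rules using js_data:" would avoid the confusion. Also, because identifiers are rewritten to var_0000 .. var_ffff, `content:"var var_0000"` will match the first declared variable of almost any normalized script; that is fine for an example, but the text could say the pattern is intentionally broad.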