05-30-2011 07:04 AM
It seems not to be possible to write a custom signature that filters out JavaScript in mails.
The challenge is to avoid something like that:
#> telnet server 25
helo willi
mail from:<otto@lbsost.de>
rcpt to:<m.huels@lbswast.de>
data
From: Mannis Emailcheck <otto@lbsost.de>
To: willi@lbswist.de
X-Mailer: Mein Mailer
Subject: test fuer javascript
MIME-Version: 1.0
Content-Type: text/html; charset=iso-8859-1
Content-Transfer-Encoding: 7bit
X-Real-Name: otto.lbsost.de
<html>
<body>
<A HREF="javascript:void(0)"
onclick="window.open('http://www.dackel.de','OK-Link')">
OK</A>
<script>alert("Virus - please click here to exploit your computer")</script>
</body>
</html>
.
quit
I tried
.*(220 mail).*(.de ESMTP).*(\x3c\x).*([sS][cC][rR][iI][pP][tT])
as a data pattern. But if I put this data pattern in a data filtering rule, it only filters in attachments and not in the mail text itself.
Defined as spyware or vulnerability signature, you can only set
pattern-match -> smtp-req-argument
pattern-match -> smtp-resp-content
pattern-match -> unknown-req-tcp-payload
I will trial-and-error this parameter in the next days (because it's a lengthy process to install new rules on the firewall 😉) and will report the results in this thread.
so long
Manfred
05-30-2011 11:22 PM
I've tried email header and email body pattern matches from the custom data patterns and it's worked in the past. Can you try creating a custom data pattern?
05-31-2011 01:07 AM
I tried to set the custom data pattern in a data filtering rule, which did not work.
Perhaps PA covers the SMTP header and the data-body in two different matching-machines? If so, I would have to set two patterns. But although ".*(\x3c\x[sS][cC][rR][iI][pP][tT])" has 7 bytes, you cannot install it because of being too short. ".*(<script)" and ".*(\x3c\xscript)" are both malformed; "script" has only 6 bytes and again would not be sufficient for this case.
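An added example, not part of the thread and not PAN-OS configuration: the body check discussed above, written as a Python scan over the decoded text/html part of a mail built from the test message in the first post. The rule names, the regexes and the helpers `scan_message` and `build_sample` are assumptions made for this illustration; the second run shows that the same body sent base64-encoded no longer contains the literal `<script` bytes on the wire.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Active-content markers searched in decoded HTML (illustrative, not exhaustive).
RULES = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "javascript-uri": re.compile(r"(?:href|src)\s*=\s*[\"']?\s*javascript:", re.I),
    "event-handler": re.compile(r"<[^>]*\son[a-z]+\s*=", re.I),
}

def scan_message(raw: bytes) -> dict:
    """Return {rule name: hit count} over every decoded text/html part."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = {name: 0 for name in RULES}
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        html = part.get_content()  # undoes base64/quoted-printable and the charset
        for name, rx in RULES.items():
            hits[name] += len(rx.findall(html))
    return hits

# Constructed sample: the HTML body of the test mail in the first post.
HTML = (
    '<html>\n<body>\n'
    '<A HREF="javascript:void(0)"\n'
    'onclick="window.open(\'http://www.dackel.de\',\'OK-Link\')">\n'
    'OK</A>\n'
    '<script>alert("Virus - please click here to exploit your computer")</script>\n'
    '</body>\n</html>\n'
)

def build_sample(cte: str) -> bytes:
    """Build the constructed test mail with the given Content-Transfer-Encoding."""
    msg = EmailMessage()
    msg["From"] = "Mannis Emailcheck <otto@lbsost.de>"
    msg["To"] = "willi@lbswist.de"
    msg["Subject"] = "test fuer javascript"
    msg.set_content(HTML, subtype="html", cte=cte)
    return msg.as_bytes()

if __name__ == "__main__":
    for cte in ("7bit", "base64"):
        raw = build_sample(cte)
        print(cte, "literal <script in raw bytes:", b"<script" in raw.lower())
        print(cte, "hits after MIME decoding:", scan_message(raw))
```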