Tuning for HTML_Script_Extension_Evasion

Technote (FAQ)


Question

What tuning parameters are available for HTML_Script_Extension_Evasion?

Answer

XPU 33.060 (released on June 11, 2013) included a new tuning parameter, pam.html.script.extension.whitelist, that works in conjunction with pam.html.script.extension.blacklist to tune the HTML_Script_Extension_Evasion signature.

HTML_Script_Extension_Evasion will trigger when an HTML <script> tag has a src attribute value with a misleading extension, one that may cause anti-virus or other security software to misinterpret the nature of the script file and so let it evade detection. This signature will trigger on a tag such as <script src='sneaky.jpg'>. Normally, files with .jpg extensions are JPEG images rather than scripts, but a crafty attacker may use .jpg as a script extension to evade detection of an exploit by security software.

By default, the following extensions are blacklisted:

  • avi
  • css
  • docx
  • eot
  • gif
  • ico
  • jpeg
  • jpg
  • mid
  • mov
  • mp3
  • mpg
  • pdf
  • png
  • ppt
  • ps
  • swf
  • tif
  • xls

If you would like to exclude (whitelist) any of the above extensions so that they will not trigger HTML_Script_Extension_Evasion, you can add the pam.html.script.extension.whitelist parameter with a value of the extension you would like to exclude. If you would like to exclude multiple extensions, they can be entered in the following format:
  • pam.html.script.extension.whitelist.1=jpg
  • pam.html.script.extension.whitelist.2=mpg
  • pam.html.script.extension.whitelist.x=ppt


If you would like to blacklist any additional extensions that are not in the default list, you can add the pam.html.script.extension.blacklist parameter with a value of the extension you would like to blacklist. To blacklist multiple extensions, they can be entered in the following format:
  • pam.html.script.extension.blacklist.1=txt
  • pam.html.script.extension.blacklist.2=bmp
  • pam.html.script.extension.blacklist.x=rtf
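As an added illustration (not IBM's code and not the PAM implementation), the following Python checker applies the signature's logic as this technote describes it: it parses pam.html.script.extension.whitelist/blacklist tuning lines, builds the effective extension set, and flags <script src=...> tags whose extension is in that set. It assumes that a whitelisted extension always wins over a blacklisted one and that query strings and fragments are not part of the extension; both are assumptions, not documented PAM behaviour.

```python
import re
from urllib.parse import urlsplit

# Default blacklist from the technote.
DEFAULT_BLACKLIST = frozenset("""avi css docx eot gif ico jpeg jpg mid mov
mp3 mpg pdf png ppt ps swf tif xls""".split())

# <script ... src="...">, src='...' or unquoted src=... (case-insensitive).
SCRIPT_SRC_RE = re.compile(
    r"<script\b[^>]*?\ssrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))", re.I)

# pam.html.script.extension.{whitelist|blacklist}[.N]=ext
PARAM_RE = re.compile(
    r"^pam\.html\.script\.extension\.(whitelist|blacklist)(?:\.\w+)?\s*=\s*(\S+)$")

def load_tuning(lines, default=DEFAULT_BLACKLIST):
    """Return the effective blacklist: defaults + blacklist params - whitelist params.
    Assumption: whitelist entries win regardless of their order in the file."""
    extra, excluded = set(), set()
    for line in lines:
        m = PARAM_RE.match(line.strip())
        if not m:
            continue  # comments, blank lines, unrelated parameters
        kind, ext = m.group(1), m.group(2).lower().lstrip(".")
        (extra if kind == "blacklist" else excluded).add(ext)
    return (set(default) | extra) - excluded

def script_extension(src):
    """Lower-cased extension of the URL path, ignoring query string and fragment
    (assumption about how the extension is derived)."""
    name = urlsplit(src).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def find_evasions(html, blacklist=DEFAULT_BLACKLIST):
    """Return (src, extension) for every script tag that would trigger the signature."""
    hits = []
    for m in SCRIPT_SRC_RE.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        ext = script_extension(src)
        if ext in blacklist:
            hits.append((src, ext))
    return hits

# Constructed sample page and tuning file for demonstration.
SAMPLE_HTML = """<html><body>
<script src='sneaky.jpg'></script>
<script type="text/javascript" src="/static/app.js"></script>
<script src="https://cdn.example.com/lib/ui.min.js?v=2"></script>
<img src="logo.png">
<script src=loader.swf></script>
</body></html>"""
SAMPLE_TUNING = ["# constructed tuning file",
                 "pam.html.script.extension.whitelist.1=jpg",
                 "pam.html.script.extension.blacklist.1=txt"]
```

Calling find_evasions(SAMPLE_HTML) reports both sneaky.jpg and loader.swf; after load_tuning(SAMPLE_TUNING) only loader.swf remains, since jpg is whitelisted and txt joins the blacklist.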



If the above information does not resolve your issue, contact IBM Security Systems Customer Support.


Cross reference information
Segment | Product | Component | Platform | Version | Edition
Security | Proventia Virtualized Network Security Platform | Not Applicable | Firmware | 3.1, 3.3, 4.1, 4.3, 4.4, 4.5, 4.6 |
Security | Proventia Network Multi-Function Security | Protocol Analysis Module (PAM) | Firmware | 3.14, 3.15, 4.1, 4.2, 4.3, 4.4, 4.5, 4.6 |
Security | IBM Security Host Protection | General Information | AIX, HP-UX, Linux, Windows | 2.2.2, 7.0 - SR 4.1, 7.0 - SR 4.2, 7.0 - SR 4.3, 7.0 - SR 4.4, 1.0.0, 1.5.0 |

Document information


More support for:

IBM Security Network Intrusion Prevention System
Protocol Analysis Module (PAM)

Software version:

1.8, 2.5, 3.3, 4.1, 4.3, 4.4, 4.5, 4.6, 4.6.1, 4.6.2

Operating system(s):

Firmware

Reference #:

1641106

Modified date:

2013-06-18
