js_data

The js_data option sets the detection cursor to the normalized JavaScript data buffer, which contains data normalized by the new "Enhanced Normalizer". Snort can detect whether JavaScript is present in the message body and then perform normalization on it if so.

Snort's "Enhanced Normalizer" is able to perform the following normalizations:

  • Normalize whitespace
  • Concatenate string literals
  • Unify identifier and property names
  • Expand escaped text

To see the default normalizations enabled, run the following command and look at the http_inspect.js_* configurations:

$ snort --help-module http_inspect

For example, consider the following JavaScript code:

<script>var o = {};
o.__defineGetter__('vuln');</script>

The Enhanced Normalizer will normalize the whitespace as well as unify the variable name to something predictable. If we look at the js_data buffer, we can see exactly that:

[js_data]
00000000  76 61 72 20 76 61 72 5F 30 30 30 30 3D 7B 7D 3B  var var_0000={};
00000010  76 61 72 5F 30 30 30 30 2E 5F 5F 64 65 66 69 6E  var_0000.__defin
00000020  65 47 65 74 74 65 72 5F 5F 28 27 76 75 6C 6E 27  eGetter__('vuln'
00000030  29 3B                                            );

Note that to use this buffer, the http_inspect.js_normalization_depth field must be set in one's Snort configuration:

http_inspect = { js_normalization_depth = depth }

Note: The js_data option is still under active development, so rule-writers should use caution when using it in their rules.
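The following Python is an added illustration, not code from the Snort project: a deliberately simplified model of the three normalizations the page lists (whitespace, string-literal concatenation, identifier unification), run on the page's script and then checked against Snort-style content patterns (with |3B|-style hex escapes) to show that js_data rules must match the normalized form, not the original source text. The names normalize_js, snort_content, content_matches and SAMPLE are hypothetical helpers; the real Enhanced Normalizer handles far more than this model.

```python
import re

# Constructed, simplified model of the normalizations listed on the page; it is
# NOT Snort's Enhanced Normalizer, only enough to show what js_data rules must match.
KEYWORDS = {"var", "let", "const", "function", "return", "new", "if", "else",
            "for", "while", "this", "true", "false", "null", "typeof"}
TOKEN = re.compile(r"""
    (?P<str>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")   # string literal
  | (?P<id>[A-Za-z_$][\w$]*)                     # identifier or keyword
  | (?P<num>0[xX][0-9a-fA-F]+|\d+(?:\.\d+)?)      # numeric literal
  | (?P<ws>\s+)                                   # whitespace
  | (?P<punct>[^\s'"A-Za-z_$\d])                  # any other single character
""", re.VERBOSE)

def normalize_js(src: str) -> str:
    """Return the modelled js_data buffer for a <script> block."""
    body = re.sub(r"</?script[^>]*>", "", src)    # drop the script tags
    names, out = {}, []                           # name -> var_NNNN, (kind, text)
    for m in TOKEN.finditer(body):
        kind, tok = m.lastgroup, m.group()
        prev = out[-1][1] if out else ""
        if kind == "ws":
            continue                              # whitespace is dropped
        if kind == "id" and tok not in KEYWORDS and prev != ".":
            # unify identifiers in first-seen order; a name after '.' is kept
            # as a built-in property (simplification of the real normalizer)
            tok = names.setdefault(tok, f"var_{len(names):04d}")
        if kind == "str" and prev == "+" and len(out) > 1 and out[-2][0] == "str":
            out.pop()                             # 'vu' + 'ln' -> 'vuln'
            out[-1] = ("str", out[-1][1][:-1] + tok[1:-1] + out[-1][1][0])
            continue
        out.append((kind, tok))
    buf = ""
    for _, tok in out:
        # keep one space only where two word-like tokens would otherwise fuse
        if buf and re.match(r"[\w$]", buf[-1]) and re.match(r"[\w$]", tok[0]):
            buf += " "
        buf += tok
    return buf

def snort_content(pattern: str) -> bytes:
    """Expand Snort content syntax (|3B| hex escapes) into raw bytes."""
    parts = re.split(r"\|([0-9A-Fa-f ]+)\|", pattern)
    return b"".join(bytes.fromhex(p) if i % 2 else p.encode() for i, p in enumerate(parts))

def content_matches(pattern: str, js_buffer: str) -> bool:
    """True if the content pattern would hit the (modelled) js_data buffer."""
    return snort_content(pattern) in js_buffer.encode()

SAMPLE = "<script>var o = {};\n\no.__defineGetter__('vuln');</script>"  # constructed
```

Running normalize_js(SAMPLE) reproduces the 50-byte buffer from the hex dump above, and a pattern written against the original identifier `o` fails to match it while the `var_0000` form matches.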

Format:

js_data;

Examples:

js_data;
content:"=new Uint32Array(-1)|3B|";
js_data;
content:"var var_0000={}|3B|var_0000.__defineGetter__(";
js_data;
content:"0xFFFFFFFF";
content:"-1";
bufferlen:<200;