Tuesday, 2 January 2018

Unicode decoder for RealSecure ISSED.

Hi all.

A few years ago I wrote a few words about IBM SiteProtector, the next version of the IDS after RealSecure. I remember that I used SQL queries, which I had written myself, for security monitoring. But I had one problem with reading the URI parameter from the ISSED database (MSDE 2000): the URI string was stored in the database as percent-encoded Unicode, so it appeared as %D0%BA%D0%BE%D1 in my morning report and was not readable on the fly.

This prevents quick analysis, so I decided to add a Unicode decoder to my code. I used JScript.


This is the command line for the OSQL utility (trusted connection, ISSED database, query from ev40.sql, report written to ev40.log with a line width of 840):
osql -n -E -d ISSED -i ev40.sql -o ev40.log -w 840


This is the ev40.sql query:
-- HTTP events of one day whose URL / field value / argument parameter contains a link
select
  e.EventDate,
  e.OrigEventName,
  e.DisplaySrcIPAddress, e.DisplayDestIPAddress,
  ep.EventID, ParamValue
from Events e
  join EventParams ep on ep.EventID = e.EventID
  join EventDay d on d.DayID = e.DayID
where
  e.OrigEventName like 'HTTP_%'
  and ep.ParamName in (':URL', ':field_value', ':arg')
  and ParamValue like '%http%'
  and d.CurrentDate = '09.13.2015'   -- the day to report on

And this is DecodeEv40.js, which does the decoding:
/*******************************************************************/
/* Name: DecodeEv40.js                                             */
/* Language: JScript                                               */
/* Purpose: decode URI string in RealSecure events DB              */
/*******************************************************************/
var FSO, F, F0, TextStream, TS, hname;
var ForReading = 1,
    ForWriting = 2,
    TristateUseDefault = -2;

FSO = WScript.CreateObject("Scripting.FileSystemObject");

/* Output file: decoded copy of the osql report */
FSO.CreateTextFile("ev40decode.log");
F = FSO.GetFile("ev40decode.log");
TextStream = F.OpenAsTextStream(ForWriting, TristateUseDefault);

/* Input file: the report written by osql -o ev40.log */
F0 = FSO.GetFile("ev40.log");
TS = F0.OpenAsTextStream(ForReading, TristateUseDefault);

/* The first line is the column header; copy it through unchanged */
TextStream.WriteLine(TS.ReadLine());

while (!TS.AtEndOfStream)
{
  hname = TS.ReadLine();
  try
  {
    /* Two decodeURI passes: some values are double-encoded (%25D0 -> %D0).
       decodeURI leaves reserved characters such as %2F and %3F encoded,
       so unescape is called last to decode those. */
    hname = decodeURI(hname);
    hname = decodeURI(hname);
    hname = unescape(hname);
  }
  catch (e)
  {
    /* Malformed sequence: report it, then write the line as far as it was decoded */
    TextStream.WriteLine("Error during decode URI! " + e.message);
  }
  TextStream.WriteLine(hname);
}
TS.Close();
TextStream.Close();


This is the command line to run DecodeEv40.js:
cscript DecodeEv40.js


You may be surprised that I call decodeURI twice and unescape once. It was a surprise for me too, but it works correctly.)
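The same decode sequence, written for Node.js so it can be checked on constructed input; this is an added example, not code from the original post. It replaces the WSH file streams of DecodeEv40.js with in-memory strings, and it shows why the order matters: decodeURI is repeated until the value stops changing (a double-encoded %25D0 becomes %D0 and then a character), and unescape runs only once at the end, because decodeURI deliberately leaves reserved characters such as %2F, %3F and %3D encoded. The sample report lines, the example.com host and the field layout are constructed, not taken from a real ISSED export.

```javascript
// Added example (not from the original post): DecodeEv40.js logic for Node.js,
// operating on strings instead of WSH file streams.

// Upper bound on decodeURI passes: real exports are at most double-encoded,
// and a bound keeps a pathological value from looping.
const MAX_DECODE_PASSES = 3;

// Decode one value the way the post does: decodeURI until the string stops
// changing (handles double-encoding), then unescape once for the reserved
// characters (%2F, %3F, %3D, ...) that decodeURI leaves alone by design.
// unescape must come last: applied earlier it would turn a still-encoded
// UTF-8 byte pair such as %D0%BA into two Latin-1 characters instead of one.
function decodeValue(value) {
  let current = value;
  for (let pass = 0; pass < MAX_DECODE_PASSES; pass++) {
    const next = decodeURI(current);   // throws URIError on malformed input
    if (next === current) break;
    current = next;
  }
  return unescape(current);
}

// Per-line wrapper mirroring the try/catch in DecodeEv40.js: a malformed
// sequence must not abort the whole report, and the raw line is kept so the
// analyst can still see what the event contained.
function decodeLine(line) {
  try {
    return { ok: true, text: decodeValue(line) };
  } catch (e) {
    if (!(e instanceof URIError)) throw e;  // only decoding errors are expected
    return { ok: false, text: line, error: e.message };
  }
}

// Process a whole osql report: the first line is the column header and is
// copied through unchanged, every following line is decoded.
function decodeReport(report) {
  const lines = report.split(/\r?\n/);
  const out = [lines[0]];
  for (let i = 1; i < lines.length; i++) {
    if (lines[i] === '') continue;  // skip a trailing empty line
    const r = decodeLine(lines[i]);
    out.push(r.ok ? r.text : 'Error during decode URI (' + r.error + '): ' + r.text);
  }
  return out;
}

// Constructed sample in the shape of the ev40.log export (not real data):
// line 1 mixes reserved characters with UTF-8, line 2 is double-encoded,
// line 3 ends in a truncated sequence and must be reported, not dropped.
const SAMPLE_REPORT = [
  'EventDate OrigEventName DisplaySrcIPAddress DisplayDestIPAddress EventID ParamValue',
  '2015-09-13 HTTP_GET 192.0.2.10 192.0.2.20 1 http%3A%2F%2Fexample.com%2Fsearch%3Fq%3D%D0%BA%D0%BE%D1%82',
  '2015-09-13 HTTP_GET 192.0.2.10 192.0.2.20 2 %25D0%25BA%25D0%25BE%25D1%2582',
  '2015-09-13 HTTP_GET 192.0.2.10 192.0.2.20 3 http%3A%2F%2Fexample.com%2F%D0%BA%D',
].join('\n');

console.log(decodeReport(SAMPLE_REPORT).join('\n'));
```

Lines 1 and 2 both decode to the Cyrillic word "кот" in their ParamValue field (line 1 additionally gets its http://example.com/search?q= prefix back), while line 3 is written out with an error prefix and its original text, which is the behaviour an analyst wants from a morning report: one bad value should not hide the rest.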


See you later.
