Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:
This event triggers when a JavaScript 'unescape()' function with a large amount of escaped data is detected. This activity should be viewed with suspicion. It may be normal activity, or it could indicate an attempt to inject a large amount of shellcode or malicious HTML and/or JavaScript in order to take control of a system through a browser vulnerability.
This signature detects an 'unescape' JavaScript function with a large amount of escaped data. This activity should be viewed with suspicion. It may be normal activity, or it could indicate an attempt to inject a large amount of shellcode or malicious HTML and/or JavaScript in order to take control of a system through a browser bug.
Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: Usage of the 'unescape()' function containing large amounts of non-malicious but encoded data will cause this event to trigger.
Legitimate usages of the 'unescape' function will cause this signature to trigger.
Some legitimate usages of the 'unescape' function may cause this signature to trigger.
Proventia Network MFS, IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection, Proventia Desktop, Proventia Network IPS, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware: Very small but potentially malicious 'unescape()' instances will not trigger this event.
Very small but potentially malicious 'unescape' instances will not trigger this event.
Medium
Proventia Network MFS: XPU 28.010, IBM Security Server Protection for Windows: 1.0.914.2140, IBM Security Server Protection for Windows: 2.0.252.2140, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Network IDS: XPU 28.010, Proventia-G 1.1 and earlier: XPU 28.010, RealSecure Network: XPU 28.010, RealSecure Server Sensor: XPU 28.010, BlackICE PC Protection: 3.6cqt, BlackICE Server Protection: 3.6.cqt, Proventia Desktop: 2140, Proventia Network IPS: XPU 28.010, Proventia Server IPS for Linux technology: 28.010, Virtual Server Protection for VMware: 1.0
IBM AIX, WindRiver BSDOS, SGI IRIX, Linux Kernel, Sun Solaris, IBM OS2, Microsoft Windows 95, Data General DG/UX, Microsoft Windows NT: 4.0, Microsoft Windows 98, SCO SCO Unix, Microsoft Windows 98SE, Microsoft Windows 2000, Microsoft Windows Me, Compaq Tru64, Microsoft Windows XP, Microsoft Windows 2003 Server, Apple Mac OS X
Suspicious Activity
The JavaScript function unescape() is used to translate escaped (or encoded) data into normal strings. A large number of escaped patterns have been detected within an unescape() function. This could indicate an attempt to take control of a system, or it may indicate an attempt to obfuscate benign JavaScript or HTML instructions.
Investigate the source data which triggers the event and block the traffic.
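A minimal sketch of the heuristic described above, added here as an illustration and not the vendor's actual signature logic: it counts %XX and %uXXXX sequences inside each unescape() call and flags calls at or above a threshold. The threshold of 64, the function names and the sample strings are assumptions, since the page does not state the real cut-off.

```python
import re

# Assumed threshold: the page only says "a large amount" of escaped data.
ESCAPE_THRESHOLD = 64
# %uXXXX (16-bit) or %XX (8-bit) escape sequences accepted by unescape().
ESCAPE_SEQ = re.compile(r"%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}")

def unescape_arguments(source):
    """Yield the raw argument text of each unescape(...) call in source."""
    for m in re.finditer(r"\bunescape\s*\(", source):
        depth, quote, i = 1, None, m.end()
        while i < len(source) and depth:
            ch = source[i]
            if quote:
                if ch == "\\":
                    i += 1            # skip the escaped character
                elif ch == quote:
                    quote = None      # string literal closed
            elif ch in "\"'":
                quote = ch            # string literal opened
            elif ch == "(":
                depth += 1
            elif ch == ")":
                depth -= 1
            i += 1
        end = i - 1 if depth == 0 else i   # drop the closing parenthesis
        yield source[m.end():end]

def scan(source, threshold=ESCAPE_THRESHOLD):
    """Return one (escape_count, flagged) tuple per unescape() call."""
    counts = (len(ESCAPE_SEQ.findall(arg)) for arg in unescape_arguments(source))
    return [(n, n >= threshold) for n in counts]

# Constructed samples; %u4141 and %20 are inert filler ("AA" and a space).
SAMPLES = {
    "small markup": 'document.write(unescape("%3Cb%3Ehi%3C%2Fb%3E"));',
    "large, one literal": 'var s = unescape("' + "%u4141" * 200 + '");',
    "large, split literals": 'var s = unescape("' + "%u4141" * 40
                             + '" + "' + "%u4141" * 40 + '");',
    "large but benign text": 'var t = unescape("' + "word%20" * 100 + '");',
}

if __name__ == "__main__":
    for name, js in SAMPLES.items():
        for count, flagged in scan(js):
            print(f"{name:24} escapes={count:4} flagged={flagged}")
```

The "large but benign text" sample is flagged, which is the false-positive case noted above, and the "small markup" sample is not, which is the false-negative case.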
ISS X-Force
JavaScript large number of unescape patterns detected
http://www.iss.net/security_center/static/39049.php