Forum Discussion
Russell_Moore_8
Nimbostratus
NimbostratusActiveSync Windows Phone query decode
I used the following rule to decode and locate the Windows Phone device ID for access control to an ActiveSync/OWA service. The AS protocol allows the query to be plain text or base64 encoded hex. ...
Russell_Moore_8Nimbostratus
Nimbostratus when HTTP_REQUEST {
create variable to contain the query string
set string_b64encoded [HTTP::query]
test the contents of the query string to see if it is base64 and if so place the content
in a variable
if {[catch {b64decode $string_b64encoded} string_b64decoded] == 0 and $string_b64decoded ne ""}{
scan the decoded content for the Device ID length
the "x4H2" format says to move forward 4 bytes and select the next 2 places
as HEX and put them in varible IDlenHEX
binary scan $string_b64decoded x4H2 IDlenHEX
convert HEX to decimal
scan $IDlenHEX %x IDlenDEC
multiply by two to get the correct character count
set IDlen [expr "$IDlenDEC * 2"]
knowing the DeviceID starts at the 6th pair we move "x5" to the that starting place
then select "H$IDlen" to put in variable HEXdeviceID
binary scan $string_b64decoded x5H$IDlen HEXdeviceID
try to match the found ID to a data group of allowed IDs
if { [matchclass $HEXdeviceID contains allowHEXdeviceIDs] } {
pool ASOWA.example.com_443
log local0. "Found ALLOWED Hexadecimal DeviceID: $HEXdeviceID"
} else {
log local0. "Found DENIED Hexadecimal DeviceID: $HEXdeviceID"
discard
}
}
}
