Forum Discussion
Russell_Moore_8
Nimbostratus
NimbostratusActiveSync Windows Phone query decode
I used the following rule to decode and locate the Windows Phone device ID for access control to an ActiveSync/OWA service. The AS protocol allows the query to be plain text or base64 encoded hex. ...
Russell_Moore_8Nimbostratus
NimbostratusUpdated to look for either base64 encoded HEX or plain DeviceID query
when HTTP_REQUEST {
set string_b64encoded [HTTP::query]
if {[catch {b64decode $string_b64encoded} string_b64decoded] == 0 and $string_b64decoded ne ""}{
binary scan $string_b64decoded x4H2 IDlenHEX
scan $IDlenHEX %x IDlenDEC
set IDlen [expr "$IDlenDEC * 2"]
binary scan $string_b64decoded x5H$IDlen HEXdeviceID
set string_sentid [string toupper $HEXdeviceID]
log local0. "EAS deviceID was HEX: $string_sentid"
} else {
set string_sentid [string toupper [URI::query [HTTP::uri] "DeviceId"]]
}
set string_URI [string tolower [HTTP::uri]]
set string_useragent [string toupper [HTTP::header User-Agent]]
set string_requestmethod [HTTP::method]
if { $string_sentid != "" && [class match $string_sentid contains EASDeviceIDAllowed] } {
log local0. "EAS Device ID match ALLOWED: URI: $string_URI DeviceID: $string_sentid Agent: $string_useragent Method: $string_requestmethod"
pool AS-owa.example.com_443
}
else {
log local0. "EAS default no match DENIED: $string_URI DeviceID: $string_sentid Agent: $string_useragent Method: $string_requestmethod"
discard
}
}