Russell_Moore_8
May 10, 2012 | Nimbostratus
ActiveSync Windows Phone query decode
I used the following rule to decode and locate the Windows Phone device ID for access control to an ActiveSync/OWA service. The AS protocol allows the query to be plain text or base64-encoded hex. If you search Google for base64 ActiveSync, you'll find the specification for this query method.
This rule works but I am studying it for optimization as I find it a bit ugly myself.
Feedback welcome! (The following code may contain snippets from other contributors for which I do not take credit, but I thank those contributors.)
when HTTP_REQUEST {
    # create variable to contain the query string
    set string_b64encoded [HTTP::query]
    # test the contents of the query string to see if it is base64 and if so place the content
    # in a variable (a plain-text query of the form Cmd=...&DeviceId=... fails this test and
    # falls through to the default pool: only the base64 form is checked below)
    if { [catch {b64decode $string_b64encoded} string_b64decoded] == 0 and $string_b64decoded ne "" } {
        # scan the decoded content for the Device ID length
        # the "x4H2" format says to move forward 4 bytes and select the next 2 places
        # as HEX and put them in variable IDlenHEX; binary scan returns the number of
        # conversions performed, so anything shorter than the 5-byte header is not a valid query
        if { [binary scan $string_b64decoded x4H2 IDlenHEX] != 1 } {
            log local0. "Query decoded but is shorter than the ActiveSync header; ignoring"
            return
        }
        # convert HEX to decimal
        scan $IDlenHEX %x IDlenDEC
        # multiply by two to get the correct character count (two hex digits per byte)
        set IDlen [expr {$IDlenDEC * 2}]
        # knowing the DeviceID starts at the 6th byte we move "x5" to that starting place
        # then select "H$IDlen" to put in variable HEXdeviceID; a truncated ID leaves the
        # variable unset and would error on the match below, so again check the count
        if { [binary scan $string_b64decoded x5H$IDlen HEXdeviceID] != 1 } {
            log local0. "Query claims a $IDlenDEC byte DeviceID but is truncated; dropping"
            discard
            return
        }
        # try to match the found ID to a data group of allowed IDs; use "equals" rather than
        # "contains" so that an ID that merely contains an allowed ID as a substring is denied
        if { [class match $HEXdeviceID equals allowHEXdeviceIDs] } {
            pool ASOWA.example.com_443
            log local0. "Found ALLOWED Hexadecimal DeviceID: $HEXdeviceID"
        } else {
            log local0. "Found DENIED Hexadecimal DeviceID: $HEXdeviceID"
            discard
        }
    }
}
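A reference decoder for the two query forms the post describes, added here as an example; it is not part of the original post and is not F5 or Microsoft code. It walks the same byte offsets the iRule's `x4H2` and `x5H$IDlen` scans rely on (byte 4 is the device ID length, the ID starts at byte 5), continues through the policy key and device type fields, and applies the allow/deny decision for both the base64 form and the plain-text `Cmd=...&DeviceId=...` form that the iRule passes through untouched. Assumptions: the MS-ASHTTP field order shown in the comments, that plain-text parameter names can be matched case-insensitively, that the plain-text `DeviceId` is the hex spelling of the same bytes the base64 form carries, and a constructed allow-list and constructed queries in place of real device IDs.

```python
import base64
import binascii
from urllib.parse import parse_qs

# Constructed allow-list: device IDs as lower-case hex of the raw ID bytes,
# the same representation the iRule's data group holds.
ALLOWED_DEVICE_IDS = {"0123456789abcdef0123456789abcdef"}

# Layout of the base64-encoded ActiveSync query value (MS-ASHTTP), offsets in
# decoded bytes; the iRule's "x4H2" reads byte 4 and "x5H<n>" reads from byte 5.
#   0      protocol version
#   1      command code
#   2-3    locale, little-endian
#   4      device ID length N (N <= 16)
#   5..    device ID, N bytes
#   next   policy key length (0 or 4), then the policy key
#   next   device type length M, then the device type (M bytes)
#   rest   command parameters (not parsed here)


def build_base64_query(version, command, locale, device_id, device_type, policy_key=None):
    """Encode a query the way a client would; used here only to construct test input."""
    if not 0 < len(device_id) <= 16:
        raise ValueError("device ID must be 1..16 bytes")
    raw = bytes([version, command]) + locale.to_bytes(2, "little")
    raw += bytes([len(device_id)]) + device_id
    if policy_key is None:
        raw += b"\x00"
    else:
        raw += b"\x04" + policy_key.to_bytes(4, "little")
    raw += bytes([len(device_type)]) + device_type
    return base64.b64encode(raw).decode("ascii")


def parse_base64_query(query):
    """Decode the base64 form into its fixed fields; ValueError on anything malformed."""
    try:
        raw = base64.b64decode(query, validate=True)
    except binascii.Error as exc:
        raise ValueError("not a base64 query") from exc
    if len(raw) < 5:
        raise ValueError("header truncated")
    fields = {"version": raw[0], "command": raw[1],
              "locale": int.from_bytes(raw[2:4], "little")}
    pos = 5
    id_len = raw[4]
    # A claimed length longer than the payload is exactly the case that would
    # leave the iRule's HEXdeviceID variable unset.
    if id_len == 0 or id_len > 16 or len(raw) < pos + id_len:
        raise ValueError("bad device ID length")
    fields["device_id"] = raw[pos:pos + id_len].hex()
    pos += id_len
    if len(raw) < pos + 1:
        raise ValueError("policy key length missing")
    pk_len = raw[pos]
    pos += 1
    if pk_len not in (0, 4) or len(raw) < pos + pk_len:
        raise ValueError("bad policy key length")
    fields["policy_key"] = int.from_bytes(raw[pos:pos + pk_len], "little") if pk_len else None
    pos += pk_len
    if len(raw) < pos + 1:
        raise ValueError("device type length missing")
    dt_len = raw[pos]
    pos += 1
    if len(raw) < pos + dt_len:
        raise ValueError("device type truncated")
    fields["device_type"] = raw[pos:pos + dt_len].decode("ascii", "replace")
    return fields


def extract_device_id(query):
    """Return the device ID as lower-case hex from either query form, or None."""
    # Plain-text form: Cmd=...&User=...&DeviceId=...; names matched case-insensitively
    # (assumption), and the DeviceId value is assumed to be the hex spelling of the
    # same bytes the base64 form carries.
    params = {k.lower(): v[0] for k, v in parse_qs(query).items()}
    if "deviceid" in params:
        return params["deviceid"].lower()
    try:
        return parse_base64_query(query)["device_id"]
    except ValueError:
        return None


def decide(query):
    """Mirror the iRule's decision: 'allow' only on an exact allow-list hit, else 'deny'."""
    device_id = extract_device_id(query)
    return "allow" if device_id in ALLOWED_DEVICE_IDS else "deny"
```

Two points worth checking against the live rule: a plain-text query carries the same device ID without any base64, so an allow-list that is only enforced on the base64 branch can be bypassed by a client that simply uses the other form; and the comparison should be an exact match, since a substring match would accept any ID that happens to contain an allowed one.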