Forum Discussion

Russell_Moore_8's avatar
Russell_Moore_8
Icon for Nimbostratus rankNimbostratus
May 10, 2012

ActiveSync Windows Phone query decode

I used the following rule to decode and locate the Windows Phone device ID for access control to an ActiveSync/OWA service. The AS protocol allows the query to be plain text or base64 encoded hex. If you search Google for base64 ActiveSync you'll find the specification for this query method.

 

 

This rule works but I am studying it for optimization as I find it a bit ugly myself.

 

Feedback welcome! (The following code may contain snippets from other contributors for which I do not take credit but thank those contributors)

 

 

when HTTP_REQUEST {

 

create variable to contain the query string

 

set string_b64encoded [HTTP::query]

 

test the contents of the query string to see if it is base64 and if so place the content

 

in a variable

 

if {[catch {b64decode $string_b64encoded} string_b64decoded] == 0 and $string_b64decoded ne ""}{

 

scan the decoded content for the Device ID length

 

the "x4H2" format says to move forward 4 bytes and select the next 2 places

 

as HEX and put them in varible IDlenHEX

 

binary scan $string_b64decoded x4H2 IDlenHEX

 

convert HEX to decimal

 

scan $IDlenHEX %x IDlenDEC

 

multiply by two to get the correct character count

 

set IDlen [expr "$IDlenDEC * 2"]

 

knowing the DeviceID starts at the 6th pair we move "x5" to the that starting place

 

then select "H$IDlen" to put in variable HEXdeviceID

 

binary scan $string_b64decoded x5H$IDlen HEXdeviceID

 

try to match the found ID to a data group of allowed IDs

 

if { [matchclass $HEXdeviceID contains allowHEXdeviceIDs] } {

 

pool ASOWA.example.com_443

 

log local0. "Found ALLOWED Hexadecimal DeviceID: $HEXdeviceID"

 

} else {

 

log local0. "Found DENIED Hexadecimal DeviceID: $HEXdeviceID"

 

discard

 

}

 

}

 

}