[Emerging-Sigs] HTTP Oddity Sig

Matt Jonkman jonkman at jonkmans.com
Fri Mar 7 17:05:46 EST 2008


Seeing a lot of malware make an http get like so:

GET http://update1.euro-shop.co.kr/RegViuum/start.txt HTTP/1.1
Host: update1.euro-shop.co.kr

You'll note that it's adding http://hostname.com to the uri string,
which should be just the URI. A lot of RBN related samples of late are
doing this, and many are very difficult to make sigs for otherwise. So
I'm giving the following sig a try:

MALWARE/MALWARE_Invalid_HTTP:alert tcp $HOME_NET any -> $EXTERNAL_NET
$HTTP_PORTS (msg:"ET MALWARE Invalid HTTP GET - Often Malware Related
(GET http\://)"; flow:established,to_server; content:"GET http\://";
depth:11; classtype:non-standard-protocol;
reference:url,doc.emergingthreats.net/2007941; sid:2007941; rev:1;)


Please report any issues with it. If you are seeing legit apps violate
http like so please let me know!

matt

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
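The following is an added example, not code from Matt's post or from the Emerging Threats ruleset. It emulates the rule's content/depth test (content "GET http://" is 11 bytes, so depth:11 only matches when the string sits at the very start of the payload) over constructed request payloads, and separates out the one legitimate source of the same bytes a practitioner should expect: a client sending to an explicit forward proxy, where RFC 2616 requires the absolute-URI form. The proxy port list, the sample payloads other than the one quoted above, and the function names are assumptions for illustration.

```python
"""Added example (not from the post or the ET ruleset): emulate the
'GET http://' content/depth match of sid 2007941 over constructed payloads,
and separate the benign explicit-proxy case from the malware pattern."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

CONTENT = b"GET http://"  # the rule's content match, 11 bytes long
DEPTH = 11                # rule's depth: the match must lie inside the first 11
                          # bytes, i.e. at offset 0 of the TCP payload

# Assumed ports for explicit forward proxies; not from the post.
PROXY_PORTS = (3128, 8080)


def content_match(payload: bytes, content: bytes = CONTENT, depth: int = DEPTH) -> bool:
    """Snort-style content+depth: search only the first `depth` bytes of the payload."""
    return content in payload[:depth]


@dataclass
class RequestLine:
    method: str
    target: str
    version: str

    @property
    def absolute_form(self) -> bool:
        """True when the request-target carries a scheme and host rather than a bare path."""
        parts = urlsplit(self.target)
        return parts.scheme in ("http", "https") and bool(parts.netloc)


def parse_request_line(payload: bytes) -> Optional[RequestLine]:
    """Split the first line of an HTTP/1.x request; None if it is not three tokens."""
    first = payload.split(b"\r\n", 1)[0]
    fields = first.split(b" ")
    if len(fields) != 3:
        return None
    return RequestLine(*(f.decode("ascii", "replace") for f in fields))


def classify(payload: bytes, dst_port: int) -> str:
    """'alert' when the rule would fire against a non-proxy destination,
    'proxy' when the same bytes go to an explicit proxy port (expected, benign),
    'clean' when the content/depth test does not match at all."""
    if not content_match(payload):
        return "clean"
    if dst_port in PROXY_PORTS:
        return "proxy"
    return "alert"


# Constructed sample payloads. The first mirrors the request quoted in the post.
MALWARE_SAMPLE = (b"GET http://update1.euro-shop.co.kr/RegViuum/start.txt HTTP/1.1\r\n"
                  b"Host: update1.euro-shop.co.kr\r\n\r\n")
NORMAL_SAMPLE = b"GET /RegViuum/start.txt HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
# 'http://' inside the query string: present, but past byte 11, so depth excludes it.
QUERY_SAMPLE = b"GET /redir?u=http://example.invalid/ HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
# Same oddity with POST: outside the rule's coverage, a blind spot worth knowing about.
POST_SAMPLE = b"POST http://example.invalid/up HTTP/1.1\r\nHost: example.invalid\r\n\r\n"

if __name__ == "__main__":
    for name, payload, port in [("malware", MALWARE_SAMPLE, 80),
                                ("normal", NORMAL_SAMPLE, 80),
                                ("query", QUERY_SAMPLE, 80),
                                ("post", POST_SAMPLE, 80),
                                ("via-proxy", MALWARE_SAMPLE, 3128)]:
        rl = parse_request_line(payload)
        print(f"{name:10s} port={port:<5d} absolute_form={rl.absolute_form!s:5s} "
              f"-> {classify(payload, port)}")
```

Running the script shows why depth:11 matters (the redirect-style query sample carries "http://" but never trips the rule) and why the rule is GET-only (the POST sample has the same request-target oddity and is not covered). Traffic to an explicit proxy is the main false-positive source to whitelist, since absolute-form is correct there.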