[Emerging-Sigs] Hex IP HTTP Requests
Matt Jonkman
jonkman at jonkmans.com
Sat Mar 8 15:04:55 EST 2008

Seeing some malware that uses hex-encoded IP addresses in HTTP requests.
Nothing new really, just seeing it more often. Like so:

GET /icuhit/slist.xml HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: 0x3d.0x61.0x20.0x38
Connection: Keep-Alive

I'd like to put up a sig for the "Host: 0x" and then pcre the rest. Can
anyone think of any legitimate uses of a hex-encoded deal like this
before I put the sig out?

Matt
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
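
An added example, not part of the original post and not an Emerging Threats signature: the "Host: 0x" anchor plus a regex for the rest, written as Python detection logic that also decodes the address to dotted decimal for the alert. The names find_hex_host and build_request are hypothetical, the check assumes all four octets are hex, and every sample request other than the Host value quoted in the post is constructed.

```python
import re

# "Host: 0x" anchor, then the rest of a dotted quad of hex octets, optional port.
HEX_HOST_RE = re.compile(
    rb"^Host:[ \t]*((?:0x[0-9a-f]+\.){3}0x[0-9a-f]+)(?::\d{1,5})?[ \t]*\r?$",
    re.IGNORECASE | re.MULTILINE,
)


def find_hex_host(raw_request: bytes):
    """Return (host_as_sent, dotted_decimal) if the Host header is a
    hex-encoded IPv4 address, else None. Hypothetical helper name."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]  # inspect headers only, not the body
    m = HEX_HOST_RE.search(head)
    if m is None:
        return None
    host = m.group(1).decode("ascii")
    octets = [int(part, 16) for part in host.split(".")]
    if any(o > 255 for o in octets):
        return None  # octet out of range, not an IPv4 address
    return host, ".".join(str(o) for o in octets)


def build_request(host: str, body: str = "") -> bytes:
    """Constructed sample request modelled on the one quoted in the post."""
    return (
        "GET /icuhit/slist.xml HTTP/1.1\r\n"
        "Accept: */*\r\n"
        f"Host: {host}\r\n"
        "Connection: Keep-Alive\r\n\r\n" + body
    ).encode("ascii")


if __name__ == "__main__":
    for host in ("0x3d.0x61.0x20.0x38", "0X7F.0x0.0x0.0x1:8080",
                 "www.example.com", "0xcafe.example.com"):
        print(f"{host!r:28} -> {find_hex_host(build_request(host))}")
```

A hostname whose first label merely starts with "0x" (the constructed 0xcafe.example.com) is not flagged, because the pattern requires the whole Host value to be a hex dotted quad.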