[Emerging-Sigs] Gzipped Posts
Matt Jonkman
jonkman at jonkmans.com
Sat Mar 22 16:58:23 EST 2008
Will Metcalf has sent in a sig that should solve some issues. We've had
a number of malware packages using gzip encoding on the HTTP POST to
avoid us looking at parameters and data in realtime.
Will points out that while gzip encoding for large downloads is very
common, gzipping posts is extremely uncommon. In fact, on a few days of
testing on a large network we found exactly zero instances.
So please test this and report any issues. I have it in current_events
to remind us to take a second look in a few days and adjust if there are
any FPs. Eventually it'll go into policy or malware.
Matt
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible Trojan Report"; flow:established,to_server; content:"POST "; depth:5; content:"Content-Encoding\: gzip"; nocase; classtype:policy-violation; reference:url,doc.emergingthreats.net/bin/view/Main/GzipdPOST; sid:2008045; rev:1;)
--
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------
PGP: http://www.jonkmans.com/mattjonkman.asc
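As an added example, not part of Matt's post or the Emerging Threats rule set: a small Python checker that applies the same two payload tests the rule makes (a POST within the first five bytes, a case-insensitive "Content-Encoding: gzip") to constructed sample requests, and gunzips a flagged body so an analyst can read the parameters the encoding hides. The requests, hostnames and parameter values are made up for the example.

```python
import gzip
from typing import Dict, Optional, Tuple

# Constructed sample requests (not captured traffic); the compressed body is built with gzip.compress.
SAMPLE_REQUESTS: Dict[str, bytes] = {
    "plain_post": (
        b"POST /submit HTTP/1.1\r\nHost: www.example.test\r\n"
        b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
        b"id=42&status=ok"
    ),
    "gzipped_post": (
        b"POST /report.php HTTP/1.1\r\nHost: drop.example.test\r\n"
        b"content-encoding: GZIP\r\n\r\n" + gzip.compress(b"id=42&status=ok")
    ),
    # GET with the same header: the depth:5 check on "POST " excludes it.
    "gzipped_get": b"GET /a HTTP/1.1\r\nContent-Encoding: gzip\r\n\r\n",
}


def matches_gzipped_post(request: bytes) -> bool:
    """Apply the rule's two payload checks: 'POST ' must start the payload
    (depth:5) and 'Content-Encoding: gzip' must appear anywhere, ignoring
    case (nocase). flow:established,to_server is left to the sensor."""
    return request[:5] == b"POST " and b"content-encoding: gzip" in request.lower()


def _split_request(request: bytes) -> Tuple[bytes, Dict[bytes, bytes], bytes]:
    """Split a raw request into (request line, lower-cased header map, body)."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body if sep else b""


def decode_post_body(request: bytes) -> Optional[bytes]:
    """Return the body with gzip Content-Encoding removed so the submitted
    parameters can be inspected; None if the body claims gzip but is not."""
    _, headers, body = _split_request(request)
    if headers.get(b"content-encoding", b"").lower() != b"gzip":
        return body
    try:
        return gzip.decompress(body)
    except (OSError, EOFError):
        return None


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name}: alert={matches_gzipped_post(req)} body={decode_post_body(req)!r}")
```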