[Emerging-Sigs] Gzipped Posts
dxp
dxp2532 at gmail.com
Thu Mar 27 22:50:07 EST 2008
Had the sig running ever since the post on a fairly large and
distributed network without a single hit. HTTP traffic inspected is
both internal and external.
On Sat, Mar 22, 2008 at 5:58 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> Will Metcalf has sent in a sig that should solve some issues. We've had
> a number of malware packages using gzip encoding on the HTTP POST to
> avoid us looking at parameters and data in realtime.
>
> Will points out that while gzip encoding for large downloads is very
> common, gzipping posts is extremely uncommon. In fact on a few days of
> testing on a large network we found exactly zero instances.
>
> So please test this and report any issues. I have it in current_events
> to remind us to take a second look in a few days and adjust if there are
> any FPs. Eventually it'll go into policy or malware.
>
> Matt
>
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible
> Trojan Report"; flow:established,to_server; content:"POST "; depth:5;
> content:"Content-Encoding\: gzip"; nocase; classtype:policy-violation;
> reference:url,doc.emergingthreats.net/bin/view/Main/GzipdPOST;
> sid:2008045; rev:1;)
>
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
More information about the Emerging-sigs
mailing list