[Emerging-Sigs] Gzipped Posts

Matt Jonkman jonkman at jonkmans.com
Fri Mar 28 08:33:54 EST 2008


Glad to hear that! I was worried about that sig causing massive false 
positives. :)

Anyone have hits on real malware? It is performing well in our 
sandnetting traffic. Catching all of the malware we had intended to get.

Matt

dxp wrote:
> Had the sig running ever since the post on a fairly large and
> distributed network without a single hit.  HTTP traffic inspected is
> both internal and external.
> 
> On Sat, Mar 22, 2008 at 5:58 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>> Will Metcalf has sent in a sig that should solve some issues. We've had
>>  a number of malware packages using gzip encoding on the HTTP POST to
>>  avoid us looking at parameters and data in realtime.
>>
>>  Will points out that while gzip encoding for large downloads is very
>>  common, gzipping posts is extremely uncommon. In fact on a few days of
>>  testing on a large network we found exactly zero instances.
>>
>>  So please test this and report any issues. I have it in current_events
>>  to remind us to take a second look in a few days and adjust if there are
>>  any FPs. Eventually it'll go into policy or malware.
>>
>>  Matt
>>
>>
>>  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>>  CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible
>>  Trojan Report"; flow:established,to_server; content:"POST "; depth:5;
>>  content:"Content-Encoding\: gzip"; nocase; classtype:policy-violation;
>>  reference:url,doc.emergingthreats.net/bin/view/Main/GzipdPOST;
>>  sid:2008045; rev:1;)
>>
>>
>>  --
>>  --------------------------------------------
>>  Matthew Jonkman
>>  Emerging Threats
>>  Phone 765-429-0398
>>  Fax 312-264-0205
>>  http://www.emergingthreats.net
>>  --------------------------------------------
>>
>>  PGP: http://www.jonkmans.com/mattjonkman.asc
>>
>>
>>  _______________________________________________
>>  Emerging-sigs mailing list
>>  Emerging-sigs at emergingthreats.net
>>  http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>

-- 
--------------------------------------------
Matthew Jonkman
Emerging Threats
Phone 765-429-0398
Fax 312-264-0205
http://www.emergingthreats.net
--------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
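As an added example (not code from the Emerging Threats list or its ruleset), the Python below mirrors the two content checks in sid:2008045 over raw HTTP request bytes, then adds a stricter header-only variant. The rule's `content:"POST "; depth:5` anchors the method to the first five bytes, and the `nocase` Content-Encoding match can fire anywhere in the payload, including a request body that merely contains that string; the header-only variant closes that gap. The sample requests, paths and hostnames are constructed for the example.

```python
# Added example: re-implementation of the matching logic of sid:2008045
# (Gzipped HTTP POST) plus a header-only variant that parses the request
# headers instead of searching the whole payload.

def sig_matches(raw: bytes) -> bool:
    """Mirror the rule's two content checks.

    content:"POST "; depth:5            -> "POST " must sit in bytes 0..4.
    content:"Content-Encoding\\: gzip"; nocase -> anywhere in the payload,
    case-insensitively (headers or body).
    """
    return raw[:5] == b"POST " and b"content-encoding: gzip" in raw.lower()


def header_only_matches(raw: bytes) -> bool:
    """Stricter variant: only a real Content-Encoding request header counts.

    Parses the header block (up to the first blank line), skips the request
    line, and checks the header value as a comma-separated token list so that
    body text that happens to contain the string does not match.
    """
    if raw[:5] != b"POST ":
        return False
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:          # no blank line seen yet: treat everything as headers
        head = raw
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"content-encoding":
            continue
        tokens = [t.strip() for t in value.lower().split(b",")]
        if b"gzip" in tokens:
            return True
    return False


# Constructed sample requests (all hostnames/paths are placeholders).
_GZ_BODY = b"\x1f\x8b\x08\x00" + b"\x00" * 8   # gzip magic + padding, 12 bytes
GZIPPED_POST = (
    b"POST /report HTTP/1.1\r\nHost: example.com\r\n"
    b"Content-Encoding: gzip\r\n"
    b"Content-Length: " + str(len(_GZ_BODY)).encode() + b"\r\n\r\n" + _GZ_BODY
)
PLAIN_POST = (
    b"POST /login HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 9\r\n\r\nuser=a&p=b"
)
# Accept-Encoding: gzip is routine on GETs and must not trip either check.
GET_ACCEPT_GZIP = (
    b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Accept-Encoding: gzip\r\n\r\n"
)
# A form post whose body text contains the header string (e.g. a pasted
# header dump): the raw rule matches it, the header-only variant does not.
BODY_MENTION = (
    b"POST /paste HTTP/1.1\r\nHost: www.example.com\r\n"
    b"Content-Type: text/plain\r\nContent-Length: 22\r\n\r\n"
    b"Content-Encoding: gzip"
)
SAMPLES = {
    "gzipped_post": GZIPPED_POST,
    "plain_post": PLAIN_POST,
    "get_accept_gzip": GET_ACCEPT_GZIP,
    "body_mention": BODY_MENTION,
}


def scan(samples: dict) -> dict:
    """Return {label: (rule_match, header_only_match)} for each request."""
    return {k: (sig_matches(v), header_only_matches(v)) for k, v in samples.items()}


if __name__ == "__main__":
    for label, (rule, strict) in scan(SAMPLES).items():
        print(f"{label:16s} rule={rule!s:5s} header_only={strict}")
```

The `body_mention` case is the one to keep in mind when reviewing hits: the rule as written fires on it, which is harmless at the rate the original post reports (zero gzipped POSTs in days of traffic) but is worth a glance before the rule moves out of current_events.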



