[Emerging-Sigs] Gzipped Posts

Will Metcalf william.metcalf at gmail.com
Fri Mar 28 08:40:42 EST 2008


Because of the author or the sig? ;-)

Regards,

Will

On Fri, Mar 28, 2008 at 8:33 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
> Glad to hear that! I was worried about that sig causing massive false
>  positives. :)
>
>  Anyone have hits on real malware? It is performing well in our
>  sandnetting traffic. Catching all of the malware we had intended to get.
>
>  Matt
>
>
>
>  dxp wrote:
>  > Had the sig running ever since the post on a fairly large and
>  > distributed network without a single hit.  HTTP traffic inspected is
>  > both internal and external.
>  >
>  > On Sat, Mar 22, 2008 at 5:58 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>  >> Will Metcalf has sent in a sig that should solve some issues. We've had
>  >>  a number of malware packages using gzip encoding on the HTTP POST to
>  >>  avoid us looking at parameters and data in realtime.
>  >>
>  >>  Will points out that while gzip encoding for large downloads is very
>  >>  common, gzipping posts is extremely uncommon. In fact on a few days of
>  >>  testing on a large network we found exactly zero instances.
>  >>
>  >>  So please test this and report any issues. I have it in current_events
>  >>  to remind us to take a second look in a few days and adjust if there are
>  >>  any FPs. Eventually it'll go into policy or malware.
>  >>
>  >>  Matt
>  >>
>  >>
>  >>  alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>  >>  CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible
>  >>  Trojan Report"; flow:established,to_server; content:"POST "; depth:5;
>  >>  content:"Content-Encoding\: gzip"; nocase; classtype:policy-violation;
>  >>  reference:url,doc.emergingthreats.net/bin/view/Main/GzipdPOST;
>  >>  sid:2008045; rev:1;)
>  >>
>  >>
>  >>  --
>  >>  --------------------------------------------
>  >>  Matthew Jonkman
>  >>  Emerging Threats
>  >>  Phone 765-429-0398
>  >>  Fax 312-264-0205
>  >>  http://www.emergingthreats.net
>  >>  --------------------------------------------
>  >>
>  >>  PGP: http://www.jonkmans.com/mattjonkman.asc
>  >>
>  >>
>  >>  _______________________________________________
>  >>  Emerging-sigs mailing list
>  >>  Emerging-sigs at emergingthreats.net
>  >>  http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>  >>
>
>
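An added example, not code from this thread or from Emerging Threats: a small Python emulation of what sid:2008045 matches (a `POST ` in the first 5 bytes and a case-insensitive literal `Content-Encoding: gzip` anywhere in the client payload), beside a header-parsing check, run over constructed sample requests. The hostnames and paths are made up for the example.

```python
# Constructed sample client-to-server payloads (not real captures).
GZIPPED_POST = (b"POST /report.php HTTP/1.1\r\nHost: example.invalid\r\n"
                b"Content-Encoding: gzip\r\nContent-Length: 3\r\n\r\n\x1f\x8b\x08")
# A normal browser POST: Accept-Encoding is common and must not fire the rule.
PLAIN_POST = (b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n"
              b"Accept-Encoding: gzip, deflate\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\n\r\nu=a&p=b")
# A GET for a gzipped download: common, and outside the rule's scope.
GET_REQUEST = (b"GET /big.tar.gz HTTP/1.1\r\nHost: example.invalid\r\n"
               b"Accept-Encoding: gzip\r\n\r\n")
# Same header without the optional space after the colon (valid HTTP).
NO_SPACE_POST = (b"POST /report.php HTTP/1.1\r\nHost: example.invalid\r\n"
                 b"content-encoding:gzip\r\n\r\n\x1f\x8b\x08")


def snort_style_match(payload: bytes) -> bool:
    """Mimic the rule's content matches: 'POST ' at depth 5, then a nocase
    search for the literal 'Content-Encoding: gzip' in the whole payload."""
    if payload[:5] != b"POST ":
        return False
    return b"content-encoding: gzip" in payload.lower()


def header_parse_match(payload: bytes) -> bool:
    """Parse request-line and headers only and compare the Content-Encoding
    value token-wise, so header whitespace variants are still caught."""
    head, _sep, _body = payload.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"POST "):
        return False
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"content-encoding":
            tokens = [t.strip().lower() for t in value.split(b",")]
            if b"gzip" in tokens:
                return True
    return False


def compare_all() -> dict:
    """Return {sample name: (rule-style result, header-parse result)}."""
    samples = {"gzipped_post": GZIPPED_POST, "plain_post": PLAIN_POST,
               "get_request": GET_REQUEST, "no_space_post": NO_SPACE_POST}
    return {n: (snort_style_match(p), header_parse_match(p)) for n, p in samples.items()}


if __name__ == "__main__":
    for name, (rule_hit, parsed_hit) in compare_all().items():
        print(f"{name:14s} rule={rule_hit!s:5s} header-parse={parsed_hit}")
```

The no-space case shows where a literal content match and a header parser disagree, which is the kind of thing to check before a rule moves out of current_events.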

