[Emerging-Sigs] Gzipped Posts
Matt Jonkman
jonkman at jonkmans.com
Fri Mar 28 08:45:12 EST 2008
I decline to comment.
:)
Matt
Will Metcalf wrote:
> Because of the author or the sig? ;-)
>
> Regards,
>
> Will
>
> On Fri, Mar 28, 2008 at 8:33 AM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>> Glad to hear that! I was worried about that sig causing massive false
>> positives. :)
>>
>> Anyone have hits on real malware? It is performing well in our
>> sandnetting traffic. Catching all of the malware we had intended to get.
>>
>> Matt
>>
>>
>>
>> dxp wrote:
>> > Had the sig running ever since the post on a fairly large and
>> > distributed network without a single hit. HTTP traffic inspected is
>> > both internal and external.
>> >
>> > On Sat, Mar 22, 2008 at 5:58 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:
>> >> Will Metcalf has sent in a sig that should solve some issues. We've had
>> >> a number of malware packages using gzip encoding on the HTTP POST to
>> >> avoid us looking at parameters and data in realtime.
>> >>
>> >> Will points out that while gzip encoding for large downloads is very
>> >> common, gzipping posts is extremely uncommon. In fact on a few days of
>> >> testing on a large network we found exactly zero instances.
>> >>
>> >> So please test this and report any issues. I have it in current_events
>> >> to remind us to take a second look in a few days and adjust if there are
>> >> any FPs. Eventually it'll go into policy or malware.
>> >>
>> >> Matt
>> >>
>> >>
>> >> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
>> >> CURRENT_EVENTS EXPERIMENTAL Gzipped HTTP POST - Suspicious - Possible
>> >> Trojan Report"; flow:established,to_server; content:"POST "; depth:5;
>> >> content:"Content-Encoding\: gzip"; nocase; classtype:policy-violation;
>> >> reference:url,doc.emergingthreats.net/bin/view/Main/GzipdPOST;
>> >> sid:2008045; rev:1;)
>> >>
>> >>
>> >> --
>> >> --------------------------------------------
>> >> Matthew Jonkman
>> >> Emerging Threats
>> >> Phone 765-429-0398
>> >> Fax 312-264-0205
>> >> http://www.emergingthreats.net
>> >> --------------------------------------------
>> >>
>> >> PGP: http://www.jonkmans.com/mattjonkman.asc
>> >>
>> >>
>> >> _______________________________________________
>> >> Emerging-sigs mailing list
>> >> Emerging-sigs at emergingthreats.net
>> >> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>> >>
>>
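The rule quoted in the thread fires on two content matches: "POST " within the first five bytes of the payload and an unanchored, case-insensitive "Content-Encoding: gzip". The following Python is an added example (not part of the thread or the ET rule set) that emulates those two matches against constructed sample requests, shows why a gzipped body defeats plain content inspection until it is decoded, and exercises the false-positive case the thread was watching for (the header string appearing inside a request body). Host names, paths and parameters are made up.

```python
import gzip
import re

def build_post(body: bytes, gzipped: bool) -> bytes:
    """Constructed client->server payload (sample data, not captured traffic)."""
    if gzipped:
        body = gzip.compress(body)
    headers = [b"POST /report.php HTTP/1.1", b"Host: c2.example.invalid",
               b"Content-Type: application/x-www-form-urlencoded"]
    if gzipped:
        headers.append(b"Content-Encoding: gzip")
    headers.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(headers) + b"\r\n\r\n" + body

# Sample requests the emulated rule is run against (all constructed here).
PLAIN_POST = build_post(b"id=1234&os=winxp&ver=2", gzipped=False)
GZIPPED_POST = build_post(b"id=1234&os=winxp&ver=2", gzipped=True)
# Benign POST whose *body* carries the header text, e.g. a pasted log line.
PASTED_HEADER_POST = build_post(b"note=saw Content-Encoding: gzip in a log", gzipped=False)
GET_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.invalid\r\nAccept-Encoding: gzip\r\n\r\n"

def matches_sid_2008045(payload: bytes) -> bool:
    """Emulates the two content matches of the posted rule.
    content:"POST "; depth:5  -> the 5-byte pattern must fit in the first 5
    bytes, so it can only match at offset 0.
    content:"Content-Encoding\\: gzip"; nocase -> unanchored, case-insensitive,
    anywhere in the payload (headers *or* body), which is the FP exposure."""
    return payload[:5] == b"POST " and b"content-encoding: gzip" in payload.lower()

def raw_body(payload: bytes) -> bytes:
    """The body bytes a plain content match inspects."""
    return payload.partition(b"\r\n\r\n")[2]

def decoded_parameters(payload: bytes) -> dict:
    """Undo the gzip Content-Encoding (if declared in the headers) and parse
    the form parameters, as a normalising inspector would."""
    head, _, body = payload.partition(b"\r\n\r\n")
    if re.search(rb"(?im)^content-encoding:\s*gzip\s*$", head):
        body = gzip.decompress(body)
    return dict(kv.split(b"=", 1) for kv in body.split(b"&") if b"=" in kv)

if __name__ == "__main__":
    for name, req in [("plain", PLAIN_POST), ("gzipped", GZIPPED_POST),
                      ("pasted header", PASTED_HEADER_POST), ("get", GET_REQUEST)]:
        print(f"{name:14s} alert={matches_sid_2008045(req)}")
    print("raw body shows id=1234:", b"id=1234" in raw_body(GZIPPED_POST))
    print("decoded params:", decoded_parameters(GZIPPED_POST))
```

The pasted-header case alerts because the second content match is not restricted to the header block; restricting it there (or decoding the body before inspection, as decoded_parameters does) is what turns the alert from a hint into something worth triaging.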