[Emerging-Sigs] ET SUSPICIOUS - Zero Content-Length HTTP POST with data (outbound)

L0rd Ch0de1m0rt l0rdch0de1m0rt at gmail.com
Thu Oct 14 16:37:15 EDT 2010


Hello.  I propose this rule for consideration.  I have run it since 29
Sept. 2010 and have not seen it produce a false positive:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET SUSPICIOUS - Zero Content-Length HTTP POST with data (outbound)"; flow:established,to_server; content:"POST"; nocase; http_method; content:"|0D 0A|Content-Length\: 0|0D 0A|"; content:"|0D 0A 0D 0A|"; distance:0; isdataat:1,relative; classtype:bad-unknown; sid:90006741; rev:2;)

However, you will find some poorly written web apps that will trigger
this alert (I found one site in particular).

Cheers,

L0rd Ch0de1m0rt
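
The following is an added example, not part of the original post and not Emerging Threats code, showing the same detection logic in Python so the rule's behaviour can be exercised offline against constructed HTTP requests. It goes slightly beyond the rule's exact byte match: the header name is compared case-insensitively and the declared length is parsed as an integer rather than matched as the literal string `Content-Length: 0`. The function names (`parse_request`, `zero_length_post_with_data`, `classify_trailing_bytes`, `scan_samples`) and the sample requests are assumptions constructed for this example. Because the rule's `isdataat:1,relative` only requires at least one byte after the header terminator, a second request pipelined into the same packet also satisfies it; the triage helper below separates that case from a real body payload.

```python
"""Added example: detect an HTTP POST that declares Content-Length: 0 but
still carries bytes after the header terminator (CRLF CRLF).
Hypothetical helper names; sample requests are constructed, not captured."""

CRLF = b"\r\n"
HEADER_END = b"\r\n\r\n"
METHODS = (b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS")


def parse_request(raw: bytes):
    """Split one raw HTTP/1.x request into (method, headers, trailing bytes).
    Returns None when the header block is not terminated by CRLF CRLF."""
    end = raw.find(HEADER_END)
    if end == -1:
        return None
    head, trailing = raw[:end], raw[end + len(HEADER_END):]
    lines = head.split(CRLF)
    method = lines[0].split(b" ")[0].upper()
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            # Header names are case-insensitive; the Snort rule itself is
            # case-sensitive on "Content-Length", so this is more lenient.
            headers[name.strip().lower()] = value.strip()
    return method, headers, trailing


def zero_length_post_with_data(raw: bytes) -> bool:
    """True when the request is a POST, declares Content-Length 0, and at
    least one byte follows the header terminator (the rule's isdataat:1)."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, headers, trailing = parsed
    if method != b"POST":
        return False
    declared = headers.get(b"content-length")
    if declared is None:
        return False
    try:
        if int(declared) != 0:
            return False
    except ValueError:
        return False
    return len(trailing) >= 1


def classify_trailing_bytes(raw: bytes) -> str:
    """Triage helper for hits: distinguish a pipelined follow-on request
    from genuine body data sent despite Content-Length: 0."""
    parsed = parse_request(raw)
    if parsed is None:
        return "no_header_terminator"
    _, _, trailing = parsed
    if not trailing:
        return "no_trailing_bytes"
    if any(trailing.startswith(m + b" ") for m in METHODS):
        return "pipelined_request"
    return "body_data"


# Constructed sample requests (not real traffic).
SAMPLES = {
    "suspicious": (b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
                   b"Content-Length: 0\r\n\r\nid=1&data=AAAA"),
    "benign_empty": (b"POST /ping HTTP/1.1\r\nHost: example.test\r\n"
                     b"Content-Length: 0\r\n\r\n"),
    "normal_post": (b"POST /login HTTP/1.1\r\nHost: example.test\r\n"
                    b"Content-Length: 9\r\n\r\nuser=bob&"),
    "get_with_junk": (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                      b"Content-Length: 0\r\n\r\nxyz"),
    "pipelined": (b"POST /a HTTP/1.1\r\nHost: example.test\r\n"
                  b"Content-Length: 0\r\n\r\n"
                  b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"),
}


def scan_samples():
    """Run the detection over every sample; returns {name: (hit, triage)}."""
    return {name: (zero_length_post_with_data(raw), classify_trailing_bytes(raw))
            for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, (hit, triage) in scan_samples().items():
        print(f"{name:14s} hit={hit!s:5s} triage={triage}")
```

Only `suspicious` and `pipelined` fire; the pipelined hit is the kind of benign traffic a triage step should set aside before escalating, while `body_data` hits are the case the rule was written for.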

