[Emerging-Sigs] ET SUSPICIOUS - Zero Content-Length HTTP POST with data (outbound)

Matthew Jonkman jonkman at emergingthreatspro.com
Thu Oct 14 17:00:23 EDT 2010


Interesting one, posting now.

Thanks

Matt

On Oct 14, 2010, at 4:37 PM, L0rd Ch0de1m0rt wrote:

> Hello.  I propose this rule for consideration.  I have run it since 29
> Sept. 2010 and have not seen it false positive:
> 
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET
> SUSPICIOUS - Zero Content-Length HTTP POST with data (outbound)";
> flow:established,to_server; content:"POST"; nocase; http_method;
> content:"|0D 0A|Content-Length\: 0|0D 0A|"; content:"|0D 0A 0D 0A|";
> distance:0; isdataat:1,relative; classtype:bad-unknown; sid:90006741;
> rev:2;)
> 
> However, you will find some poorly written web apps that will trigger
> this alert (I found one site in particular).
> 
> Cheers,
> 
> L0rd Ch0de1m0rt
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
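For anyone wanting to exercise the proposed rule's logic without a sensor in the loop, here is an added example (not the rule author's code, and not using any Snort or Suricata API): a byte-level Python mirror of the rule's content matches, run over a handful of constructed HTTP requests. It shows the case the rule targets, the benign cases it should stay quiet on, and one consequence of the rule's matching order worth knowing before deployment.

```python
# Added example: a byte-level Python re-implementation of the detection logic
# in the proposed ET SUSPICIOUS rule, so its matching order can be exercised
# on sample requests. Not the rule author's code; no Snort/Suricata API is
# used; every sample request below is constructed, not captured traffic.

ZERO_CL = b"\r\nContent-Length: 0\r\n"   # content:"|0D 0A|Content-Length\: 0|0D 0A|"
END_OF_HEADERS = b"\r\n\r\n"             # content:"|0D 0A 0D 0A|"; distance:0


def rule_matches(request: bytes) -> bool:
    r"""Return True when the raw request would trigger the proposed rule.

    Each step mirrors one rule option, in the rule's own order:
      content:"POST"; nocase; http_method;         -> request-line method is POST (any case)
      content:"|0D 0A|Content-Length\: 0|0D 0A|";  -> literal, case-sensitive header match
      content:"|0D 0A 0D 0A|"; distance:0;         -> end-of-headers found at or after
                                                      the end of the previous match
      isdataat:1,relative;                         -> at least one byte after that terminator
    """
    method = request.split(b" ", 1)[0]
    if method.upper() != b"POST":
        return False
    cl = request.find(ZERO_CL)
    if cl == -1:
        return False
    # distance:0 -> the search starts where the previous match ended,
    # i.e. just after the CRLF that closed the Content-Length header.
    eoh = request.find(END_OF_HEADERS, cl + len(ZERO_CL))
    if eoh == -1:
        return False
    # isdataat:1,relative -> some payload follows the blank line
    return len(request) > eoh + len(END_OF_HEADERS)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    # the case the rule targets: claims an empty body but carries one
    "zero_cl_with_body": (
        b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Content-Length: 0\r\nUser-Agent: constructed/1.0\r\n\r\n"
        b"id=1&data=abc"
    ),
    # benign: Content-Length agrees with the body
    "honest_post": (
        b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Content-Length: 13\r\n\r\nid=1&data=abc"
    ),
    # benign: zero length and genuinely no body
    "zero_cl_no_body": (
        b"POST /ping HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Content-Length: 0\r\nUser-Agent: constructed/1.0\r\n\r\n"
    ),
    # not a POST, so the http_method check fails first
    "get_with_body": (
        b"GET /x HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Content-Length: 0\r\nUser-Agent: constructed/1.0\r\n\r\nabc"
    ),
    # Content-Length: 0 is the LAST header: the first content match consumes
    # its trailing CRLF, so only one CRLF remains before the body and the
    # |0D 0A 0D 0A| match with distance:0 cannot succeed.
    "zero_cl_last_header": (
        b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
        b"Content-Length: 0\r\n\r\nid=1&data=abc"
    ),
}


def evaluate_samples() -> dict:
    """Run every constructed sample through the rule logic."""
    return {name: rule_matches(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:22s} -> {'ALERT' if hit else 'no alert'}")
```

The last sample is the caveat: because the first content match already consumes the CRLF that closes the Content-Length header, the `|0D 0A 0D 0A|` match with `distance:0` only succeeds when at least one more header follows Content-Length. That is my reading of Snort's distance semantics, not something stated in the thread; if coverage of that ordering matters to you, check it against your own sensor's behaviour before relying on the rule as written.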