[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST with data (outbound)

Jose Vila jovimon at gmail.com
Tue Oct 26 08:38:04 EDT 2010


Hello,
It's nice to meet all of you!
I built an IDS a few weeks ago and I'm getting lots of false
positives from this rule.
The destinations of most of the alerts generated are in Microsoft ranges
(mainly 65.52.0.0/14), and they look like Live Messenger and other M$
apps; there are also some GMail requests, and others ...

Has anyone else also had false positives?

Thank you in advance!
Jose.

The rule:
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS ( \
    msg:"ET MALWARE Zero Content-Length HTTP POST with data (outbound)"; \
    flow:established,to_server; \
    content:"POST"; nocase; http_method; \
    content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; \
    content:"|0D 0A 0D 0A|"; distance:0; isdataat:1,relative; \
    classtype:bad-unknown; sid:2011819; rev:1; \
)
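Added example, not part of Jose's post or of the ET rule set: a small Python emulation of the ordered content checks in sid:2011819, run over constructed client-to-server HTTP buffers (not real captures). It shows what the rule keys on and why a zero-length POST followed by a pipelined request in the same stream data also satisfies `isdataat:1,relative`, which is one plausible source of false positives against chatty clients. The emulation assumes a relative match starts exactly at the end of the previous match (the meaning of `distance:0`) and models no backtracking; one constructed case (Content-Length as the last header) does not fire under that reading, and whether the real engine agrees should be checked against a pcap rather than assumed.

```python
# Constructed sample traffic: each value is the client-to-server data of one
# reassembled TCP stream. None of this is captured from a real host.
SAMPLES = {
    # Rule hit: zero body declared, but bytes follow the header terminator.
    "zero_cl_with_data": (
        b"POST /upload HTTP/1.1\r\nContent-Length: 0\r\nHost: example.test\r\n\r\n"
        b"id=1&blob=AAAA"
    ),
    # Clean: zero Content-Length and nothing after the headers.
    "zero_cl_clean": b"POST /ping HTTP/1.1\r\nContent-Length: 0\r\nHost: example.test\r\n\r\n",
    # Pipelined: a legitimate second request in the same buffer also trips isdataat.
    "pipelined": (
        b"POST /ping HTTP/1.1\r\nContent-Length: 0\r\nHost: example.test\r\n\r\n"
        b"GET /status HTTP/1.1\r\nHost: example.test\r\n\r\n"
    ),
    # Not a POST, so http_method check fails.
    "not_post": b"GET /x HTTP/1.1\r\nContent-Length: 0\r\nHost: example.test\r\n\r\nAAAA",
    # Non-zero Content-Length, so the second content never matches.
    "nonzero_cl": b"POST /x HTTP/1.1\r\nContent-Length: 4\r\nHost: example.test\r\n\r\nAAAA",
    # Content-Length is the last header: under strict relative matching the
    # "\r\n\r\n" search starts after the CRLF already consumed by match 2.
    "cl_last_header": (
        b"POST /upload HTTP/1.1\r\nHost: example.test\r\nContent-Length: 0\r\n\r\n"
        b"id=1&blob=AAAA"
    ),
}


def rule_2011819(data: bytes) -> bool:
    """Emulate the rule's ordered content matches on one request buffer.

    1. http_method is POST (nocase)
    2. "\\r\\nContent-Length: 0\\r\\n" anywhere in the buffer (case-sensitive,
       as the rule has no nocase on it)
    3. "\\r\\n\\r\\n" found at or after the end of match 2 (distance:0)
    4. isdataat:1,relative: at least one byte after match 3

    Assumption (labelled): relative searches begin exactly at the end of the
    previous match; Snort's retry/backtracking is not modelled.
    """
    request_line_end = data.find(b"\r\n")
    if request_line_end < 0:
        return False
    method = data[:request_line_end].split(b" ", 1)[0]
    if method.upper() != b"POST":                  # content:"POST"; nocase; http_method;
        return False

    needle = b"\r\nContent-Length: 0\r\n"           # |0D 0A|Content-Length|3a| 0|0D 0A|
    cl = data.find(needle)
    if cl < 0:
        return False
    cursor = cl + len(needle)

    term = data.find(b"\r\n\r\n", cursor)           # |0D 0A 0D 0A|; distance:0;
    if term < 0:
        return False
    cursor = term + 4

    return len(data) > cursor                       # isdataat:1,relative;


def evaluate_samples() -> dict:
    """Run the emulated rule over every constructed sample."""
    return {name: rule_2011819(buf) for name, buf in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{name:20s} {'ALERT' if hit else '-'}")
```

The "pipelined" case is the one to keep in mind when triaging: the rule cannot tell body bytes from the start of the next request in the same segment, so clients that pipeline or keep-alive aggressively will show up even though each individual POST is well-formed.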
