[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST with data (outbound)
jovimon at gmail.com
Tue Oct 26 08:38:04 EDT 2010
It's nice to meet all of you!
I built an IDS a few weeks ago and I'm getting a lot of false
positives from this rule.
The destinations of most of the alerts generated are Microsoft ranges
(mainly 188.8.131.52/14), and it says that it's Live Messenger and other M$
apps; there are also some GMail requests, and others ...
Has anyone else also had false positives?
Thank you in advance!
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
Zero Content-Length HTTP POST with data (outbound)";
flow:established,to_server; content:"POST"; nocase; http_method;
content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; content:"|0D 0A 0D 0A|";
distance:0; isdataat:1,relative; classtype:bad-unknown; sid:2011819;)
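To see exactly what the rule's detection options match, here is an added example (not from the poster or the Emerging Threats project): a Python re-implementation of sid:2011819's matching logic, run over constructed HTTP requests. The requests, host names and the pipelined case are assumptions for illustration, not captured traffic.

```python
# Byte patterns copied from the rule's content options.
CL_ZERO = b"\r\nContent-Length: 0\r\n"  # content:"|0D 0A|Content-Length|3a| 0|0D 0A|"
HDR_END = b"\r\n\r\n"                   # content:"|0D 0A 0D 0A|"; distance:0


def rule_2011819_matches(payload: bytes) -> bool:
    """Approximate the rule over one client->server buffer.

    POST (nocase, http_method) -> 'Content-Length: 0' line -> header
    terminator found strictly after that match (distance:0) -> at least
    one byte after the terminator (isdataat:1,relative). The whole payload
    stands in for Snort's reassembled stream buffer.
    """
    if payload.split(b" ", 1)[0].upper() != b"POST":
        return False
    start = 0
    while True:
        cl_pos = payload.find(CL_ZERO, start)
        if cl_pos == -1:
            return False
        cursor = cl_pos + len(CL_ZERO)
        # distance:0 starts the search at the end of the previous match, so the
        # terminator cannot reuse the CRLF that ended the Content-Length line.
        end_pos = payload.find(HDR_END, cursor)
        if end_pos != -1 and end_pos + len(HDR_END) < len(payload):
            return True
        start = cl_pos + 1  # retry with the next occurrence, as Snort does


# Constructed sample requests (hypothetical, not real traffic).
SAMPLES = {
    "post_with_body": b"POST /up HTTP/1.1\r\nHost: h.invalid\r\nContent-Length: 0\r\n"
                      b"User-Agent: x\r\n\r\nfield=value",
    "empty_post": b"POST /ping HTTP/1.1\r\nHost: h.invalid\r\nContent-Length: 0\r\n\r\n",
    # Benign keep-alive client whose next request lands in the same buffer.
    "pipelined": b"POST /ping HTTP/1.1\r\nHost: h.invalid\r\nContent-Length: 0\r\n"
                 b"Connection: keep-alive\r\n\r\nGET /next HTTP/1.1\r\nHost: h.invalid\r\n\r\n",
    # Content-Length as the last header: terminator overlaps the previous match.
    "cl_last_header": b"POST /up HTTP/1.1\r\nHost: h.invalid\r\nContent-Length: 0\r\n\r\nfield=value",
    "get": b"GET /x HTTP/1.1\r\nHost: h.invalid\r\nContent-Length: 0\r\nX: y\r\n\r\nzz",
}


def evaluate() -> dict:
    return {name: rule_2011819_matches(p) for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate().items():
        print(f"{name:16} {'ALERT' if hit else '-'}")
```

The pipelined case shows one way a harmless empty POST can satisfy isdataat:1,relative once stream reassembly puts the client's next request behind the header terminator.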