[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST with data (outbound)

Matthew Jonkman jonkman at emergingthreatspro.com
Tue Oct 26 08:54:49 EDT 2010


What kinds of packets are you seeing this on?

Very unusual to see it that often...

Matt

On Oct 26, 2010, at 8:38 AM, Jose Vila wrote:

> Hello,
> It's nice to meet all of you!
> I built an IDS a few weeks ago and I'm getting a lot of false
> positives from this rule.
> Most of the alerts generated go to Microsoft ranges
> (mainly 65.52.0.0/14), and it says that it's Live Messenger and other M$
> apps, and there are also some GMail requests, and others ...
> 
> Has anyone also had false positives?
> 
> Thank you in advance!
> Jose.
> 
> The rule:
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
> Zero Content-Length HTTP POST with data (outbound)";
> flow:established,to_server; content:"POST"; nocase; http_method;
> content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; content:"|0D 0A 0D 0A|";
> distance:0; isdataat:1,relative; classtype:bad-unknown; sid:2011819;
> rev:1;)
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
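The matching sequence of the rule quoted above, walked through on constructed request buffers as an added example (it is not code from the list, Snort or Suricata); it assumes Snort's documented content/distance semantics, namely that each relative content search starts at the end of the previous match, and all request bytes are constructed:

```python
# Added illustration of the match sequence in ET sid:2011819, written to reason
# about true and false positives. It is not the Snort/Suricata engine; it
# assumes the documented semantics of content/distance/isdataat: a relative
# content search starts at the END of the previous match (distance:0), and
# isdataat:1,relative requires at least one byte after the last match.

METHOD = b"POST"
CL_ZERO = b"\r\nContent-Length: 0\r\n"
EOH = b"\r\n\r\n"

def rule_2011819_matches(buf: bytes) -> bool:
    """True when one client->server buffer satisfies every match in the rule."""
    # content:"POST"; nocase; http_method -> method token of the request line
    request_line = buf.split(b"\r\n", 1)[0]
    if request_line.split(b" ", 1)[0].upper() != METHOD:
        return False
    # content:"|0D 0A|Content-Length|3a| 0|0D 0A|" (unanchored, first occurrence)
    cl = buf.find(CL_ZERO)
    if cl < 0:
        return False
    # content:"|0D 0A 0D 0A|"; distance:0 -> search from the end of the previous match
    eoh = buf.find(EOH, cl + len(CL_ZERO))
    if eoh < 0:
        return False
    # isdataat:1,relative -> at least one byte must follow the end-of-headers match
    return len(buf) > eoh + len(EOH)


# Constructed sample buffers (not captured traffic).
# 1) Header claims 0 bytes but a body follows: the case the rule is written for.
BAD_POST = (b"POST /up HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 0\r\n"
            b"User-Agent: x\r\n\r\nid=1&k=v")
# 2) Honest empty POST: nothing after the headers, so isdataat fails.
EMPTY_POST = b"POST /ping HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 0\r\n\r\n"
# 3) Two well-formed requests reassembled into one buffer: the second request's
#    end-of-headers is found after the first match and bytes follow it (false positive).
PIPELINED = (b"POST /ping HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 0\r\n\r\n"
             b"POST /x HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 3\r\n\r\nabc")
# 4) Same lie as (1) but Content-Length is the last header: under the assumed
#    search-start semantics the overlapping "\r\n\r\n" is not seen, so no match.
LAST_HEADER_BODY = b"POST /up HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 0\r\n\r\nid=1"

if __name__ == "__main__":
    for name, buf in [("BAD_POST", BAD_POST), ("EMPTY_POST", EMPTY_POST),
                      ("PIPELINED", PIPELINED), ("LAST_HEADER_BODY", LAST_HEADER_BODY)]:
        print(name, rule_2011819_matches(buf))
```

Case 3 is one buffer shape that satisfies every match while each request in it is legitimate, which is the kind of thing to check in the offending packets before tuning the rule.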
