[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST with data (outbound)
wkitty42 at windstream.net
Tue Oct 26 19:39:52 EDT 2010
On 10/26/2010 08:54, Matthew Jonkman wrote:
> What kinds of packets are you seeing this on?
> Very unusual to see it that often...
I had asked previously on this zero content-length stuff if it was possible that
they might be just updating cookies... I do not recall any responses to my post,
> On Oct 26, 2010, at 8:38 AM, Jose Vila wrote:
>> It's nice to meet all of you!
>> I've built an IDS a few weeks ago and I'm getting full of false
>> positives from this rule.
>> The destination of most of the alerts generated goes to Microsoft ranges
>> (mainly 188.8.131.52/14) and says that it's Live Messenger and other M$
>> apps, and there are also some GMail requests, and others ...
>> Has anyone also had false positives?
>> Thank you in advance!
>> The rule:
>> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
>> Zero Content-Length HTTP POST with data (outbound)";
>> flow:established,to_server; content:"POST"; nocase; http_method;
>> content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; content:"|0D 0A 0D 0A|";
>> distance:0; isdataat:1,relative; classtype:bad-unknown; sid:2011819;
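To see exactly which request layouts the quoted rule fires on, here is an added example (not from the thread or the Emerging Threats ruleset) that re-implements its three content matches and the isdataat test in plain Python over a single TCP payload, and runs it on constructed samples; the pipelined-request sample is an assumption about one benign layout that satisfies the matchers, not a claim about the posters' traffic.

```python
# Re-implementation of the matchers in sid:2011819 for one TCP segment payload.
# flow:established,to_server is a stream-level condition and is not modelled.
CL_ZERO = b"\r\nContent-Length: 0\r\n"   # content:"|0D 0A|Content-Length|3a| 0|0D 0A|" (case-sensitive, no nocase)
HDR_END = b"\r\n\r\n"                    # content:"|0D 0A 0D 0A|"; distance:0

def matches_zero_cl_post(segment: bytes) -> bool:
    """Return True if the payload satisfies every matcher of the rule."""
    request_line = segment.split(b"\r\n", 1)[0]
    if request_line[:4].upper() != b"POST":          # content:"POST"; nocase; http_method
        return False
    pos = segment.find(CL_ZERO)
    if pos < 0:
        return False
    doe = pos + len(CL_ZERO)                         # end of previous match
    end = segment.find(HDR_END, doe)                 # distance:0 -> search begins at doe
    if end < 0:
        return False
    return len(segment) > end + len(HDR_END)         # isdataat:1,relative: >=1 byte after CRLFCRLF

# Constructed samples, not captures from the thread.
SAMPLES = {
    # Content-Length: 0 followed by further headers, then bytes after the header block.
    "zero_cl_then_data": (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
                          b"Content-Length: 0\r\nUser-Agent: x\r\n\r\nabc"),
    # Assumed benign layout: an empty POST with a second, pipelined request in the same segment.
    "pipelined_requests": (b"POST /ping HTTP/1.1\r\nContent-Length: 0\r\nHost: example.invalid\r\n\r\n"
                           b"GET /next HTTP/1.1\r\nHost: example.invalid\r\n\r\n"),
    # Content-Length: 0 as the last header: the CRLFCRLF overlaps the first match,
    # so distance:0 cannot find it and the rule does not fire even with trailing bytes.
    "zero_cl_last_header": (b"POST /ping HTTP/1.1\r\nHost: example.invalid\r\n"
                            b"Content-Length: 0\r\n\r\nabc"),
    # Ordinary POST whose declared length is non-zero.
    "normal_post": (b"POST /form HTTP/1.1\r\nHost: example.invalid\r\n"
                    b"Content-Length: 3\r\nUser-Agent: x\r\n\r\nabc"),
    # Not a POST at all.
    "get_request": b"GET / HTTP/1.1\r\nContent-Length: 0\r\nHost: example.invalid\r\n\r\nabc",
}

def classify(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule's matchers would fire on it."""
    return {name: matches_zero_cl_post(payload) for name, payload in samples.items()}

if __name__ == "__main__":
    for name, hit in classify().items():
        print(f"{name:22s} -> {'ALERT' if hit else 'no match'}")
```

Because the header-end match is searched only from the end of the Content-Length match, a request whose last header is Content-Length: 0 never fires; the alerts come from requests with at least one header after it and bytes after the blank line.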