[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST with data (outbound)

waldo kitty wkitty42 at windstream.net
Tue Oct 26 19:39:52 EDT 2010


On 10/26/2010 08:54, Matthew Jonkman wrote:
> What kinds of packets are you seeing this on?
>
> Very unusual to see it that often...

I had asked previously, on this zero content-length stuff, if it was possible that 
they might be just updating cookies... I do not recall any responses to my post, 
though :?


>
> Matt
>
> On Oct 26, 2010, at 8:38 AM, Jose Vila wrote:
>
>> Hello,
>> It's nice to meet all of you !
>> I built an IDS a few weeks ago and I'm getting a lot of false
>> positives from this rule.
>> Most of the alerts generated go to Microsoft ranges
>> (mainly 65.52.0.0/14), and it says that it's Live Messenger and other M$
>> apps, and there are also some GMail requests, and others ...
>>
>> Has anyone else had false positives?
>>
>> Thank you in advance !
>> Jose.
>>
>> The rule:
>> alert tcp $HOME_NET any ->  $EXTERNAL_NET $HTTP_PORTS (msg:"ET MALWARE
>> Zero Content-Length HTTP POST with data (outbound)";
>> flow:established,to_server; content:"POST"; nocase; http_method;
>> content:"|0D 0A|Content-Length|3a| 0|0D 0A|"; content:"|0D 0A 0D 0A|";
>> distance:0; isdataat:1,relative; classtype:bad-unknown; sid:2011819;
>> rev:1;)
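As an added illustration (not code from the thread or from Emerging Threats), the following Python emulates the match chain of sid:2011819 over constructed request payloads so the conditions under which it fires, and stays silent, can be seen directly; the sample names and payloads are mine, and http_method is approximated as the first token of the request line.

```python
# Constructed HTTP request payloads (not from the thread), CRLF line endings as on the wire.
SAMPLES = {
    # Content-Length: 0 followed by another header, then bytes after the
    # blank line: every step of the rule's match chain succeeds.
    "zero_len_with_data": (b"POST /upload HTTP/1.1\r\nContent-Length: 0\r\n"
                           b"Host: example.test\r\n\r\nleftover"),
    # Same headers, nothing after the blank line: isdataat:1,relative fails.
    "zero_len_no_data": (b"POST /ping HTTP/1.1\r\nContent-Length: 0\r\n"
                         b"Host: example.test\r\n\r\n"),
    # Non-zero Content-Length: the header content match fails.
    "real_body": (b"POST /api HTTP/1.1\r\nContent-Length: 5\r\n"
                  b"Host: example.test\r\n\r\nhello"),
    # Two pipelined requests in one payload: the next request's bytes sit
    # right after the blank line, so the rule fires although no body was sent.
    "pipelined": (b"POST /a HTTP/1.1\r\nContent-Length: 0\r\nHost: example.test\r\n\r\n"
                  b"GET /b HTTP/1.1\r\nHost: example.test\r\n\r\n"),
    # Content-Length: 0 as the final header: the blank line overlaps the
    # previous match, so the relative terminator search never sees it.
    "zero_len_last_header": (b"POST /x HTTP/1.1\r\nHost: example.test\r\n"
                             b"Content-Length: 0\r\n\r\nleftover"),
    # GET with the same headers: the http_method content "POST" fails.
    "get": b"GET / HTTP/1.1\r\nContent-Length: 0\r\nHost: example.test\r\n\r\nx",
}

def sid_2011819_matches(payload: bytes) -> bool:
    """Emulate the content/distance/isdataat chain of sid:2011819 on one payload."""
    # content:"POST"; nocase; http_method -> method token of the request line
    method = payload.split(b" ", 1)[0]
    if method.upper() != b"POST":
        return False
    # content:"|0D 0A|Content-Length|3a| 0|0D 0A|" (case-sensitive, raw payload)
    hdr = b"\r\nContent-Length: 0\r\n"
    h = payload.find(hdr)
    if h < 0:
        return False
    # content:"|0D 0A 0D 0A|"; distance:0 -> the search starts at the end of
    # the previous match, so it cannot overlap the trailing CRLF just matched.
    t = payload.find(b"\r\n\r\n", h + len(hdr))
    if t < 0:
        return False
    # isdataat:1,relative -> at least one byte after the blank line
    return len(payload) > t + 4

def evaluate(samples=SAMPLES) -> dict:
    """Run every sample through the emulated rule; True means an alert."""
    return {name: sid_2011819_matches(p) for name, p in samples.items()}
```

The pipelined case is one way a client with no malicious body at all can trip the rule, which is the kind of traffic worth inspecting before tuning or suppressing it.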

