[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST withdata (outbound)

Josh Little josh at zombietango.com
Wed Oct 27 11:47:44 EDT 2010


On 10/27/2010 11:23 AM, Weir, Jason wrote:
> I'm seeing a few of these on what seems to be legit traffic as well. 
>
> If someone wants the pcaps let me know.
>
> -J
>

We were seeing several thousand of these as well, to the point where I
finally had to turn the sig off. Many were keep-alive-esque requests or
AJAX requests. A lot were from a set of internal CMS tools, so I won't
be able to send on any PCAPs or raw HTTP. I wonder if the sig could be
modified to check to see if the X-Requested-With: XMLHttpRequest header
is not set?

ZT
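A small Python model of the check being discussed, plus the X-Requested-With exemption proposed above, added here as an illustration (it is not code from the thread or from the ET ruleset). The three HTTP requests and their paths are constructed samples.

```python
# Added example (not from the thread): models the "zero Content-Length
# POST with data" condition and the proposed refinement of suppressing
# the alert when "X-Requested-With: XMLHttpRequest" is present.
from typing import Optional

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = \
            value.strip().decode("ascii", "replace")
    return method, headers, body

def zero_cl_post_with_data(raw: bytes, ignore_xhr: bool = False) -> Optional[str]:
    """Return an alert string for a POST whose Content-Length header is 0
    while bytes still follow the headers; None when the request is clean.
    With ignore_xhr=True the alert is suppressed for AJAX (XMLHttpRequest)
    traffic, which is the refinement suggested in the thread."""
    method, headers, body = parse_request(raw)
    if method != "POST" or headers.get("content-length") != "0" or not body:
        return None
    if ignore_xhr and headers.get("x-requested-with", "").lower() == "xmlhttprequest":
        return None
    return f"Zero Content-Length POST with {len(body)} body bytes"

# Constructed samples: a suspicious POST, a benign AJAX keep-alive, a normal POST.
SUSPICIOUS = (b"POST /submit HTTP/1.1\r\nHost: example.invalid\r\n"
              b"Content-Length: 0\r\n\r\nid=1&data=xyz")
AJAX = (b"POST /ping HTTP/1.1\r\nHost: cms.internal.example\r\n"
        b"X-Requested-With: XMLHttpRequest\r\nContent-Length: 0\r\n\r\n{}")
NORMAL = (b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n"
          b"Content-Length: 11\r\n\r\nuser=a&pw=b")

def run_samples(ignore_xhr: bool) -> int:
    """Count how many of the three samples alert under the chosen policy."""
    return sum(zero_cl_post_with_data(r, ignore_xhr) is not None
               for r in (SUSPICIOUS, AJAX, NORMAL))

if __name__ == "__main__":
    print("alerts without XHR exemption:", run_samples(False))  # 2
    print("alerts with XHR exemption:", run_samples(True))      # 1
```

The exemption keys on a client-supplied header, so it trades coverage for noise reduction rather than removing the false-positive class outright.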

