[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST withdata (outbound)
l0rdch0de1m0rt at gmail.com
Wed Oct 27 12:11:01 EDT 2010
Hello. I like this sig conceptually but I think it may be a victim of
poor web programming practices. Goddamn Web 2.0....
On Wed, Oct 27, 2010 at 10:47 AM, Josh Little <josh at zombietango.com> wrote:
> On 10/27/2010 11:23 AM, Weir, Jason wrote:
>> I'm seeing a few of these on what seems to be legit traffic as well.
>> If someone wants the pcaps let me know.
> We were seeing several thousand of these as well, to the point where I
> finally had to turn the sig off. Many were keep-alive-esque requests or
> AJAX requests. A lot were from a set of internal CMS tools, so I won't
> be able to send on any PCAPs or raw HTTP. I wonder if the sig could be
> modified to check to see if the X-Requested-With: XMLHttpRequest header
> is not set?
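The logic under discussion, as an added example that is not code from the Emerging Threats ruleset or from anyone in this thread: a Python reimplementation of what the signature looks for (an outbound POST declaring "Content-Length: 0" while bytes still follow the header block), with the X-Requested-With: XMLHttpRequest exclusion Josh proposed as an optional switch. The sample requests are constructed, and their hosts, paths and parameter names are invented for illustration.

```python
# Added example, not from the ET ruleset or the thread. Reproduces the sig's
# logic in Python and shows the effect of the proposed XHR exclusion on a few
# constructed requests. Hosts, paths and parameter names below are made up.

def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, headers, trailing_bytes).

    Returns None when no header terminator (CRLFCRLF) is present. Header
    names are lower-cased; duplicate headers keep the last value. Bytes after
    the terminator in the same buffer are returned as trailing bytes, which
    is what the signature keys on: with Content-Length: 0 a compliant parser
    would treat those bytes as the start of the next request, not a body.
    """
    head, sep, trailing = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(b":")
        if colon:
            key = name.strip().lower().decode("latin-1")
            headers[key] = value.strip().decode("latin-1")
    return method, headers, trailing


def zero_length_post_with_data(raw: bytes, exclude_xhr: bool = False) -> bool:
    """True when the request matches the sig; with exclude_xhr, XHR is skipped."""
    parsed = parse_request(raw)
    if parsed is None:
        return False
    method, headers, trailing = parsed
    if method != "POST" or headers.get("content-length") != "0" or not trailing:
        return False
    # Proposed tweak: do not alert when the browser-side marker is present.
    if exclude_xhr and headers.get("x-requested-with", "").lower() == "xmlhttprequest":
        return False
    return True


# Constructed samples (not real captures); hosts and paths are invented.
SAMPLES = {
    # Bot-style check-in: zero length declared, data sent anyway.
    "beacon": (b"POST /gate.php HTTP/1.1\r\nHost: c2.example.invalid\r\n"
               b"User-Agent: Mozilla/4.0\r\nContent-Length: 0\r\n\r\n"
               b"id=1234&os=winxp"),
    # AJAX keep-alive from an internal CMS: same shape on the wire, XHR-marked.
    "cms_ajax": (b"POST /admin/ping HTTP/1.1\r\nHost: cms.corp.invalid\r\n"
                 b"X-Requested-With: XMLHttpRequest\r\nContent-Length: 0\r\n\r\n"
                 b"{}"),
    # Well-formed form post: declared length matches the body.
    "login": (b"POST /login HTTP/1.1\r\nHost: www.example.invalid\r\n"
              b"Content-Length: 11\r\n\r\nuser=a&pw=b"),
    # Zero-length POST with nothing after the headers: no data, no alert.
    "empty": (b"POST /poll HTTP/1.1\r\nHost: www.example.invalid\r\n"
              b"Content-Length: 0\r\n\r\n"),
    # GET with trailing bytes: not a POST, never matches.
    "get": (b"GET / HTTP/1.1\r\nHost: www.example.invalid\r\n"
            b"Content-Length: 0\r\n\r\njunk"),
}


def scan(samples, exclude_xhr: bool = False):
    """Return the names of the samples the signature would alert on."""
    return [name for name, raw in samples.items()
            if zero_length_post_with_data(raw, exclude_xhr)]


if __name__ == "__main__":
    print("original sig:      ", scan(SAMPLES))
    print("with XHR exclusion:", scan(SAMPLES, exclude_xhr=True))
```

Running it shows the trade-off: without the exclusion both the beacon and the CMS keep-alive fire, with it only the beacon does. The header is set by the client, so anything that wants to look like a browser can add it; the exclusion buys quiet at the cost of coverage, which is worth weighing against simply whitelisting the internal tools that generate the noise.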