[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST with data (outbound)

L0rd Ch0de1m0rt l0rdch0de1m0rt at gmail.com
Wed Oct 27 12:11:01 EDT 2010


Hello.  I like this sig conceptually but I think it may be a victim of
poor web programming practices.  Goddamn Web 2.0....

-L0rd C.

On Wed, Oct 27, 2010 at 10:47 AM, Josh Little <josh at zombietango.com> wrote:
> On 10/27/2010 11:23 AM, Weir, Jason wrote:
>> I'm seeing a few of these on what seems to be legit traffic as well.
>>
>> If someone wants the pcaps let me know.
>>
>> -J
>>
>
> We were seeing several thousand of these as well, to the point where I
> finally had to turn the sig off. Many were keep-alive-esque requests or
> AJAX requests. A lot were from a set of internal CMS tools, so I won't
> be able to send on any PCAPS or raw HTTP. I wonder if the sig could be
> modified to check to see if the X-Requested-With: XMLHttpRequest header
> is not set?
>
> ZT
>
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at emergingthreats.net
> http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Get your ET Stuff! Tshirts, Coffee Mugs and Lanyards
> http://www.emergingthreats.net/index.php/support-et-and-buy-et-schwag.html
>

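The detection logic the thread is arguing about, written out as an added Python example (this is illustrative code, not the ET rule itself and not code from any list member): a POST that declares `Content-Length: 0` but still carries body bytes raises an alert, and the refinement Josh proposes suppresses the alert when `X-Requested-With: XMLHttpRequest` is present. The sample requests, hostnames and paths are constructed for the demonstration.

```python
"""Zero Content-Length POST with body: detection check plus the proposed XHR exemption.

Added example; the raw HTTP requests below are constructed samples, not captures.
"""
from dataclasses import dataclass


@dataclass
class Verdict:
    alert: bool
    reason: str


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, lowercase header dict, body bytes)."""
    head, _sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].decode("latin-1").split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return method, headers, body


def inspect(raw: bytes, ignore_xhr: bool = False) -> Verdict:
    """Alert on POST with Content-Length: 0 but a non-empty body.

    ignore_xhr=True applies the thread's suggested tweak: do not alert when the
    client marked the request as an XMLHttpRequest (typical AJAX/keep-alive traffic).
    """
    method, headers, body = parse_request(raw)
    if method != "POST":
        return Verdict(False, "not a POST")
    declared = headers.get("content-length")
    if declared is None:
        return Verdict(False, "no Content-Length header")
    try:
        length = int(declared)
    except ValueError:
        return Verdict(False, "malformed Content-Length")
    if length != 0:
        return Verdict(False, f"Content-Length is {length}, not zero")
    if not body:
        return Verdict(False, "zero-length POST with no body bytes")
    if ignore_xhr and headers.get("x-requested-with", "").lower() == "xmlhttprequest":
        return Verdict(False, "suppressed: X-Requested-With: XMLHttpRequest")
    return Verdict(True, f"Content-Length: 0 but {len(body)} body bytes present")


# Constructed samples (hostnames/paths are placeholders).
SAMPLE_SUSPICIOUS = (
    b"POST /gate.php HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Length: 0\r\n\r\nid=1234&data=abc"
)
SAMPLE_AJAX = (
    b"POST /cms/ping HTTP/1.1\r\nHost: intranet.example\r\n"
    b"Content-Length: 0\r\nX-Requested-With: XMLHttpRequest\r\n\r\n{}"
)
SAMPLE_NORMAL = (
    b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Length: 8\r\n\r\nuser=bob"
)


def run_samples(ignore_xhr: bool) -> dict:
    """Return {sample name: alert?} for the three constructed requests."""
    return {
        "suspicious": inspect(SAMPLE_SUSPICIOUS, ignore_xhr).alert,
        "ajax": inspect(SAMPLE_AJAX, ignore_xhr).alert,
        "normal": inspect(SAMPLE_NORMAL, ignore_xhr).alert,
    }


if __name__ == "__main__":
    print("as originally written:", run_samples(ignore_xhr=False))
    print("with XHR exemption:   ", run_samples(ignore_xhr=True))
```

Without the exemption the AJAX sample fires alongside the suspicious one, which matches the false-positive volume described in the thread; with it, only the suspicious sample alerts. The trade-off is that the exemption keys on a header the client chooses to send, so it reduces noise on the legitimate traffic seen here rather than making the check stronger.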
