[Emerging-Sigs] ET MALWARE Zero Content-Length HTTP POST withdata (outbound)

Matthew Jonkman jonkman at emergingthreatspro.com
Wed Oct 27 16:56:33 EDT 2010


Good idea, but it looks like that'll just eliminate a subset of the false positives, no?

Are there a few things we could look for that are common to the false positives everyone's seeing?

Matt

On Oct 27, 2010, at 11:47 AM, Josh Little wrote:

> On 10/27/2010 11:23 AM, Weir, Jason wrote:
>> I'm seeing a few of these on what seems to be legit traffic as well. 
>> 
>> If someone wants the pcaps let me know.
>> 
>> -J
>> 
> 
> We were seeing several thousand of these as well, to the point where I
> finally had to turn the sig off. Many were keep-alive-esque requests or
> AJAX requests. A lot were from a set of internal CMS tools, so I won't
> be able to send on any PCAPS or raw HTTP. I wonder if the sig could be
> modified to check to see if the X-Requested-With: XMLHttpRequest header
> is not set?
> 
> ZT
> 


----------------------------------------------------
Matthew Jonkman
Emergingthreats.net
Emerging Threats Pro
Open Information Security Foundation (OISF)
Phone 765-807-8630
Fax 312-264-0205
http://www.emergingthreatspro.com
http://www.openinfosecfoundation.org
----------------------------------------------------

PGP: http://www.jonkmans.com/mattjonkman.asc
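The detection the thread is tuning, modelled here as an added example (not the ET rule itself, whose content options are not shown on this page, and not code from any participant): a POST that declares Content-Length: 0 but still carries bytes after the header block, together with the refinement Josh Little proposes, requiring that X-Requested-With: XMLHttpRequest is absent. Run over four constructed requests (hostnames, paths and bodies are made up, not captured traffic), it illustrates Matt's point that the header check only removes a subset of the false positives: the AJAX-style request stops firing, while the keep-alive-style request without that header still does.

```python
"""Model of the 'zero Content-Length POST with data' detection and the proposed
X-Requested-With exclusion.  Added example, not the ET signature; the sample
requests below are constructed for illustration."""

from dataclasses import dataclass


@dataclass
class HttpRequest:
    method: str
    headers: dict   # lower-cased header name -> value
    body: bytes     # everything after the first blank line


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.x request parser (assumes a well-formed header block)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0].upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, headers, body)


def zero_length_post_with_data(req: HttpRequest) -> bool:
    """Behaviour the signature's name describes: POST, Content-Length: 0,
    yet bytes are present after the header block."""
    return (req.method == "POST"
            and req.headers.get("content-length") == "0"
            and len(req.body) > 0)


def zero_length_post_with_data_no_xhr(req: HttpRequest) -> bool:
    """Proposed refinement: additionally require that the request is not
    marked as an XMLHttpRequest."""
    xhr = req.headers.get("x-requested-with", "").lower() == "xmlhttprequest"
    return zero_length_post_with_data(req) and not xhr


# Constructed sample traffic, named for the role each plays in the thread.
SAMPLES = {
    # Suspicious: declares no body, sends one anyway, no browser-ish headers.
    "suspicious": (b"POST /gate.php HTTP/1.1\r\nHost: example.invalid\r\n"
                   b"Content-Length: 0\r\n\r\n" + b"\x00\x01\x02id=1234"),
    # AJAX false positive: same shape, but flagged as an XMLHttpRequest.
    "ajax_fp": (b"POST /cms/ping HTTP/1.1\r\nHost: intranet.example\r\n"
                b"X-Requested-With: XMLHttpRequest\r\nContent-Length: 0\r\n\r\n"
                + b"{}"),
    # Keep-alive style false positive: stray CRLF after a zero-length POST,
    # and no X-Requested-With header for the refinement to key on.
    "keepalive_fp": (b"POST /session/touch HTTP/1.1\r\nHost: intranet.example\r\n"
                     b"Connection: keep-alive\r\nContent-Length: 0\r\n\r\n"
                     + b"\r\n"),
    # Normal POST: Content-Length matches the body.
    "normal": (b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n"
               b"Content-Length: 9\r\n\r\n" + b"user=bob&"),
}


def evaluate(samples=SAMPLES):
    """Return {name: (original_fires, refined_fires)} for each sample."""
    out = {}
    for name, raw in samples.items():
        req = parse_request(raw)
        out[name] = (zero_length_post_with_data(req),
                     zero_length_post_with_data_no_xhr(req))
    return out


if __name__ == "__main__":
    for name, (orig, refined) in evaluate().items():
        print(f"{name:13s} original={orig!s:5s} with_xhr_exclusion={refined}")
```

The keep-alive sample is the case Matt is pointing at: nothing in its headers distinguishes it from the suspicious request, so a header-based exclusion cannot help, and the useful next step is the one he asks for, collecting the false-positive pcaps and looking for what they share beyond the X-Requested-With header.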
