Snort mailing list archives
Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive
From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 24 Jul 2015 08:21:19 -0400
It is a false positive. Normally when I'm helping people, I modify this rule to exclude msn.com. Blame them On Fri, Jul 24, 2015 at 6:26 AM, Anshuman Anil Deshmukh <anshuman () cybage com
wrote:
Hi, We see lots of alerts with signature “MALWARE-OTHER HTTP POST” request to a GIF file. We believe this is possibly a false positive as all the requests are going to a legitimate website msn.com. I am positing here the payload data for two of such alerts (One from a Windows system and other from a Linux system). Kindly check. Payload for Windows System: 0000000: 50 4f 53 54 20 2f 63 2e 67 69 66 3f 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 *POST./c.gif?.HTTP/1.1..Acc* 000001A: 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 *ept:.*/*..Content-Type:.ap* 0000034: 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 *plication/json;.charset=ut* 000004E: 66 2d 38 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 6d *f-8..Referer:.http://www.m <http://www.m>* 0000068: 73 6e 2e 63 6f 6d 2f 65 6e 2d 69 6e 2f 3f 6f 63 69 64 3d 69 65 68 70 26 41 52 *sn.com/en-in/?ocid=iehp&AR <http://sn.com/en-in/?ocid=iehp&AR>* 0000082: 3d 34 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 55 53 *=4..Accept-Language:.en-US* 000009C: 2c 65 6e 3b 71 3d 30 2e 35 0d 0a 4f 72 69 67 69 6e 3a 20 68 74 74 70 3a 2f 2f *,en;q=0.5..Origin:.http://* 00000B6: 77 77 77 2e 6d 73 6e 2e 63 6f 6d 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 *www.msn.com..Accept-Encodi* 00000D0: 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d 0a 55 73 65 72 2d 41 67 *ng:.gzip,.deflate..User-Ag* 00000EA: 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 *ent:.Mozilla/5.0.(Windows.* 0000104: 4e 54 20 36 2e 33 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 37 2e 30 *NT.6.3;.WOW64;.Trident/7.0* 000011E: 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f 0d 0a 48 6f 73 *;.rv:11.0).like.Gecko..Hos* 0000138: 74 3a 20 6f 74 66 2e 6d 73 6e 2e 63 6f 6d 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 *t:.otf.msn.com..Content-Le* 0000152: 6e 67 74 68 3a 20 34 36 37 0d 0a 44 4e 54 3a 20 31 0d 0a 43 6f 6e 6e 65 63 74 *ngth:.467..DNT:.1..Connect* 000016C: 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 61 63 68 65 2d 43 6f 6e *ion:.Keep-Alive..Cache-Con* 0000186: 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a *trol:.no-cache....* Payload for Linux System: 0000000: 50 4f 53 54 20 2f 63 2e 67 69 66 3f 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 *POST./c.gif?.HTTP/1.1..Hos* 000001A: 74 3a 20 6f 74 66 2e 6d 73 6e 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e *t:.otf.msn.com..Connection* 0000034: 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 *:.keep-alive..Content-Leng* 000004E: 74 68 3a 20 35 30 36 36 0d 0a 4f 72 69 67 69 6e 3a 20 68 74 74 70 3a 2f 2f 77 *th:.5066..Origin:.http://w <http://w>* 0000068: 77 77 2e 6d 73 6e 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f *ww.msn.com..User-Agent:.Mo* 0000082: 7a 69 6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 4c 69 6e 75 78 20 78 38 36 5f *zilla/5.0.(X11;.Linux.x86_* 000009C: 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 *64).AppleWebKit/537.36.(KH* 00000B6: 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 34 33 *TML,.like.Gecko).Chrome/43* 00000D0: 2e 30 2e 32 33 35 37 2e 31 33 30 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36 0d *.0.2357.130.Safari/537.36.* 00000EA: 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e *.Content-type:.application* 0000104: 2f 6a 73 6f 6e 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 41 63 63 65 */json;.charset=UTF-8..Acce* 000011E: 70 74 3a 20 2a 2f 2a 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 *pt:.*/*..Referer:.http://w <http://w>* 0000138: 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 65 6e 2d 69 6e 2f 6e 65 77 73 2f 70 68 6f 74 *ww.msn.com/en-in/news/phot <http://ww.msn.com/en-in/news/phot>* 0000152: 6f 73 2f 70 69 63 74 75 72 65 73 2d 6f 66 2d 74 68 65 2d 77 65 65 6b 2d 6a 75 *os/pictures-of-the-week-ju* 000016C: 6c 79 2d 32 34 2d 32 30 31 35 2f 73 73 2d 41 41 64 70 44 66 33 0d 0a 41 63 63 *ly-24-2015/ss-AAdpDf3..Acc* 0000186: 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 *ept-Encoding:.gzip,.deflat* 00001A0: 65 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 55 53 2c *e..Accept-Language:.en-US,* 00001BA: 65 6e 3b 71 3d 30 2e 38 0d 0a 0d 0a *en;q=0.8....* Regards, Anshuman Anil Deshmukh | Sr. IS Analyst - Security Cybage Software Pvt. Ltd. (An ISO 27001 company) Phone : 91-20-66041700, 91-20-66044700 (Ext. 6114) Fax: 91-20-66041701 & 66041702 Cell: 91-99230-51641 "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com ------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 24)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Jeremy Hoel (Jul 24)
- Message not available
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 27)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 29)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Joel Esler (jesler) (Jul 29)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Aug 13)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 27)