Snort mailing list archives

Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive

From: Jeremy Hoel <jthoel () gmail com>
Date: Fri, 24 Jul 2015 08:21:19 -0400

It is a false positive.  Normally when I'm helping people, I modify this
rule to exclude msn.com.  Blame them

On Fri, Jul 24, 2015 at 6:26 AM, Anshuman Anil Deshmukh <anshuman () cybage com

wrote:

 Hi,



We see lots of alerts with signature “MALWARE-OTHER HTTP POST” request to
a GIF file. We believe this is possibly a false positive as all the
requests are going to a legitimate website msn.com.



I am positing here the payload data for two of such alerts (One from a
Windows system and other from a Linux system).



Kindly check.



Payload for Windows System:

0000000: 50 4f 53 54 20 2f 63 2e 67 69 66 3f 20   48 54 54 50 2f 31 2e 31
0d 0a 41 63 63  *POST./c.gif?.HTTP/1.1..Acc*

000001A: 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e   74 65 6e 74 2d 54 79 70
65 3a 20 61 70  *ept:.*/*..Content-Type:.ap*

0000034: 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f   6e 3b 20 63 68 61 72 73
65 74 3d 75 74  *plication/json;.charset=ut*

000004E: 66 2d 38 0d 0a 52 65 66 65 72 65 72 3a   20 68 74 74 70 3a 2f 2f
77 77 77 2e 6d  *f-8..Referer:.http://www.m <http://www.m>*

0000068: 73 6e 2e 63 6f 6d 2f 65 6e 2d 69 6e 2f   3f 6f 63 69 64 3d 69 65
68 70 26 41 52  *sn.com/en-in/?ocid=iehp&AR
<http://sn.com/en-in/?ocid=iehp&AR>*

0000082: 3d 34 0d 0a 41 63 63 65 70 74 2d 4c 61   6e 67 75 61 67 65 3a 20
65 6e 2d 55 53  *=4..Accept-Language:.en-US*

000009C: 2c 65 6e 3b 71 3d 30 2e 35 0d 0a 4f 72   69 67 69 6e 3a 20 68 74
74 70 3a 2f 2f  *,en;q=0.5..Origin:.http://*

00000B6: 77 77 77 2e 6d 73 6e 2e 63 6f 6d 0d 0a   41 63 63 65 70 74 2d 45
6e 63 6f 64 69  *www.msn.com..Accept-Encodi*

00000D0: 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66   6c 61 74 65 0d 0a 55 73
65 72 2d 41 67  *ng:.gzip,.deflate..User-Ag*

00000EA: 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f   35 2e 30 20 28 57 69 6e
64 6f 77 73 20  *ent:.Mozilla/5.0.(Windows.*

0000104: 4e 54 20 36 2e 33 3b 20 57 4f 57 36 34   3b 20 54 72 69 64 65 6e
74 2f 37 2e 30  *NT.6.3;.WOW64;.Trident/7.0*

000011E: 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69   6b 65 20 47 65 63 6b 6f
0d 0a 48 6f 73  *;.rv:11.0).like.Gecko..Hos*

0000138: 74 3a 20 6f 74 66 2e 6d 73 6e 2e 63 6f   6d 0d 0a 43 6f 6e 74 65
6e 74 2d 4c 65  *t:.otf.msn.com..Content-Le*

0000152: 6e 67 74 68 3a 20 34 36 37 0d 0a 44 4e   54 3a 20 31 0d 0a 43 6f
6e 6e 65 63 74  *ngth:.467..DNT:.1..Connect*

000016C: 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69   76 65 0d 0a 43 61 63 68
65 2d 43 6f 6e  *ion:.Keep-Alive..Cache-Con*

0000186: 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68   65 0d 0a 0d 0a
                         *trol:.no-cache....*



Payload for Linux System:

0000000: 50 4f 53 54 20 2f 63 2e 67 69 66 3f 20   48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73  *POST./c.gif?.HTTP/1.1..Hos*

000001A: 74 3a 20 6f 74 66 2e 6d 73 6e 2e 63 6f   6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e  *t:.otf.msn.com..Connection*

0000034: 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d   0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67  *:.keep-alive..Content-Leng*

000004E: 74 68 3a 20 35 30 36 36 0d 0a 4f 72 69   67 69 6e 3a 20 68 74 74 70 3a 2f 2f 77  *th:.5066..Origin:.http://w 
<http://w>*

0000068: 77 77 2e 6d 73 6e 2e 63 6f 6d 0d 0a 55   73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f  *ww.msn.com..User-Agent:.Mo*

0000082: 7a 69 6c 6c 61 2f 35 2e 30 20 28 58 31   31 3b 20 4c 69 6e 75 78 20 78 38 36 5f  *zilla/5.0.(X11;.Linux.x86_*

000009C: 36 34 29 20 41 70 70 6c 65 57 65 62 4b   69 74 2f 35 33 37 2e 33 36 20 28 4b 48  *64).AppleWebKit/537.36.(KH*

00000B6: 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63   6b 6f 29 20 43 68 72 6f 6d 65 2f 34 33  *TML,.like.Gecko).Chrome/43*

00000D0: 2e 30 2e 32 33 35 37 2e 31 33 30 20 53   61 66 61 72 69 2f 35 33 37 2e 33 36 0d  *.0.2357.130.Safari/537.36.*

00000EA: 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65   3a 20 61 70 70 6c 69 63 61 74 69 6f 6e  *.Content-type:.application*

0000104: 2f 6a 73 6f 6e 3b 20 63 68 61 72 73 65   74 3d 55 54 46 2d 38 0d 0a 41 63 63 65  */json;.charset=UTF-8..Acce*

000011E: 70 74 3a 20 2a 2f 2a 0d 0a 52 65 66 65   72 65 72 3a 20 68 74 74 70 3a 2f 2f 77  *pt:.*/*..Referer:.http://w 
<http://w>*

0000138: 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 65 6e   2d 69 6e 2f 6e 65 77 73 2f 70 68 6f 74  *ww.msn.com/en-in/news/phot 
<http://ww.msn.com/en-in/news/phot>*

0000152: 6f 73 2f 70 69 63 74 75 72 65 73 2d 6f   66 2d 74 68 65 2d 77 65 65 6b 2d 6a 75  *os/pictures-of-the-week-ju*

000016C: 6c 79 2d 32 34 2d 32 30 31 35 2f 73 73   2d 41 41 64 70 44 66 33 0d 0a 41 63 63  *ly-24-2015/ss-AAdpDf3..Acc*

0000186: 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a   20 67 7a 69 70 2c 20 64 65 66 6c 61 74  *ept-Encoding:.gzip,.deflat*

00001A0: 65 0d 0a 41 63 63 65 70 74 2d 4c 61 6e   67 75 61 67 65 3a 20 65 6e 2d 55 53 2c  *e..Accept-Language:.en-US,*

00001BA: 65 6e 3b 71 3d 30 2e 38 0d 0a 0d 0a                                              *en;q=0.8....*





Regards,
Anshuman Anil Deshmukh | Sr. IS Analyst - Security
Cybage Software Pvt. Ltd. (An ISO 27001 company)
Phone : 91-20-66041700, 91-20-66044700 (Ext. 6114)
Fax: 91-20-66041701 & 66041702
Cell: 91-99230-51641







"Legal Disclaimer: This electronic message and all contents contain
information from Cybage Software Private Limited which may be privileged,
confidential, or otherwise protected from disclosure. The information is
intended to be for the addressee(s) only. If you are not an addressee, any
disclosure, copy, distribution, or use of the contents of this message is
strictly prohibited. If you have received this electronic message in error
please notify the sender by reply e-mail to and destroy the original
message and all copies. Cybage has taken every reasonable precaution to
minimize the risk of malicious content in the mail, but is not liable for
any damage you may sustain as a result of any malicious content in this
e-mail. You should carry out your own malicious content checks before
opening the e-mail or attachment." www.cybage.com


------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest
Snort news!

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Current thread:

[Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 24)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Jeremy Hoel (Jul 24)
- Message not available
  - Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 27)
    - Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 29)
    - Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Joel Esler (jesler) (Jul 29)
    - Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Aug 13)