Snort mailing list archives
Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive
From: Anshuman Anil Deshmukh <anshuman () cybage com>
Date: Wed, 29 Jul 2015 07:37:39 +0000
Kindly respond. Regards, Anshuman From: Anshuman Anil Deshmukh [mailto:anshuman () cybage com] Sent: Monday, July 27, 2015 2:14 PM To: snort-users () lists sourceforge net Subject: Re: [Snort-users] [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Hi, Here is the rule- alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a GIF file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".gif"; nocase; http_uri; content:!"widgetserver.com"; nocase; http_header; pcre:"/\.gif([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,labs.snort.org/docs/24105.txt; classtype:non-standard-protocol; sid:24105; rev:9;) Regards, Anshuman From: 강명훈 [mailto:mhkang589 () gmail com] Sent: Friday, July 24, 2015 5:34 PM To: Anshuman Anil Deshmukh Subject: Re: [Snort-users] [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Dear anshuman, Can you show me the rule? Best regards. 2015-07-24 19:26 GMT+09:00 Anshuman Anil Deshmukh <anshuman () cybage com<mailto:anshuman () cybage com>>: Hi, We see lots of alerts with signature “MALWARE-OTHER HTTP POST” request to a GIF file. We believe this is possibly a false positive as all the requests are going to a legitimate website msn.com<http://msn.com>. I am positing here the payload data for two of such alerts (One from a Windows system and other from a Linux system). Kindly check. Payload for Windows System: 0000000: 50 4f 53 54 20 2f 63 2e 67 69 66 3f 20 48 54 54 50 2f 31 2e 31 0d 0a 41 63 63 POST./c.gif?.HTTP/1.1..Acc 000001A: 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 61 70 ept:.*/*..Content-Type:.ap 0000034: 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f 6e 3b 20 63 68 61 72 73 65 74 3d 75 74 plication/json;.charset=ut 000004E: 66 2d 38 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 77 77 2e 6d f-8..Referer:.http://www.m 0000068: 73 6e 2e 63 6f 6d 2f 65 6e 2d 69 6e 2f 3f 6f 63 69 64 3d 69 65 68 70 26 41 52 sn.com/en-in/?ocid=iehp&AR<http://sn.com/en-in/?ocid=iehp&AR> 0000082: 3d 34 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 55 53 =4..Accept-Language:.en-US 000009C: 2c 65 6e 3b 71 3d 30 2e 35 0d 0a 4f 72 69 67 69 6e 3a 20 68 74 74 70 3a 2f 2f ,en;q=0.5..Origin:.http:// 00000B6: 77 77 77 2e 6d 73 6e 2e 63 6f 6d 0d 0a 41 63 63 65 70 74 2d 45 6e 63 6f 64 69 www.msn.com..Accept-Encodi<http://www.msn.com..Accept-Encodi> 00000D0: 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 65 0d 0a 55 73 65 72 2d 41 67 ng:.gzip,.deflate..User-Ag 00000EA: 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f 35 2e 30 20 28 57 69 6e 64 6f 77 73 20 ent:.Mozilla/5.0.(Windows. 0000104: 4e 54 20 36 2e 33 3b 20 57 4f 57 36 34 3b 20 54 72 69 64 65 6e 74 2f 37 2e 30 NT.6.3;.WOW64;.Trident/7.0 000011E: 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69 6b 65 20 47 65 63 6b 6f 0d 0a 48 6f 73 ;.rv:11.0).like.Gecko..Hos 0000138: 74 3a 20 6f 74 66 2e 6d 73 6e 2e 63 6f 6d 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 t:.otf.msn.com..Content-Le 0000152: 6e 67 74 68 3a 20 34 36 37 0d 0a 44 4e 54 3a 20 31 0d 0a 43 6f 6e 6e 65 63 74 ngth:.467..DNT:.1..Connect 000016C: 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69 76 65 0d 0a 43 61 63 68 65 2d 43 6f 6e ion:.Keep-Alive..Cache-Con 0000186: 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68 65 0d 0a 0d 0a trol:.no-cache.... Payload for Linux System: 0000000: 50 4f 53 54 20 2f 63 2e 67 69 66 3f 20 48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73 POST./c.gif?.HTTP/1.1..Hos 000001A: 74 3a 20 6f 74 66 2e 6d 73 6e 2e 63 6f 6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e t:.otf.msn.com..Connection 0000034: 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67 :.keep-alive..Content-Leng 000004E: 74 68 3a 20 35 30 36 36 0d 0a 4f 72 69 67 69 6e 3a 20 68 74 74 70 3a 2f 2f 77 th:.5066..Origin:.http://w 0000068: 77 77 2e 6d 73 6e 2e 63 6f 6d 0d 0a 55 73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f ww.msn.com..User-Agent:.Mo 0000082: 7a 69 6c 6c 61 2f 35 2e 30 20 28 58 31 31 3b 20 4c 69 6e 75 78 20 78 38 36 5f zilla/5.0.(X11;.Linux.x86_ 000009C: 36 34 29 20 41 70 70 6c 65 57 65 62 4b 69 74 2f 35 33 37 2e 33 36 20 28 4b 48 64).AppleWebKit/537.36.(KH 00000B6: 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63 6b 6f 29 20 43 68 72 6f 6d 65 2f 34 33 TML,.like.Gecko).Chrome/43 00000D0: 2e 30 2e 32 33 35 37 2e 31 33 30 20 53 61 66 61 72 69 2f 35 33 37 2e 33 36 0d .0.2357.130.Safari/537.36. 00000EA: 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65 3a 20 61 70 70 6c 69 63 61 74 69 6f 6e .Content-type:.application 0000104: 2f 6a 73 6f 6e 3b 20 63 68 61 72 73 65 74 3d 55 54 46 2d 38 0d 0a 41 63 63 65 /json;.charset=UTF-8..Acce 000011E: 70 74 3a 20 2a 2f 2a 0d 0a 52 65 66 65 72 65 72 3a 20 68 74 74 70 3a 2f 2f 77 pt:.*/*..Referer:.http://w 0000138: 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 65 6e 2d 69 6e 2f 6e 65 77 73 2f 70 68 6f 74 ww.msn.com/en-in/news/phot<http://ww.msn.com/en-in/news/phot> 0000152: 6f 73 2f 70 69 63 74 75 72 65 73 2d 6f 66 2d 74 68 65 2d 77 65 65 6b 2d 6a 75 os/pictures-of-the-week-ju 000016C: 6c 79 2d 32 34 2d 32 30 31 35 2f 73 73 2d 41 41 64 70 44 66 33 0d 0a 41 63 63 ly-24-2015/ss-AAdpDf3..Acc 0000186: 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66 6c 61 74 ept-Encoding:.gzip,.deflat 00001A0: 65 0d 0a 41 63 63 65 70 74 2d 4c 61 6e 67 75 61 67 65 3a 20 65 6e 2d 55 53 2c e..Accept-Language:.en-US, 00001BA: 65 6e 3b 71 3d 30 2e 38 0d 0a 0d 0a en;q=0.8.... Regards, Anshuman Anil Deshmukh | Sr. IS Analyst - Security Cybage Software Pvt. Ltd. (An ISO 27001 company) Phone : 91-20-66041700, 91-20-66044700 (Ext. 6114) Fax: 91-20-66041701 & 66041702 Cell: 91-99230-51641 "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com> ------------------------------------------------------------------------------ _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news! -- [https://docs.google.com/uc?export=download&id=0B7ATpknBcvVQNTVxQ3ZqRUxzVGs&revid=0B7ATpknBcvVQcnJ5TkRaOEJlRnB5azh1N3M0RjB4a2NIOFNnPQ] kangmyounghun.blogspot.kr<http://kangmyounghun.blogspot.kr/> kr.linkedin.com/pub/myounghun-kang/74/238/93a<http://kr.linkedin.com/pub/myounghun-kang/74/238/93a> "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com> "Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com
------------------------------------------------------------------------------
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 24)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Jeremy Hoel (Jul 24)
- Message not available
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 27)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 29)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Joel Esler (jesler) (Jul 29)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Aug 13)
- Re: [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive Anshuman Anil Deshmukh (Jul 27)