[Snort-sigs] Interesting article

Rodrigo Montoro(Sp0oKeR) spooker at ...2420...
Mon Oct 28 15:14:54 EDT 2013

I did a research 2 years ago about mostly this blogpost. I did a
presentation at SecTor 2011.

HTTP Header Hunter - Looking for malicious behavior into your http header
traffic - Rodrigo Montoro

Most malware uses HTTP/HTTPS to call home or install other parts of a
malicious action. Since thousands and thousands of samples appear daily, it
is almost impossible to create signatures to dectect all malicious

Based on this problem, we started to analyze common headers and behaviors
for malicious connections based on Spiderlabs research analysis and lot of
packet captures from various sources. With that info, we scored each header
in an HTTP request and based that score on the frequency that it appears,
blacklisting, and a few other tricks.

Our goal with this initial presentation and PoC is to show that we can
score HTTP headers as a way to find malicious activity in HTTP/HTTPS


Pretty hard to create snort rules for that without FPs.

On Fri, Oct 25, 2013 at 12:25 PM, James Lay <jlay at ...3266...>wrote:

> http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-new-way-to-detect-botnets
> Wonder if this is something to think about sigging....
> James
> ------------------------------------------------------------------------------
> October Webinars: Code for Performance
> Free Intel webinars can help you accelerate application performance.
> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most
> from
> the latest Intel processors and coprocessors. See abstracts and register >
> http://pubads.g.doubleclick.net/gampad/clk?id=60135991&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!

Rodrigo Montoro (Sp0oKeR)
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20131028/a5393a2f/attachment.html>

More information about the Snort-sigs mailing list