[Snort-users] [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive

Anshuman Anil Deshmukh anshuman at ...16510...
Thu Aug 13 06:48:14 EDT 2015


Jeremy,

You said we can modify this rule to exclude msn.com<http://msn.com>. It should be done using configuration in file threshold.conf. Right?


Regards,
Anshuman

From: Joel Esler (jesler) [mailto:jesler at ...589...]
Sent: Wednesday, July 29, 2015 8:21 PM
To: Anshuman Anil Deshmukh
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive

Well, it’s not a false positive.  The rule is looking for a POST to a Gif file.  That’s exactly what it is.

--
Joel Esler
Manager, Threat Intelligence Team & Open Source
Talos Group
http://www.talosintel.com


On Jul 29, 2015, at 3:37 AM, Anshuman Anil Deshmukh <anshuman at ...16510...<mailto:anshuman at ...16510...>> wrote:

Kindly respond.


Regards,
Anshuman

From: Anshuman Anil Deshmukh [mailto:anshuman at ...16510...]
Sent: Monday, July 27, 2015 2:14 PM
To: snort-users at lists.sourceforge.net<mailto:snort-users at lists.sourceforge.net>
Subject: Re: [Snort-users] [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive

Hi,

Here is the rule-

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"MALWARE-OTHER HTTP POST request to a GIF file"; flow:to_server,established; content:"POST"; nocase; http_method; urilen:<50; content:".gif"; nocase; http_uri; content:!"widgetserver.com<http://widgetserver.com/>"; nocase; http_header; pcre:"/\.gif([\?\x5c\x2f]|$)/Usmi"; metadata:service http; reference:url,labs.snort.org/docs/24105.txt<http://labs.snort.org/docs/24105.txt>; classtype:non-standard-protocol; sid:24105; rev:9;)


Regards,
Anshuman

From: 강명훈 [mailto:mhkang589 at ...11827...]
Sent: Friday, July 24, 2015 5:34 PM
To: Anshuman Anil Deshmukh
Subject: Re: [Snort-users] [Signature: MALWARE-OTHER HTTP POST request to a GIF file] Possible false positive

Dear anshuman,

Can you show me the rule?

Best regards.

2015-07-24 19:26 GMT+09:00 Anshuman Anil Deshmukh <anshuman at ...16510...<mailto:anshuman at ...16510...>>:
Hi,

We see lots of alerts with signature “MALWARE-OTHER HTTP POST” request to a GIF file. We believe this is possibly a false positive as all the requests are going to a legitimate website msn.com<http://msn.com/>.

I am positing here the payload data for two of such alerts (One from a Windows system and other from a Linux system).

Kindly check.

Payload for Windows System:
0000000: 50 4f 53 54 20 2f 63 2e 67 69 66 3f 20   48 54 54 50 2f 31 2e 31 0d 0a 41 63 63  POST./c.gif?.HTTP/1.1..Acc
000001A: 65 70 74 3a 20 2a 2f 2a 0d 0a 43 6f 6e   74 65 6e 74 2d 54 79 70 65 3a 20 61 70  ept:.*/*..Content-Type:.ap
0000034: 70 6c 69 63 61 74 69 6f 6e 2f 6a 73 6f   6e 3b 20 63 68 61 72 73 65 74 3d 75 74  plication/json;.charset=ut
000004E: 66 2d 38 0d 0a 52 65 66 65 72 65 72 3a   20 68 74 74 70 3a 2f 2f 77 77 77 2e 6d  f-8..Referer:.http://www.m<http://www.m/>
0000068: 73 6e 2e 63 6f 6d 2f 65 6e 2d 69 6e 2f   3f 6f 63 69 64 3d 69 65 68 70 26 41 52  sn.com/en-in/?ocid=iehp&AR<http://sn.com/en-in/?ocid=iehp&AR>
0000082: 3d 34 0d 0a 41 63 63 65 70 74 2d 4c 61   6e 67 75 61 67 65 3a 20 65 6e 2d 55 53  =4..Accept-Language:.en-US
000009C: 2c 65 6e 3b 71 3d 30 2e 35 0d 0a 4f 72   69 67 69 6e 3a 20 68 74 74 70 3a 2f 2f  ,en;q=0.5..Origin:.http://
00000B6: 77 77 77 2e 6d 73 6e 2e 63 6f 6d 0d 0a   41 63 63 65 70 74 2d 45 6e 63 6f 64 69  www.msn.com..Accept-Encodi<http://www.msn.com..accept-encodi/>
00000D0: 6e 67 3a 20 67 7a 69 70 2c 20 64 65 66   6c 61 74 65 0d 0a 55 73 65 72 2d 41 67  ng:.gzip,.deflate..User-Ag
00000EA: 65 6e 74 3a 20 4d 6f 7a 69 6c 6c 61 2f   35 2e 30 20 28 57 69 6e 64 6f 77 73 20  ent:.Mozilla/5.0.(Windows.
0000104: 4e 54 20 36 2e 33 3b 20 57 4f 57 36 34   3b 20 54 72 69 64 65 6e 74 2f 37 2e 30  NT.6.3;.WOW64;.Trident/7.0
000011E: 3b 20 72 76 3a 31 31 2e 30 29 20 6c 69   6b 65 20 47 65 63 6b 6f 0d 0a 48 6f 73  ;.rv:11.0).like.Gecko..Hos
0000138: 74 3a 20 6f 74 66 2e 6d 73 6e 2e 63 6f   6d 0d 0a 43 6f 6e 74 65 6e 74 2d 4c 65  t:.otf.msn.com<http://otf.msn.com/>..Content-Le
0000152: 6e 67 74 68 3a 20 34 36 37 0d 0a 44 4e   54 3a 20 31 0d 0a 43 6f 6e 6e 65 63 74  ngth:.467..DNT:.1..Connect
000016C: 69 6f 6e 3a 20 4b 65 65 70 2d 41 6c 69   76 65 0d 0a 43 61 63 68 65 2d 43 6f 6e  ion:.Keep-Alive..Cache-Con
0000186: 74 72 6f 6c 3a 20 6e 6f 2d 63 61 63 68   65 0d 0a 0d 0a                          trol:.no-cache....

Payload for Linux System:

0000000: 50 4f 53 54 20 2f 63 2e 67 69 66 3f 20   48 54 54 50 2f 31 2e 31 0d 0a 48 6f 73  POST./c.gif?.HTTP/1.1..Hos

000001A: 74 3a 20 6f 74 66 2e 6d 73 6e 2e 63 6f   6d 0d 0a 43 6f 6e 6e 65 63 74 69 6f 6e  t:.otf.msn.com<http://otf.msn.com/>..Connection

0000034: 3a 20 6b 65 65 70 2d 61 6c 69 76 65 0d   0a 43 6f 6e 74 65 6e 74 2d 4c 65 6e 67  :.keep-alive..Content-Leng

000004E: 74 68 3a 20 35 30 36 36 0d 0a 4f 72 69   67 69 6e 3a 20 68 74 74 70 3a 2f 2f 77  th:.5066..Origin:.http://w<http://w/>

0000068: 77 77 2e 6d 73 6e 2e 63 6f 6d 0d 0a 55   73 65 72 2d 41 67 65 6e 74 3a 20 4d 6f  ww.msn.com<http://ww.msn.com/>..User-Agent:.Mo

0000082: 7a 69 6c 6c 61 2f 35 2e 30 20 28 58 31   31 3b 20 4c 69 6e 75 78 20 78 38 36 5f  zilla/5.0.(X11;.Linux.x86_

000009C: 36 34 29 20 41 70 70 6c 65 57 65 62 4b   69 74 2f 35 33 37 2e 33 36 20 28 4b 48  64).AppleWebKit/537.36.(KH

00000B6: 54 4d 4c 2c 20 6c 69 6b 65 20 47 65 63   6b 6f 29 20 43 68 72 6f 6d 65 2f 34 33  TML,.like.Gecko).Chrome/43

00000D0: 2e 30 2e 32 33 35 37 2e 31 33 30 20 53   61 66 61 72 69 2f 35 33 37 2e 33 36 0d  .0.2357.130.Safari/537.36.

00000EA: 0a 43 6f 6e 74 65 6e 74 2d 74 79 70 65   3a 20 61 70 70 6c 69 63 61 74 69 6f 6e  .Content-type:.application

0000104: 2f 6a 73 6f 6e 3b 20 63 68 61 72 73 65   74 3d 55 54 46 2d 38 0d 0a 41 63 63 65  /json;.charset=UTF-8..Acce

000011E: 70 74 3a 20 2a 2f 2a 0d 0a 52 65 66 65   72 65 72 3a 20 68 74 74 70 3a 2f 2f 77  pt:.*/*..Referer:.http://w<http://w/>

0000138: 77 77 2e 6d 73 6e 2e 63 6f 6d 2f 65 6e   2d 69 6e 2f 6e 65 77 73 2f 70 68 6f 74  ww.msn.com/en-in/news/phot<http://ww.msn.com/en-in/news/phot>

0000152: 6f 73 2f 70 69 63 74 75 72 65 73 2d 6f   66 2d 74 68 65 2d 77 65 65 6b 2d 6a 75  os/pictures-of-the-week-ju

000016C: 6c 79 2d 32 34 2d 32 30 31 35 2f 73 73   2d 41 41 64 70 44 66 33 0d 0a 41 63 63  ly-24-2015/ss-AAdpDf3..Acc

0000186: 65 70 74 2d 45 6e 63 6f 64 69 6e 67 3a   20 67 7a 69 70 2c 20 64 65 66 6c 61 74  ept-Encoding:.gzip,.deflat

00001A0: 65 0d 0a 41 63 63 65 70 74 2d 4c 61 6e   67 75 61 67 65 3a 20 65 6e 2d 55 53 2c  e..Accept-Language:.en-US,

00001BA: 65 6e 3b 71 3d 30 2e 38 0d 0a 0d 0a                                              en;q=0.8....


Regards,
Anshuman Anil Deshmukh | Sr. IS Analyst - Security
Cybage Software Pvt. Ltd. (An ISO 27001 company)
Phone : 91-20-66041700, 91-20-66044700 (Ext. 6114)
Fax: 91-20-66041701 & 66041702
Cell: 91-99230-51641



"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com/>

------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!



--
[https://docs.google.com/uc?export=download&id=0B7ATpknBcvVQNTVxQ3ZqRUxzVGs&revid=0B7ATpknBcvVQcnJ5TkRaOEJlRnB5azh1N3M0RjB4a2NIOFNnPQ]
kangmyounghun.blogspot.kr<http://kangmyounghun.blogspot.kr/>
kr.linkedin.com/pub/myounghun-kang/74/238/93a<http://kr.linkedin.com/pub/myounghun-kang/74/238/93a>
"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com/>
"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com<http://www.cybage.com/>
------------------------------------------------------------------------------
_______________________________________________
Snort-users mailing list
Snort-users at lists.sourceforge.net<mailto:Snort-users at lists.sourceforge.net>
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!


"Legal Disclaimer: This electronic message and all contents contain information from Cybage Software Private Limited which may be privileged, confidential, or otherwise protected from disclosure. The information is intended to be for the addressee(s) only. If you are not an addressee, any disclosure, copy, distribution, or use of the contents of this message is strictly prohibited. If you have received this electronic message in error please notify the sender by reply e-mail to and destroy the original message and all copies. Cybage has taken every reasonable precaution to minimize the risk of malicious content in the mail, but is not liable for any damage you may sustain as a result of any malicious content in this e-mail. You should carry out your own malicious content checks before opening the e-mail or attachment." www.cybage.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20150813/f632f3b4/attachment.html>


More information about the Snort-users mailing list