r1 - 22 Mar 2008 - 21:43:58 - MattJonkman

Gzip'd POSTS

This is an experimental signature. Many malware packages now send a gzip'd HTTP POST in order to hide parameters and other data from real-time IDS.

Gzipping is a legal POST encoding, but it's very rarely used on a POST; it is far more common on downloads. Generally the poster has little idea of what the server will accept, and so usually doesn't compress. And most POSTs aren't large enough to get much benefit from gzipping.

Signature 2008045 is up to test this theory. It has initially been tested on a smaller scale. Please report false positives!
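The detection idea above (a POST whose body is gzip'd is unusual enough to be worth an alert) can be prototyped outside the IDS. The following is an added example written for this page, not the Emerging Threats rule itself and not code from the original post: it parses a raw HTTP/1.x request, flags a POST that either declares `Content-Encoding: gzip` or carries a body starting with the gzip magic bytes (so a sender that compresses without declaring it is still caught), and decompresses a flagged body with a size cap so an analyst can review the hidden parameters. All sample requests, hostnames and parameter values are constructed for the demo.

```python
import gzip
import io

GZIP_MAGIC = b"\x1f\x8b"  # first two bytes of every gzip stream


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, headers, body).

    Header names are lower-cased so lookups are case-insensitive."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method = lines[0].split(b" ", 1)[0].decode("ascii", "replace").upper()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("ascii", "replace")] = (
            value.strip().decode("ascii", "replace")
        )
    return method, headers, body


def is_gzipped_post(raw: bytes) -> dict:
    """Verdict for one request: flagged when the method is POST and the body is
    gzip'd, either by declaration (Content-Encoding) or by magic bytes."""
    method, headers, body = parse_request(raw)
    declares_gzip = "gzip" in headers.get("content-encoding", "").lower()
    has_magic = body[:2] == GZIP_MAGIC
    return {
        "method": method,
        "declares_gzip": declares_gzip,
        "gzip_magic": has_magic,
        "flagged": method == "POST" and (declares_gzip or has_magic),
    }


def decode_body_for_review(body: bytes, limit: int = 1 << 20):
    """Decompress a gzip'd body for analyst review, reading at most `limit`
    bytes so a decompression bomb cannot exhaust memory. Returns None when the
    body is not gzip or is corrupt/truncated."""
    if body[:2] != GZIP_MAGIC:
        return None
    try:
        with gzip.GzipFile(fileobj=io.BytesIO(body)) as gz:
            return gz.read(limit)
    except (OSError, EOFError):  # BadGzipFile is an OSError subclass
        return None


def build_sample_requests() -> dict:
    """Constructed sample traffic (hypothetical hosts and parameters)."""
    params = b"host=lab-pc&ver=1.0"
    packed = gzip.compress(params)
    length = str(len(packed)).encode()
    declared = (b"POST /gateway.php HTTP/1.1\r\nHost: example.invalid\r\n"
                b"Content-Encoding: gzip\r\nContent-Length: " + length +
                b"\r\n\r\n" + packed)
    # Same compressed body, but the sender does not admit to the encoding;
    # only the magic-byte check catches this one.
    undeclared = (b"POST /gateway.php HTTP/1.1\r\nHost: example.invalid\r\n"
                  b"Content-Type: application/octet-stream\r\nContent-Length: " +
                  length + b"\r\n\r\n" + packed)
    plain = (b"POST /login HTTP/1.1\r\nHost: example.invalid\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\n\r\nuser=alice")
    # A GET asking for a gzip'd download is the common, legitimate case and must not fire.
    gz_get = (b"GET /file.tar.gz HTTP/1.1\r\nHost: example.invalid\r\n"
              b"Accept-Encoding: gzip\r\n\r\n")
    return {"declared": declared, "undeclared": undeclared,
            "plain": plain, "gz_get": gz_get}


SAMPLES = build_sample_requests()

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = is_gzipped_post(raw)
        print(name, verdict)
        if verdict["flagged"]:
            print("  decoded:", decode_body_for_review(parse_request(raw)[2]))
```

The magic-byte check is what makes the detector robust against a client that compresses without a `Content-Encoding` header, and the read cap in `decode_body_for_review` is the defender's guard against a compressed body that inflates to far more than its wire size.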

-- MattJonkman - 22 Mar 2008

Emerging Threats