Snort mailing list archives
Re: Interesting article
From: "Rodrigo Montoro(Sp0oKeR)" <spooker () gmail com>
Date: Mon, 28 Oct 2013 17:14:54 -0200
I did research 2 years ago about mostly this blogpost. I did a presentation at SecTor 2011.

HTTP Header Hunter - Looking for malicious behavior into your http header traffic - Rodrigo Montoro

Most malware uses HTTP/HTTPS to call home or install other parts of a malicious action. Since thousands and thousands of samples appear daily, it is almost impossible to create signatures to detect all malicious activities. Based on this problem, we started to analyze common headers and behaviors for malicious connections based on Spiderlabs research analysis and a lot of packet captures from various sources. With that info, we scored each header in an HTTP request and based that score on the frequency that it appears, blacklisting, and a few other tricks. Our goal with this initial presentation and PoC is to show that we can score HTTP headers as a way to find malicious activity in HTTP/HTTPS traffic.

http://www.esecurityplanet.com/news/looking-for-malicious-traffic-in-http-headers.html

Pretty hard to create Snort rules for that without FPs.

On Fri, Oct 25, 2013 at 12:25 PM, James Lay <jlay () slave-tothe-box net> wrote:
> http://blogs.mcafee.com/mcafee-labs/periodic-links-to-control-server-offer-new-way-to-detect-botnets
>
> Wonder if this is something to think about sigging....
>
> James
>
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
> Please visit http://blog.snort.org for the latest news about Snort!
--
Rodrigo Montoro (Sp0oKeR)
http://spookerlabs.blogspot.com
http://www.twitter.com/spookerlabs
http://www.linkedin.com/in/spooker
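The message above describes scoring each header of an HTTP request by how often it appears in normal traffic, plus blacklisting and a few other tricks, instead of writing one signature per sample. The following is an added illustration of that idea written for this archive page; it is not code from the SecTor talk, from Spiderlabs or from Snort. The baseline frequencies, the expected-header list, the User-Agent blacklist, the point weights and the two sample requests are all constructed for the example, and the threshold in `is_suspicious` is an assumption an analyst would tune against their own traffic.

```python
"""Score HTTP request headers to flag requests that do not look like a browser.

Constructed example: baseline frequencies, weights, blacklist and sample
requests are illustrative, not measured from real traffic.
"""
from __future__ import annotations

import ipaddress

# Constructed baseline: fraction of browser requests carrying each header.
# Headers absent from this table are treated as rare (frequency 0.0).
BASELINE_FREQ = {
    "host": 1.0,
    "user-agent": 0.99,
    "accept": 0.97,
    "accept-language": 0.90,
    "accept-encoding": 0.92,
    "connection": 0.85,
    "referer": 0.60,
    "cookie": 0.55,
    "cache-control": 0.30,
    "content-type": 0.15,
    "content-length": 0.15,
    "pragma": 0.10,
}

# Headers a browser request is expected to carry; each absence is scored.
EXPECTED = ("accept", "accept-language", "accept-encoding")

# Constructed blacklist of User-Agent fragments (lower-cased substring match).
UA_BLACKLIST = ("mozilla/4.0 (compatible; msie 6.0; windows nt 5.1)",)


def parse_request(raw: str) -> tuple[str, list[tuple[str, str]]]:
    """Split a raw HTTP/1.x request head into the request line and
    (name, value) pairs. Names are lower-cased; order is preserved."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def _is_bare_ip(host: str) -> bool:
    """True when the Host value (port stripped) is a literal IP address."""
    try:
        ipaddress.ip_address(host.rsplit(":", 1)[0])
        return True
    except ValueError:
        return False


def score_request(raw: str) -> tuple[int, list[str]]:
    """Return (score, reasons); higher score = less browser-like.
    Every rule adds points and a reason string so an analyst can see why."""
    _, headers = parse_request(raw)
    names = [n for n, _ in headers]
    values = dict(headers)
    score, reasons = 0, []

    # 1. Headers almost every browser sends but this request lacks.
    for h in EXPECTED:
        if h not in names:
            score += 2
            reasons.append(f"missing {h}")

    # 2. Headers that are rare in the baseline (frequency below 5%).
    for n in names:
        if BASELINE_FREQ.get(n, 0.0) < 0.05:
            score += 3
            reasons.append(f"rare header {n}")

    # 3. Empty or blacklisted User-Agent.
    ua = values.get("user-agent", "").lower()
    if not ua:
        score += 4
        reasons.append("empty user-agent")
    elif any(b in ua for b in UA_BLACKLIST):
        score += 4
        reasons.append("blacklisted user-agent")

    # 4. Host given as a literal IP rather than a name (constructed heuristic).
    if _is_bare_ip(values.get("host", "")):
        score += 2
        reasons.append("host is bare IP")

    return score, reasons


def is_suspicious(raw: str, threshold: int = 8) -> bool:
    """Decision helper; the threshold is an assumption to tune per network."""
    return score_request(raw)[0] >= threshold


# Constructed sample requests (198.51.100.0/24 is a documentation range).
BENIGN_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/24.0\r\n"
    "Accept: text/html\r\n"
    "Accept-Language: en-US\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "Connection: keep-alive\r\n\r\n"
)
BEACON_REQUEST = (
    "POST /gate.php HTTP/1.1\r\n"
    "Host: 198.51.100.23\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "X-Id: 00a1b2c3\r\n"
    "Content-Length: 42\r\n\r\n"
)

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("beacon", BEACON_REQUEST)):
        s, why = score_request(req)
        print(f"{label}: score={s} suspicious={is_suspicious(req)} reasons={why}")
```

Each rule contributes both points and a reason, so a hit can be triaged rather than trusted blindly; that matters because, as the message notes, header heuristics like these produce false positives and the threshold has to be set against the traffic a given network actually carries.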
Current thread:
- Interesting article James Lay (Oct 25)
- Re: Interesting article Rodrigo Montoro(Sp0oKeR) (Oct 28)
