Rule

--
Sid
24110

--
Summary:
This event is generated when an HTTP POST request is made to a URL indicating that the remote file is an MP3 file.

--
Impact:
Likely obfuscation of malicious data being sent to a command and control server. Audio files typically do not accept POST parameters for processing.

--
Detailed Information:
HTTP POST requests are typically reserved for scenarios where a client is sending data to a server for processing, such as a credit card submission form or an email sign-up page. Typical URLs that receive POST requests are for CGI systems of some sort - .cgi, .php, .pl, .aspx, etc. In standards-conformant scenarios, a POST to an audio file would be useless, as the recording has no way of accepting form input and sending appropriate data back out. While some systems will allow for data to be sent along with a request for an audio file (so that, for example, a particular portion of the file would be sent back), the remote server is still running some sort of script or logic before serving up the requested file.

The Sourcefire VRT has observed thousands of distinct pieces of malware which name the script they use to process command and control channels after a media file in order to evade detection. This rule will fire when a POST is made to an MP3 file, which is one of the common ways to obfuscate command and control channels.

--
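The detection idea described above, as an added example (this is not the Snort rule's own content, which is not reproduced on this page): a small Python matcher that flags an HTTP POST whose request path ends in .mp3, ignoring case and query strings, run over constructed sample requests.

```python
"""Toy re-implementation of the detection logic described for SID 24110:
flag an HTTP POST whose request URI names an .mp3 file. Added example, not
the Snort rule itself; all sample requests below are constructed."""
from urllib.parse import urlsplit

SUSPECT_EXTENSIONS = (".mp3",)


def parse_request_line(raw: bytes):
    """Return (method, uri) from the first line of an HTTP request, or None
    when the data does not look like an HTTP request line at all."""
    first_line = raw.split(b"\r\n", 1)[0]
    parts = first_line.split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    return parts[0].decode("ascii", "replace"), parts[1].decode("ascii", "replace")


def is_post_to_media_file(raw: bytes) -> bool:
    """True when the request is a POST and the URI path (query string and
    fragment stripped, case-folded) ends in one of SUSPECT_EXTENSIONS."""
    parsed = parse_request_line(raw)
    if parsed is None:
        return False
    method, uri = parsed
    if method != "POST":
        return False
    path = urlsplit(uri).path.lower()  # handles both "/a.mp3?x=1" and absolute-form URIs
    return path.endswith(SUSPECT_EXTENSIONS)


# Constructed samples: two that should alert, two benign, one non-HTTP blob
SAMPLES = {
    "c2_post_mp3": b"POST /media/track01.mp3 HTTP/1.1\r\nHost: example.invalid\r\n\r\nid=1",
    "c2_post_mp3_query": b"POST /s/song.MP3?x=1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "benign_get_mp3": b"GET /media/track01.mp3 HTTP/1.1\r\nHost: example.invalid\r\n\r\n",
    "benign_post_php": b"POST /signup.php HTTP/1.1\r\nHost: example.invalid\r\n\r\nemail=a",
    "garbage": b"\x00\x01not http at all",
}


def scan(samples=SAMPLES):
    """Map each sample name to whether the matcher would raise an alert."""
    return {name: is_post_to_media_file(req) for name, req in samples.items()}


if __name__ == "__main__":
    for name, hit in scan().items():
        print(f"{name:20} {'ALERT' if hit else 'ok'}")
```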
Affected Systems:
Any machine sending a request like this is potentially infected, if the remote host does not appear to be legitimate.

--
Attack Scenarios:
This will typically be generated by a system which has already been infected with some form of malware.

--
Ease of Attack:
Simple. Exploits exist.

--
False Positives:
None known.

--
False Negatives:
None known.

--
Corrective Action:
Examine the packet for signs that the request is being made to a malicious and/or compromised server. Check for other IDS or other tool events related to the TCP stream in question. Verify patch levels and antimalware solutions, such as FireAMP, on the endpoint host. If malware appears to be present, consider rebuilding the impacted machine.

--
Contributors:
Sourcefire Vulnerability Research Team

--
Additional References:
None.

--
