RSA Admin

Parsing the HTTP ACCEPT Codes

Discussion created by RSA Admin Employee on Oct 1, 2012

I had an unusual request for a use case by a customer last week. They wanted to be able to identify when a webserver issued an "Accept: Accept: */*" in the request. I've rarely bothered to look in that line of the HTML request until the customer pointed me to this article, which shows how some malware evades detection or can communicate via these ACCEPT requests:

 

http://blog.lastline.com/post/17789095174/real-world-signature-evasion-by-malware

 

In the blog, they mention the following specific thing to watch for:

POST /Count/Count.asp HTTP/1.1
Accept: Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: MyApp
Host: www.baidu.com
Content-Length: 85
Cache-Control: no-cache

Mac=12-34-56-78-90-12&Os=Windows+XP&Ver=20091107&Key=..

 

So I modified an old parser I had lying around to pull out everything after the "Accept: " line to populate a meta key.

 

I chose to use the meta key result.code; it's a key that is intended for use with NWFL, but the customer isn't using that feature, and these keys can be used without special modification of the index.

 

Here is the parser, and I called it "accept.parser"

 

<?xml version="1.0" encoding="utf-8"?>
<parsers xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="parsers.xsd">
    <parser name="ACCEPT" desc="This extracts the ACCEPT code from the Accept http line">
        <declaration>
            <!-- literal token to hunt for, anchored to the start of a line -->
            <token name="tAccept" value="Accept: " options="linestart" />
            <!-- offset of the CRLF that ends the header line -->
            <number name="vAcceptPosition" scope="stream" />
            <!-- the header value read out of the line -->
            <string name="vAccept" scope="stream" />
            <!-- populate result.code with that value -->
            <meta name="meta" key="result.code" format="Text" />
        </declaration>

        <match name="tAccept">
            <!-- look at most 512 bytes ahead for the end of the line ... -->
            <find name="vAcceptPosition" value="&#x0d;&#x0a;" length="512">
                <!-- ... and read everything between the token and the CRLF -->
                <read name="vAccept" length="$vAcceptPosition">
                    <register name="meta" value="$vAccept" />
                </read>
            </find>
        </match>
    </parser>
</parsers>

 

The results in my test data set did show some unusual outliers for analysis. A good way to capture the rarest nuggets from the results is to run an Informer report looking for the rarest 30 result.codes.

 


 

Feel free to deploy this and if you find anything really cool, be sure to share.
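The same extraction done in plain Python, as an added example and not the NetWitness parser from the post: it finds "Accept:" at the start of a header line, reads to the end of that line, keeps the value as a result.code-style field, flags values that repeat the header name (the "Accept: Accept: */*" pattern from the Lastline write-up), and produces a least-common-values list like the "rarest 30" Informer report. The sample requests are constructed here; the first copies the request quoted above. Unlike the literal token in the parser, this version matches the header name case-insensitively, and it only looks at the header block so a body containing the string is not mistaken for a header.

```python
"""Extract HTTP Accept values from raw requests and flag odd ones.

Added example (not the NetWitness parser from the post). Sample
requests below are constructed for this example.
"""
from __future__ import annotations

import re
from collections import Counter

# "Accept:" at line start, then the rest of that line (no CR/LF).
# "Accept-Encoding:" etc. do not match because the colon must follow "Accept".
ACCEPT_RE = re.compile(rb"^Accept:[ \t]*([^\r\n]*)", re.IGNORECASE | re.MULTILINE)

# --- constructed sample requests -------------------------------------------
REQ_MALWARE = (  # copy of the request quoted in the post / Lastline blog
    b"POST /Count/Count.asp HTTP/1.1\r\n"
    b"Accept: Accept: */*\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"User-Agent: MyApp\r\n"
    b"Host: www.baidu.com\r\n"
    b"Content-Length: 85\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"Mac=12-34-56-78-90-12&Os=Windows+XP&Ver=20091107&Key=.."
)
REQ_BROWSER = (  # ordinary browser request (hypothetical host)
    b"GET / HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Accept: text/html,application/xhtml+xml\r\n"
    b"Accept-Language: en-US\r\n"
    b"\r\n"
)
REQ_NO_ACCEPT = (  # no Accept header at all; Accept-Encoding must not match
    b"GET /img.png HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Accept-Encoding: gzip\r\n"
    b"\r\n"
)
REQ_BODY_TRAP = (  # the suspicious string appears only in the body
    b"POST /x HTTP/1.1\r\n"
    b"Host: example.com\r\n"
    b"Accept: */*\r\n"
    b"Content-Length: 17\r\n"
    b"\r\n"
    b"Accept: Accept: x"
)
SAMPLE_REQUESTS = [REQ_MALWARE, REQ_BROWSER, REQ_BROWSER, REQ_NO_ACCEPT, REQ_BODY_TRAP]


def extract_accept(raw: bytes) -> list[str]:
    """Return every Accept header value in the request's header block."""
    head = raw.split(b"\r\n\r\n", 1)[0]  # headers only; ignore the body
    return [m.group(1).decode("latin-1").rstrip() for m in ACCEPT_RE.finditer(head)]


def is_suspicious(value: str) -> bool:
    """True for an empty value or one that repeats the header name,
    e.g. "Accept: */*" (the value left after the first "Accept: ")."""
    v = value.strip()
    return v == "" or v.lower().startswith("accept:")


def scan(requests: list[bytes]) -> list[tuple[int, str, bool]]:
    """(request index, Accept value, suspicious?) for every Accept header seen."""
    rows = []
    for idx, raw in enumerate(requests):
        for value in extract_accept(raw):
            rows.append((idx, value, is_suspicious(value)))
    return rows


def suspicious_requests(requests: list[bytes]) -> list[int]:
    """Indices of requests carrying at least one suspicious Accept value."""
    return sorted({idx for idx, _, bad in scan(requests) if bad})


def rarest(values: list[str], n: int = 30) -> list[tuple[str, int]]:
    """Least-common values with counts: the 'rarest 30 result.codes' report."""
    counts = Counter(values)
    return sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))[:n]


if __name__ == "__main__":
    rows = scan(SAMPLE_REQUESTS)
    for idx, value, bad in rows:
        print(f"request {idx}: Accept={value!r} {'<-- suspicious' if bad else ''}")
    print("rarest values:", rarest([v for _, v, _ in rows]))
    print("suspicious requests:", suspicious_requests(SAMPLE_REQUESTS))
```

The rarity list is the part worth keeping: a doubled header name is only one way for a bot's hand-written HTTP to look wrong, and sorting Accept values by how seldom they occur surfaces the others without having to guess the string in advance.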
