Signature Detail

Short Name	HTTP:STC:IMG:NOT-JPEG
Severity	Medium
Recommended	Yes
Recommended Action	Drop
Category	HTTP
Keywords	not jpeg
Release Date	2005/10/28
Update Number	1213
Supported Platforms	idp-4.0+, isg-3.4+, j-series-9.5+, mx-9.4+, srx-9.2+, srx-branch-9.4+, vsrx-12.1+

HTTP: Data is Not JPEG

This anomaly is triggered if a mismatch is detected between the content type "image/jpeg" and the actual data. The JPEG data should start from the pattern "ff d8 ff." Recent malware Command and Control ("C&C") channels use encrypted data with "jpeg" file extensions, but they are not well-formed JPEG files and will be detected by this anomaly.

Extended Description

None

References

URL: http://www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf
URL: http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/
URL: http://www.obrador.com/essentialjpeg/headerinfo.htm

Signature Detail

Short Name

Severity

Recommended

Recommended Action

Category

Keywords

Release Date

Update Number

Supported Platforms

HTTP: Data is Not JPEG

Extended Description

References