This is an experimental signature. Many malware packages now send their HTTP POSTs gzip'd (Content-Encoding: gzip) in order to hide the parameters and such from real-time IDS: a content match runs against the compressed bytes on the wire, so nothing inside the body is visible unless the sensor decompresses it first.
Gzipping is a legal encoding for a POST body, but it's very rarely used on a POST; it's far more common on downloads (gzip'd responses). A client generally has no idea whether the server will accept a compressed request body, and thus generally doesn't send one, and most POSTs aren't large enough to gain much from gzip'ing anyway.
This signature is up to test this theory. It's been initially tested on a smaller scale. Please report false positives!
- 22 Mar 2008
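As an added illustration (not the rule itself, which this page does not reproduce), the following Python models the idea behind the note above: flag POST requests whose body is declared gzip'd, and show why a plain content match can't see the parameters while the receiving server can. The sample messages, the host name c2.example, the URL path and the form parameters are all constructed for the example; it assumes the signature keys on the Content-Encoding header of a POST request rather than on anything in the body.

```python
import gzip
import zlib
from urllib.parse import parse_qs

# Constructed sample traffic (not captures of any real malware): the same
# form body sent as an ordinary POST, as the gzip'd POST the note
# describes, as a POST that claims gzip but isn't, as a GET, and as a
# gzip'd download (a response), which must not trip the signature.
FORM_BODY = b"id=1234&cmd=update&host=victim"


def build_request(method, path, body, content_encoding=None):
    """Build a raw HTTP/1.1 request; body is sent as given (already encoded)."""
    head = [
        f"{method} {path} HTTP/1.1",
        "Host: c2.example",  # hypothetical host, not from the original note
        "Content-Type: application/x-www-form-urlencoded",
        f"Content-Length: {len(body)}",
    ]
    if content_encoding:
        head.append(f"Content-Encoding: {content_encoding}")
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + body


def build_response(body, content_encoding=None):
    """Build a raw HTTP/1.1 200 response, the 'download' case from the note."""
    head = ["HTTP/1.1 200 OK", "Content-Type: text/html",
            f"Content-Length: {len(body)}"]
    if content_encoding:
        head.append(f"Content-Encoding: {content_encoding}")
    return ("\r\n".join(head) + "\r\n\r\n").encode("ascii") + body


SAMPLES = {
    "plain_post": build_request("POST", "/checkin.php", FORM_BODY),
    "gzip_post": build_request("POST", "/checkin.php", gzip.compress(FORM_BODY), "gzip"),
    "fake_gzip_post": build_request("POST", "/checkin.php", FORM_BODY, "gzip"),
    "plain_get": build_request("GET", "/checkin.php?" + FORM_BODY.decode(), b""),
    "gzip_download": build_response(gzip.compress(b"<html>hello</html>" * 4), "gzip"),
}


def parse_message(raw):
    """Split a raw HTTP message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def is_gzipped_post(raw):
    """The signature idea: a POST request whose body is declared gzip'd.

    Responses never match because their start line begins with "HTTP/";
    "x-gzip" is accepted as the legacy alias, and comma-separated
    Content-Encoding lists are handled.
    """
    start_line, headers, _ = parse_message(raw)
    if not start_line.upper().startswith("POST "):
        return False
    encodings = [e.strip().lower() for e in headers.get("content-encoding", "").split(",")]
    return any(e in ("gzip", "x-gzip") for e in encodings)


def body_contains(raw, needle):
    """What a plain content match sees: the bytes on the wire, undecompressed."""
    return needle in parse_message(raw)[2]


def body_params(raw):
    """What the server sees: form parameters after honouring Content-Encoding.

    Returns None when the body claims gzip but does not decompress, which
    is still worth an alert: a legitimate client would not send that.
    """
    _, headers, body = parse_message(raw)
    if "gzip" in headers.get("content-encoding", "").lower():
        try:
            body = gzip.decompress(body)
        except (OSError, EOFError, zlib.error):
            return None
    return {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}


def scan(samples):
    """Names of the sample messages the signature would alert on, in order."""
    return [name for name, raw in samples.items() if is_gzipped_post(raw)]


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:15} alert={is_gzipped_post(raw)!s:5} "
              f"wire sees 'cmd='={body_contains(raw, b'cmd=')!s:5} "
              f"server sees {body_params(raw)}")
```

Running it shows the point of the note: a `content:"cmd="` style match finds the parameter in the plain POST but not in the gzip'd one, while the server decoding the body sees identical parameters in both, and the gzip'd download is left alone because only request start lines are considered.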