HTTP: Data is Not JPEG
This anomaly is triggered when the declared content type "image/jpeg" does not match the actual data. JPEG data should start with the byte pattern "ff d8 ff". Recent malware Command and Control ("C&C") channels use encrypted data with "jpeg" file extensions; because that data is not a well-formed JPEG file, this anomaly detects it.
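The check described above, as an added example in Python; it is not the vendor's signature logic. The function names, the chunked-encoding and empty-body handling, and the sample responses are assumptions constructed for illustration.

```python
# Added example: Content-Type vs. magic-byte check on raw HTTP/1.x responses.
JPEG_MAGIC = bytes.fromhex("ffd8ff")  # the "ff d8 ff" pattern named above


def split_response(raw: bytes):
    """Return (lower-cased header dict, body bytes) for one raw response."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("header block is incomplete")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # [0] is the status line
        name, colon, value = line.partition(b":")
        if colon:
            headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return headers, body


def data_is_not_jpeg(raw: bytes) -> bool:
    """True when the response claims image/jpeg but the body lacks ff d8 ff."""
    headers, body = split_response(raw)
    # Ignore parameters and case: "Image/JPEG; foo=bar" is still image/jpeg.
    media_type = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if media_type != "image/jpeg":
        return False
    # Assumption: a chunked body starts with a hex chunk-size line, so skip it.
    if "chunked" in headers.get("transfer-encoding", "").lower():
        _size, _sep, body = body.partition(b"\r\n")
    if not body:
        return False  # e.g. 304 or a HEAD reply: nothing to compare
    return not body.startswith(JPEG_MAGIC)


# Constructed samples (not captured traffic).
HDR = b"HTTP/1.1 200 OK\r\nContent-Type: image/jpeg\r\n"
JFIF = bytes.fromhex("ffd8ffe000104a464946")  # start of a well-formed JPEG
GOOD = HDR + b"Content-Length: 10\r\n\r\n" + JFIF
BAD = HDR + b"Content-Length: 8\r\n\r\n" + bytes.fromhex("8f3a1c77e2905bd4")
CHUNKED = HDR + b"Transfer-Encoding: chunked\r\n\r\na\r\n" + JFIF + b"\r\n0\r\n\r\n"
HTML = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    for name, sample in [("GOOD", GOOD), ("BAD", BAD), ("CHUNKED", CHUNKED), ("HTML", HTML)]:
        print(name, "anomaly" if data_is_not_jpeg(sample) else "ok")
```

Without the chunked-encoding step, a legitimate chunked JPEG response would be flagged, because its body begins with the chunk-size line rather than the image bytes.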
References
CVE: CVE-2019-5129
URL:
http://www.obrador.com/essentialjpeg/headerinfo.htm
http://labs.alienvault.com/labs/index.php/2013/latest-adobe-pdf-exploit-used-to-target-uyghur-and-tibetan-activists/
http://www.arbornetworks.com/asert/wp-content/uploads/2014/06/ASERT-Threat-Intelligence-Brief-2014-07-Illuminating-Etumbot-APT.pdf
srx-branch-12.3
srx-19.3
srx-branch-19.3
vsrx3bsd-19.2
srx-branch-19.4
vsrx-19.4
mx-12.3
mx-19.4
vmx-19.4
mx-19.3
vsrx3bsd-19.4
srx-19.4
vsrx-12.3
vmx-19.3
vsrx-19.2
srx-12.3