Re: I cannot find the shellshock bug detection rule in the latest community rules from https://www.snort.org

[Teo En Ming <singapore.mr.teo.en.ming () gmail com>]

Dear Joel,

I have tested with all the three online scanners again, and I only 
managed to catch two. I couldn't catch the online scanner from 
http://www.shellshocktest.com/

I think it was my oversight previously. I didn't monitor the intrusion 
alerts on my console carefully enough.

May I ask if new detection rules for the shellshock bug are pushed into 
the latest community rules?

Thank you very much.

--
Yours sincerely,

Teo En Ming
Singapore



On 26/09/2014 23:02, Joel Esler (jesler) wrote:
> We’ve just tested with all three tools, and we catch all three.
>
> --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
>
> > On Sep 25, 2014, at 7:27 PM, Teo En Ming 
> > <singapore.mr.teo.en.ming () gmail com 
> > <mailto:singapore.mr.teo.en.ming () gmail com>> wrote:
> >
> > Dear Snort users,
> >
> > I have just tested my server using 3 Shellshock Bash Vulnerability 
> > Online Checkers. Out of the 3 online checkers, only 1 caused caused 
> > Snort IDS to fire off intrusion alerts for the Shellshock Bash 
> > vulnerability. The other 2 online checkers did not cause Snort to 
> > fire off intrusion alerts for the Shellshock Bash vulnerability.
> >
> > Here are the links for the 3 Shellshock Bash Vulnerability Online 
> > Test Tools:
> >
> > (1) http://bashsmash.ccsir.org/
> >
> > (2) http://shellshock.brandonpotter.com/
> >
> > (3) http://www.shellshocktest.com/
> >
> > Reference Article: Shellshock Bash Vulnerability Online Checkers 
> > Available
> > Link: 
> > http://news.softpedia.com/news/Shellshock-Bash-Vulnerability-Online-Checkers-Available-459967.shtml
> >
> > Only the Shellshock Bash Vulnerability Online Scanner by Brandon 
> > Potter caused Snort to fire off intrusion alerts.
> >
> > Here is the screenshot of the intrusion alerts that fired off on my 
> > Snort IDS:
> >
> > http://i59.tinypic.com/2n9m6wj.png
> >
> > All 3 Shellshock Bash Vulnerability Online Scanners confirmed that my 
> > server is NOT vulnerable.
> >
> > I would think that Sourcefire need to develop new and better 
> > detection rules to detect scans by the other 2 online scanners that 
> > did not cause Snort to fire off intrusion alerts.
> >
> > --
> > Yours sincerely,
> >
> > Teo En Ming
> > Singapore
> >
> >
> >
> > On 26/09/2014 05:58, Teo En Ming wrote:
> > > Dear Snort users,
> > >
> > > I have just tested my server for the Shell Shocked GNU Bash remote 
> > > exploit security vulnerability by executing the following command on 
> > > my BASH shell.
> > >
> > > |$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
> > >
> > > The output is:
> > >
> > > ||bash: warning: x: ignoring function definition attempt
> > > bash: error importing function definition for `x'
> > > this is a test|
> > >
> > > My server is NOT vulnerable to the Shellshock security vulnerability. My GNU BASH is version 4.1.2-15. I can sleep easy 
> > > tonight knowing that my server is secure. I don't need to patch GNU BASH on my server any more.
> > > Last time I had to patch my RHEL 7 server for the OpenSSL heartbleed vulnerability.
> > >
> > > My Snort NIDS is on standby waiting for people to scan my Apache web server for the Shellshock remote exploit 
> > > vulnerability.
> > >
> > > Reference Article:Shell shock: what you need to do NOW about the bash remote exploit vulnerability  
> > > <https://forum.bytemark.co.uk/t/shell-shock-what-you-need-to-do-now-about-the-bash-remote-exploit-vulnerability/2068>
> > >
> > > URL:https://forum.bytemark.co.uk/t/shell-shock-what-you-need-to-do-now-about-the-bash-remote-exploit-vulnerability/2068
> > >
> > > --
> > > Yours sincerely,
> > >
> > > Teo En Ming
> > >
> > > Singapore
> > >
> > >
> > > On 26/09/2014 05:33, Teo En Ming wrote:
> > > > Thank you Joel Esler.
> > > >
> > > > I have found the Shell Shocked security vulnerability detection 
> > > > rules in the latest Snort community rules. There are a total of 4 
> > > > shellshock security vulnerability detection rules.
> > > >
> > > > My Snort Intrusion Detection System (IDS) is now ready and on standby.
> > > >
> > > > I am worried that my server is high risk to the shellshock security 
> > > > vulnerability. My software vendor has not announced the release of 
> > > > patches to GNU BASH and I cannot patch the server through the 
> > > > normal way "yum update". Doing a "yum update" will update all the 
> > > > software packages on the server and will likely break a lot of 
> > > > things running on the server.
> > > >
> > > > I don't want worms to get past my firewall and hackers to take over 
> > > > my server. I am worried about my Apache HTTP server with its CGI 
> > > > scripts.
> > > >
> > > > What can I do since the GNU bash patches are incomplete and my 
> > > > software vendor hasn't released the shellshock patches?


------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!