Re: I cannot find the shellshock bug detection rule in the latest community rules from https://www.snort.org

[Teo En Ming <singapore.mr.teo.en.ming () gmail com>]

Thank you Joel Esler.

I have found the Shell Shocked security vulnerability detection rules in 
the latest Snort community rules. There are a total of 4 shellshock 
security vulnerability detection rules.

My Snort Intrusion Detection System (IDS) is now ready and on standby.

I am worried that my server is high risk to the shellshock security 
vulnerability. My software vendor has not announced the release of 
patches to GNU BASH and I cannot patch the server through the normal way 
"yum update". Doing a "yum update" will update all the software packages 
on the server and will likely break a lot of things running on the server.

I don't want worms to get past my firewall and hackers to take over my 
server. I am worried about my Apache HTTP server with its CGI scripts.

What can I do since the GNU bash patches are incomplete and my software 
vendor hasn't released the shellshock patches?

-- 
Yours sincerely,

Teo En Ming
Singapore



On 26/09/2014 04:57, Joel Esler (jesler) wrote:
> Because “Shellshock” is a creative name for it…  That’s not what the rules are called.
>
> Do a
>
> grep "Bash CGI environment variable injection attempt” community.rules
>
> --
> Joel Esler
> Open Source Manager
> Threat Intelligence Team Lead
> Talos
>
> > On Sep 25, 2014, at 4:24 PM, Teo En Ming <singapore.mr.teo.en.ming () gmail com> wrote:
> >
> > Hi,
> >
> > I have downloaded and installed the latest community rules from the
> > official snort website.
> >
> > But I cannot find any shellshock bug detection rules in the latest
> > community rules.
> >
> > 1) grep shock community.rules
> > Results: Not found
> >
> > 2) grep shell community.rules
> > Results: Too many shellcode results returned
> >
> > 3) grep sheel community.rules
> > Results: Not found. sheelshock is actually a mis-spelling for shellshock
> >
> > Can anybody help me to find the shellshock bug detection rules in the
> > latest community rules?
> >
> > Thank you very much.
> >
> > -- 
> > Yours sincerely,
> >
> > Teo En Ming
> > Singapore
> >
> >
> > ------------------------------------------------------------------------------
> > Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> > Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> > Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> > Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
> > http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest Snort news!


-- 
Yours sincerely,

Teo En Ming


------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!