Re: I cannot find the shellshock bug detection rule in the latest community rules from https://www.snort.org

[Jeremy Hoel <jthoel () gmail com>]

If you have the pcap of the three attempts, you can compare them to the
rule to see why they didn't fire and then maybe help make changes to the
rule.

On Thu, Sep 25, 2014 at 11:27 PM, Teo En Ming <
singapore.mr.teo.en.ming () gmail com> wrote:

>  Dear Snort users,
>
> I have just tested my server using 3 Shellshock Bash Vulnerability Online
> Checkers. Out of the 3 online checkers, only 1 caused caused Snort IDS to
> fire off intrusion alerts for the Shellshock Bash vulnerability. The other
> 2 online checkers did not cause Snort to fire off intrusion alerts for the
> Shellshock Bash vulnerability.
>
> Here are the links for the 3 Shellshock Bash Vulnerability Online Test
> Tools:
>
> (1) http://bashsmash.ccsir.org/
>
> (2) http://shellshock.brandonpotter.com/
>
> (3) http://www.shellshocktest.com/
>
> Reference Article: Shellshock Bash Vulnerability Online Checkers Available
> Link:
> http://news.softpedia.com/news/Shellshock-Bash-Vulnerability-Online-Checkers-Available-459967.shtml
>
> Only the Shellshock Bash Vulnerability Online Scanner by Brandon Potter
> caused Snort to fire off intrusion alerts.
>
> Here is the screenshot of the intrusion alerts that fired off on my Snort
> IDS:
>
> http://i59.tinypic.com/2n9m6wj.png
>
> All 3 Shellshock Bash Vulnerability Online Scanners confirmed that my
> server is NOT vulnerable.
>
> I would think that Sourcefire need to develop new and better detection
> rules to detect scans by the other 2 online scanners that did not cause
> Snort to fire off intrusion alerts.
>
> --
> Yours sincerely,
>
> Teo En Ming
> Singapore
>
>
>
>
> On 26/09/2014 05:58, Teo En Ming wrote:
>
> Dear Snort users,
>
> I have just tested my server for the Shell Shocked GNU Bash remote exploit
> security vulnerability by executing the following command on my BASH shell.
>
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
>
> The output is:
> bash: warning: x: ignoring function definition attempt
> bash: error importing function definition for `x'
> this is a test
>
> My server is NOT vulnerable to the Shellshock security vulnerability. My GNU BASH is version 4.1.2-15. I can sleep 
> easy tonight knowing that my server is secure. I don't need to patch GNU BASH on my server any more.
> Last time I had to patch my RHEL 7 server for the OpenSSL heartbleed vulnerability.
>
> My Snort NIDS is on standby waiting for people to scan my Apache web server for the Shellshock remote exploit 
> vulnerability.
>
> Reference Article: Shell shock: what you need to do NOW about the bash remote exploit vulnerability 
> <https://forum.bytemark.co.uk/t/shell-shock-what-you-need-to-do-now-about-the-bash-remote-exploit-vulnerability/2068>
>
> URL: 
> https://forum.bytemark.co.uk/t/shell-shock-what-you-need-to-do-now-about-the-bash-remote-exploit-vulnerability/2068
>
> --
> Yours sincerely,
>
> Teo En Ming
>
> Singapore
>
>
>
> On 26/09/2014 05:33, Teo En Ming wrote:
>
> Thank you Joel Esler.
>
> I have found the Shell Shocked security vulnerability detection rules in
> the latest Snort community rules. There are a total of 4 shellshock
> security vulnerability detection rules.
>
> My Snort Intrusion Detection System (IDS) is now ready and on standby.
>
> I am worried that my server is high risk to the shellshock security
> vulnerability. My software vendor has not announced the release of patches
> to GNU BASH and I cannot patch the server through the normal way "yum
> update". Doing a "yum update" will update all the software packages on the
> server and will likely break a lot of things running on the server.
>
> I don't want worms to get past my firewall and hackers to take over my
> server. I am worried about my Apache HTTP server with its CGI scripts.
>
> What can I do since the GNU bash patches are incomplete and my software
> vendor hasn't released the shellshock patches?
>
>
>
>
>
>
>
> ------------------------------------------------------------------------------
> Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
> Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
> Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
> Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
>
> http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
------------------------------------------------------------------------------
Meet PCI DSS 3.0 Compliance Requirements with EventLog Analyzer
Achieve PCI DSS 3.0 Compliant Status with Out-of-the-box PCI DSS Reports
Are you Audit-Ready for PCI DSS 3.0 Compliance? Download White paper
Comply to PCI DSS 3.0 Requirement 10 and 11.5 with EventLog Analyzer
http://pubads.g.doubleclick.net/gampad/clk?id=154622311&iu=/4140/ostg.clktrk

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!