Snort mailing list archives
Re: I cannot find the shellshock bug detection rule in the latest community rules from https://www.snort.org
From: Teo En Ming <singapore.mr.teo.en.ming () gmail com>
Date: Fri, 26 Sep 2014 22:53:51 +0800
Dear Snort users,

I tried to test my wireless router for the Shellshock vulnerability. I executed the following command on the shell of my router.

    # env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

I did not get the desired output. Instead I get:

    env: can't execute 'bash': No such file or directory

Is my router vulnerable to the shellshock bug??? I know my router is using the /bin/sh shell and not the /bin/bash shell.

--
Yours sincerely,
Teo En Ming
Singapore

On 26/09/2014 07:27, Teo En Ming wrote:

Dear Snort users,

I have just tested my server using 3 Shellshock Bash Vulnerability Online Checkers. Out of the 3 online checkers, only 1 caused Snort IDS to fire off intrusion alerts for the Shellshock Bash vulnerability. The other 2 online checkers did not cause Snort to fire off intrusion alerts for the Shellshock Bash vulnerability.

Here are the links for the 3 Shellshock Bash Vulnerability Online Test Tools:

(1) http://bashsmash.ccsir.org/
(2) http://shellshock.brandonpotter.com/
(3) http://www.shellshocktest.com/

Reference Article: Shellshock Bash Vulnerability Online Checkers Available
Link: http://news.softpedia.com/news/Shellshock-Bash-Vulnerability-Online-Checkers-Available-459967.shtml

Only the Shellshock Bash Vulnerability Online Scanner by Brandon Potter caused Snort to fire off intrusion alerts.

Here is the screenshot of the intrusion alerts that fired off on my Snort IDS:

http://i59.tinypic.com/2n9m6wj.png

All 3 Shellshock Bash Vulnerability Online Scanners confirmed that my server is NOT vulnerable.

I would think that Sourcefire needs to develop new and better detection rules to detect scans by the other 2 online scanners that did not cause Snort to fire off intrusion alerts.

--
Yours sincerely,
Teo En Ming
Singapore

On 26/09/2014 05:58, Teo En Ming wrote:

Dear Snort users,

I have just tested my server for the Shell Shocked GNU Bash remote exploit security vulnerability by executing the following command on my BASH shell.

    $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The output is:

    bash: warning: x: ignoring function definition attempt
    bash: error importing function definition for `x'
    this is a test

My server is NOT vulnerable to the Shellshock security vulnerability. My GNU BASH is version 4.1.2-15. I can sleep easy tonight knowing that my server is secure. I don't need to patch GNU BASH on my server any more. Last time I had to patch my RHEL 7 server for the OpenSSL heartbleed vulnerability.

My Snort NIDS is on standby waiting for people to scan my Apache web server for the Shellshock remote exploit vulnerability.

Reference Article: Shell shock: what you need to do NOW about the bash remote exploit vulnerability
URL: https://forum.bytemark.co.uk/t/shell-shock-what-you-need-to-do-now-about-the-bash-remote-exploit-vulnerability/2068

--
Yours sincerely,
Teo En Ming
Singapore

On 26/09/2014 05:33, Teo En Ming wrote:

Thank you Joel Esler.

I have found the Shell Shocked security vulnerability detection rules in the latest Snort community rules. There are a total of 4 shellshock security vulnerability detection rules.

My Snort Intrusion Detection System (IDS) is now ready and on standby.

I am worried that my server is at high risk from the shellshock security vulnerability. My software vendor has not announced the release of patches to GNU BASH and I cannot patch the server through the normal way "yum update". Doing a "yum update" will update all the software packages on the server and will likely break a lot of things running on the server.

I don't want worms to get past my firewall and hackers to take over my server. I am worried about my Apache HTTP server with its CGI scripts.

What can I do since the GNU bash patches are incomplete and my software vendor hasn't released the shellshock patches?
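
Added example, not part of the original message or thread: a POSIX shell wrapper around the probe quoted above that first checks whether the named interpreter exists, so the "can't execute 'bash'" case is reported separately from a vulnerable or non-vulnerable result. The function names, result labels and the list of shells scanned are assumptions of this example, and it checks only the behaviour that the quoted probe checks.

```shell
#!/bin/sh
# Added example (not from the thread). Result strings are this example's labels.

# check_shellshock SHELL: run the probe quoted in the post against one shell.
check_shellshock() {
    shell_path=$1
    # Case from the first message: the interpreter does not exist under this
    # name, so there is nothing to run the probe against.
    if ! command -v "$shell_path" >/dev/null 2>&1; then
        echo absent
        return 0
    fi
    # Probe from the post: x carries a function definition followed by a
    # trailing command; stderr (import warnings) is discarded.
    out=$(env x='() { :;}; echo vulnerable' "$shell_path" \
        -c 'echo this is a test' 2>/dev/null) || true
    case $out in
        *vulnerable*)       echo vulnerable ;;
        *"this is a test"*) echo not-vulnerable ;;
        *)                  echo inconclusive ;;
    esac
}

# is_bash SHELL: true if the shell identifies itself as bash. On some systems
# /bin/sh is bash under another name, so the name alone does not settle it.
is_bash() {
    v=$("$1" -c 'echo "${BASH_VERSION:-}"' 2>/dev/null) || v=
    [ -n "$v" ]
}

# scan_shells SHELL...: one line per candidate, "path: result (bash|other)".
scan_shells() {
    for s in "$@"; do
        result=$(check_shellshock "$s")
        kind=other
        if [ "$result" != absent ] && is_bash "$s"; then kind=bash; fi
        printf '%s: %s (%s)\n' "$s" "$result" "$kind"
    done
}

# Candidate list is an assumption; adjust to the shells present on the host.
scan_shells /bin/sh /bin/bash bash
```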