Snort mailing list archives
Re: BASH vulnerability/community.rules
From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 26 Sep 2014 15:41:43 -0400
On 9/26/2014 12:18 PM, Farnsworth, Robert wrote:
I would like to make this as easy as possible. I have used the community.rules in the past with minor adjustments to my old snort.conf file. Is it possible to get the new community.rules file to work with my snort.conf file? Or can I just add the line below to my already existing community.rules file, with maybe a minor adjustment to snort.conf?

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ShellShock - Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)
you should, IMHO, put it in your local.rules so that you can maintain it yourself and remove it later if/when it appears in your normal rules loads...

as for having it work with your current snort, you haven't said what version of snort you are running nor have you said what the exact error is that you get when you try to use the rule with your snort version...

--
NOTE: No off-list assistance is given without prior approval. Please *keep mailing list traffic on the list* unless private contact is specifically requested and granted.
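
The rule quoted in this thread matches the string "() {" in the HTTP header buffer and uses a limit threshold to alert once per source every 120 seconds. The following is an added example, not part of either post and not Snort code: a Python approximation of that match and threshold logic, run over constructed requests (the addresses, host name and URI are made up).

```python
from dataclasses import dataclass

PATTERN = b"() {"                    # content:"() {"; http_header;
LIMIT_COUNT, LIMIT_SECONDS = 1, 120  # threshold:type limit, track by_src, count 1, seconds 120

@dataclass
class Request:
    ts: float   # arrival time in seconds
    src: str    # client IP (track by_src)
    raw: bytes  # raw HTTP request as sent to the server

def header_block(raw: bytes) -> bytes:
    """Approximate the http_header buffer: header lines only, no request line, no body."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    _, _, headers = head.partition(b"\r\n")
    return headers

def alerts(requests):
    """Return (ts, src) for every alert the limit threshold lets through."""
    windows = {}  # src -> (window start, matching events seen in this window)
    fired = []
    for r in sorted(requests, key=lambda r: r.ts):
        if PATTERN not in header_block(r.raw):
            continue
        start, count = windows.get(r.src, (r.ts, 0))
        if r.ts - start >= LIMIT_SECONDS:  # interval expired: open a new window
            start, count = r.ts, 0
        if count < LIMIT_COUNT:            # only the first event per window alerts
            fired.append((r.ts, r.src))
        windows[r.src] = (start, count + 1)
    return fired

def req(user_agent: bytes, body: bytes = b"") -> bytes:
    """Build a constructed request for the sample data below."""
    return (b"POST /cgi-bin/status HTTP/1.1\r\nHost: www.example.test\r\n"
            b"User-Agent: " + user_agent + b"\r\n\r\n" + body)

# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Request(0, "192.0.2.10", req(b"() { :; }; #constructed")),    # alert
    Request(30, "192.0.2.10", req(b"() { :; }; #constructed")),   # suppressed: same window
    Request(45, "198.51.100.7", req(b"Mozilla/5.0")),             # no match
    Request(50, "198.51.100.7", req(b"Mozilla/5.0", b"() {")),    # body only: not in headers
    Request(60, "203.0.113.5", req(b"() { :; }; #constructed")),  # alert: different source
    Request(200, "192.0.2.10", req(b"() { :; }; #constructed")),  # alert: new 120 s window
]

if __name__ == "__main__":
    for ts, src in alerts(SAMPLE):
        print(f"t={ts:>3}s alert from {src}")
```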