Snort mailing list archives

Re: BASH vulnerability/community.rules


From: waldo kitty <wkitty42 () windstream net>
Date: Fri, 26 Sep 2014 15:41:43 -0400

On 9/26/2014 12:18 PM, Farnsworth, Robert wrote:
> I would like to make this as easy as possible, I have used the community.rules
> in the past with minor adjustments to my old snort.conf file.
>
> Is it possible to get the new community.rules file to work with my snort.conf file?
>
> Or can I just add the line below to my already existing community.rules file,
> with maybe a minor adjustment to snort.conf?
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ShellShock - Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)

you should, IMHO, put it in your local.rules so that you can maintain it 
yourself and remove it later if/when it appears in your normal rules loads...

as for having it work with your current snort, you haven't said what version of 
snort you are running nor have you said what the exact error is that you get 
when you try to use the rule with your snort version...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
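
Added example, not part of the original message and not Snort code: a Python sketch of what the quoted rule alerts on, for sanity-checking expectations before putting it in local.rules. The sample requests and addresses are constructed, and the header extraction and 120-second window only approximate Snort's `http_header` buffer and `threshold:type limit` handling.

```python
from collections import namedtuple

# Constructed sample traffic: (epoch seconds, source IP, raw HTTP request).
Request = namedtuple("Request", "ts src raw")

MARKER = b"() {"      # the rule's content match
LIMIT_SECONDS = 120   # threshold:type limit, track by_src, count 1, seconds 120


def header_block(raw):
    """Return only the header lines (no request line, no body),
    roughly the data the http_header modifier restricts the match to."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    _request_line, _, headers = head.partition(b"\r\n")
    return headers


def alerts(requests):
    """Return [(ts, src)] for requests that would alert under the rule."""
    window_start = {}  # src -> start of that source's current window
    out = []
    for req in sorted(requests, key=lambda r: r.ts):
        if MARKER not in header_block(req.raw):
            continue
        start = window_start.get(req.src)
        if start is not None and req.ts - start < LIMIT_SECONDS:
            continue  # count 1 already reached for this source in the window
        window_start[req.src] = req.ts
        out.append((req.ts, req.src))
    return out


HIT = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
       b"User-Agent: () { :; }; <command elided>\r\n\r\n")
CLEAN = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
         b"User-Agent: Mozilla/5.0\r\n\r\n")
BODY_ONLY = (b"POST /form HTTP/1.1\r\nHost: www.example.com\r\n"
             b"Content-Length: 4\r\n\r\n() {")

SAMPLE = [
    Request(0, "198.51.100.7", HIT),          # alert
    Request(30, "198.51.100.7", HIT),         # suppressed by the limit
    Request(45, "203.0.113.9", CLEAN),        # no marker
    Request(60, "203.0.113.20", BODY_ONLY),   # marker in body, not in headers
    Request(200, "198.51.100.7", HIT),        # window expired, alerts again
]

if __name__ == "__main__":
    for ts, src in alerts(SAMPLE):
        print(f"t={ts:>3}s src={src} ShellShock header match")
```
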
