Snort mailing list archives

Re: I cannot find the shellshock bug detection rule in the latest community rules from https://www.snort.org


From: Teo En Ming <singapore.mr.teo.en.ming () gmail com>
Date: Fri, 26 Sep 2014 05:58:38 +0800

Dear Snort users,

I have just tested my server for the Shell Shocked GNU Bash remote exploit security vulnerability by executing the following command on my BASH shell.

$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The output is:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

My server is NOT vulnerable to the Shellshock security vulnerability. My GNU BASH is version 4.1.2-15. I can sleep easy 
tonight knowing that my server is secure. I don't need to patch GNU BASH on my server any more.
Last time I had to patch my RHEL 7 server for the OpenSSL heartbleed vulnerability.

My Snort NIDS is on standby waiting for people to scan my Apache web server for the Shellshock remote exploit 
vulnerability.

Reference Article: Shell shock: what you need to do NOW about the bash remote exploit vulnerability
<https://forum.bytemark.co.uk/t/shell-shock-what-you-need-to-do-now-about-the-bash-remote-exploit-vulnerability/2068>


--
Yours sincerely,

Teo En Ming

Singapore



On 26/09/2014 05:33, Teo En Ming wrote:
Thank you Joel Esler.

I have found the Shell Shocked security vulnerability detection rules in the latest Snort community rules. There are a total of 4 shellshock security vulnerability detection rules.

My Snort Intrusion Detection System (IDS) is now ready and on standby.

I am worried that my server is at high risk from the shellshock security vulnerability. My software vendor has not announced the release of patches to GNU BASH and I cannot patch the server through the normal way "yum update". Doing a "yum update" will update all the software packages on the server and will likely break a lot of things running on the server.

I don't want worms to get past my firewall and hackers to take over my server. I am worried about my Apache HTTP server with its CGI scripts.

What can I do since the GNU bash patches are incomplete and my software vendor hasn't released the shellshock patches?
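
Added example, not part of the original post or of the Snort community rules: a log-side complement to the Snort rules mentioned above, which scans Apache combined-format access log lines for the `() {` function-definition prefix used in the test command. The log lines, addresses and CGI paths are constructed sample data, and `find_probes` is a hypothetical helper name.

```python
import re

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Apache escapes embedded double quotes as \" so each quoted field allows them.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' \d{3} \S+ '
    + QUOTED + ' ' + QUOTED + r'$'
)
FIELDS = ("request", "referer", "agent")

# The function-definition prefix from the test command, including its space.
# Matching the exact four characters avoids flagging ordinary "(){" in URLs.
MARKER = "() {"

# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Sep/2014:05:40:01 +0800] "GET /index.html HTTP/1.1" '
    '200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [26/Sep/2014:05:41:12 +0800] "GET /cgi-bin/status HTTP/1.0" '
    '200 312 "-" "() { :;}; echo vulnerable"',
    '198.51.100.7 - - [26/Sep/2014:05:41:13 +0800] "GET /cgi-bin/test.cgi HTTP/1.0" '
    '404 209 "() { :;}; echo vulnerable" "curl/7.30.0"',
    '192.0.2.44 - - [26/Sep/2014:05:42:30 +0800] "GET /app.js?f=function(){} HTTP/1.1" '
    '200 88 "-" "Mozilla/5.0"',
]


def find_probes(lines):
    """Return (host, time, field) for each logged field containing the marker."""
    hits = []
    for line in lines:
        m = COMBINED.match(line.strip())
        if not m:
            continue  # not combined format: skip rather than guess at fields
        host, when = m.group(1), m.group(2)
        for name, value in zip(FIELDS, m.groups()[2:]):
            if MARKER in value:
                hits.append((host, when, name))
    return hits


if __name__ == "__main__":
    for host, when, field in find_probes(SAMPLE_LOG):
        print(f"{when}  {host}  marker in {field}")
```

Only the request line, Referer and User-Agent appear in the combined log format, so a probe carried in any other header is visible to a network sensor such as Snort but not to this check.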



