Snort mailing list archives

Re: I cannot find the shellshock bug detection rule in the latest community rules from https://www.snort.org


From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Fri, 26 Sep 2014 15:02:26 +0000

We’ve just tested with all three tools, and we catch all three.

--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Talos


On Sep 25, 2014, at 7:27 PM, Teo En Ming <singapore.mr.teo.en.ming () gmail com> wrote:

Dear Snort users,

I have just tested my server using 3 Shellshock Bash Vulnerability Online Checkers. Out of the 3 online checkers, only 
1 caused Snort IDS to fire off intrusion alerts for the Shellshock Bash vulnerability. The other 2 online 
checkers did not cause Snort to fire off intrusion alerts for the Shellshock Bash vulnerability.

Here are the links for the 3 Shellshock Bash Vulnerability Online Test Tools:

(1) http://bashsmash.ccsir.org/

(2) http://shellshock.brandonpotter.com/

(3) http://www.shellshocktest.com/

Reference Article: Shellshock Bash Vulnerability Online Checkers Available
Link: http://news.softpedia.com/news/Shellshock-Bash-Vulnerability-Online-Checkers-Available-459967.shtml

Only the Shellshock Bash Vulnerability Online Scanner by Brandon Potter caused Snort to fire off intrusion alerts.

Here is the screenshot of the intrusion alerts that fired off on my Snort IDS:

http://i59.tinypic.com/2n9m6wj.png

All 3 Shellshock Bash Vulnerability Online Scanners confirmed that my server is NOT vulnerable.

I would think that Sourcefire needs to develop new and better detection rules to detect scans by the other 2 online 
scanners that did not cause Snort to fire off intrusion alerts.


--
Yours sincerely,

Teo En Ming
Singapore




On 26/09/2014 05:58, Teo En Ming wrote:
Dear Snort users,

I have just tested my server for the Shell Shocked GNU Bash remote exploit security vulnerability by executing the 
following command on my BASH shell.


$ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"

The output is:

bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
this is a test

My server is NOT vulnerable to the Shellshock security vulnerability. My GNU BASH is version 4.1.2-15. I can sleep easy 
tonight knowing that my server is secure. I don't need to patch GNU BASH on my server any more.
Last time I had to patch my RHEL 7 server for the OpenSSL heartbleed vulnerability.

My Snort NIDS is on standby waiting for people to scan my Apache web server for the Shellshock remote exploit 
vulnerability.

Reference Article: Shell shock: what you need to do NOW about the bash remote exploit vulnerability

URL: https://forum.bytemark.co.uk/t/shell-shock-what-you-need-to-do-now-about-the-bash-remote-exploit-vulnerability/2068

--
Yours sincerely,

Teo En Ming

Singapore



On 26/09/2014 05:33, Teo En Ming wrote:
Thank you Joel Esler.

I have found the Shell Shocked security vulnerability detection rules in the latest Snort community rules. There are a 
total of 4 shellshock security vulnerability detection rules.

My Snort Intrusion Detection System (IDS) is now ready and on standby.

I am worried that my server is high risk to the shellshock security vulnerability. My software vendor has not announced 
the release of patches to GNU BASH and I cannot patch the server through the normal way "yum update". Doing a "yum 
update" will update all the software packages on the server and will likely break a lot of things running on the server.

I don't want worms to get past my firewall and hackers to take over my server. I am worried about my Apache HTTP server 
with its CGI scripts.

What can I do since the GNU bash patches are incomplete and my software vendor hasn't released the shellshock patches?






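The thread turns on a detection question: three scanners sent Shellshock probes at the same Apache server, and only one of them tripped the rules on the poster's sensor. Bash's importer only treats an environment variable as a function definition when its value begins with the four characters "() {"; everything after that brace is attacker-chosen, so a signature keyed to the canonical ":;};" body will miss probes that use any other body. The following is an added example, not code from the original thread, from Snort, or from Talos, and it does not reproduce the text of the Snort community rules: it parses a few constructed HTTP requests, checks every header value (mod_cgi exports each header as an HTTP_* environment variable, which is why headers are the injection point), and compares a narrow body signature against a check for the condition bash actually requires. The sample requests, header bodies and function names are all assumptions made up for the example.

```python
import re
from typing import Dict, List, Tuple

# Narrow signature: the exact body used by the widely circulated
# proof-of-concept payload. Illustrative only; this is NOT the text of
# any Snort community rule.
NARROW_SIGNATURE = b"() { :;};"

# The condition bash's importer (pre-patch) actually checks before parsing a
# variable as a function: the value must START with "() {" (one space).
# The body after the brace is free-form, so we anchor on the prefix only.
FUNCTION_PREFIX = re.compile(rb"^\(\) \{")


def parse_request(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes]]:
    """Split a raw HTTP request into (request line, {lowercased name: value})."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def inspect(raw: bytes, signature_only: bool = False) -> List[str]:
    """Return the names of headers carrying a Shellshock-style function
    definition. Every header is checked because mod_cgi exports each one as
    an HTTP_<NAME> environment variable that pre-patch bash would parse.

    signature_only=True models a detection keyed to the canonical body;
    the default models a detection keyed to the prefix bash requires."""
    _request_line, headers = parse_request(raw)
    hits: List[str] = []
    for name, value in headers.items():
        if signature_only:
            matched = NARROW_SIGNATURE in value
        else:
            matched = FUNCTION_PREFIX.search(value) is not None
        if matched:
            hits.append(name.decode("ascii", "replace"))
    return hits


# Constructed sample probes (assumed for this example; not captures from the
# scanners named in the thread).
SAMPLES: Dict[str, bytes] = {
    # The canonical proof-of-concept body in User-Agent.
    "canonical-ua": (b"GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: example\r\n"
                     b"User-Agent: () { :;}; echo vulnerable\r\n\r\n"),
    # Same prefix, different body, different header.
    "other-body-referer": (b"GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: example\r\n"
                           b"Referer: () { ignored;}; echo probe\r\n\r\n"),
    # Only the spacing inside the body differs from the canonical payload.
    "spaced-body-cookie": (b"GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: example\r\n"
                           b"Cookie: () { :; }; echo probe\r\n\r\n"),
    # "() {" not at the start of the value: bash would never import this.
    "benign": (b"GET /cgi-bin/test.cgi HTTP/1.1\r\nHost: example\r\n"
               b"User-Agent: Mozilla/5.0 (compatible; () { test)\r\n\r\n"),
}


def coverage(signature_only: bool = False) -> Dict[str, List[str]]:
    """Run one detection mode over every sample and report the hits."""
    return {name: inspect(raw, signature_only) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for mode, flag in (("narrow body signature", True), ("bash prefix check", False)):
        print(mode)
        for sample, hits in coverage(flag).items():
            print(f"  {sample:22s} -> {hits or 'no alert'}")
```

Run stand-alone, the narrow signature alerts only on the canonical sample while the prefix check alerts on all three probes and stays quiet on the benign request. The point for the sensor operator is the gap between those two columns: when a scanner fails to trip a rule, compare the exact bytes it sent against what the rule's content match requires before concluding the server was not probed. This stand-in matches on raw header text and does no normalisation or stream reassembly, which a real http_inspect-backed rule would do; treat it as the matching logic only.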
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!
