Re: Snort-users Digest, Vol 101, Issue 41

[Alex McDonnell <amcdonnell () sourcefire com>]

Hi Ron,

 We have observed alerts on newegg's site for our shellshock rules. It
seems that there is some sort of performance tracking that is injecting the
pattern that rule looks for into the URI. At this point, if it is only a
aleatory alert on newegg's site we will not be changing the rule, as it has
yielded nothing but true positives thus far. Any pcap you have and want to
forward along would also be helpful.

Alex McDonnell
TALOS (Formerly VRT)


> Message: 3
> Date: Mon, 27 Oct 2014 21:04:14 +0000
> From: Ron Haines <rhaines () grantspassoregon gov>
> Subject: [Snort-users] Shellshock Signatures
> To: "snort-users () lists sourceforge net"
>         <snort-users () lists sourceforge net>
> Message-ID: <5C428EDCD67FA1469CBAB808D0472B2074069B23@emperor>
> Content-Type: text/plain; charset="us-ascii"
>
> I have been seeing multiple alerts on 1:31977:3 when people visit the
> Newegg website. This is a community rule and I'm thinking this is a false
> positive. I have found several instances in the websites code where they
> use a lot of function calls that have () { in them. This is how the rule is
> built for 1:31977, 31978, 31975, and 31976. So far, only the 31977 has been
> triggered from Newegg. If it is a false positive, it's not a big deal. I
> just wanted to run this by the group to make sure I don't have to look at
> something else or contact Newegg about this.
>
> Thanks,
>
> Ron Haines
> Computer Services Technician
> Information Technology
> Email: rhaines () grantspassoregon gov<blocked::mailto:
> rhaines () grantspassoregon gov>
> Phone: 541.450.6185
> [Signature - Guide]
>
>
> -----------------------------------------------------------
>
> DISCLOSURE: Messages to and from this E-mail address may be subject to
> Oregon Public Records Law.
> -----------------------------------------------------------
> -------------- next part --------------
> An HTML attachment was scrubbed...
> -------------- next part --------------
> A non-text attachment was scrubbed...
> Name: image002.jpg
> Type: image/jpeg
> Size: 5908 bytes
> Desc: image002.jpg
>
> ------------------------------
>
>
> ------------------------------------------------------------------------------
>
>
> ------------------------------
>
> _______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-users
>
>
> End of Snort-users Digest, Vol 101, Issue 41
> ********************************************
------------------------------------------------------------------------------

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!