Snort mailing list archives
Re: Shellshock Signatures
From: Ron Haines <rhaines () grantspassoregon gov>
Date: Wed, 29 Oct 2014 18:13:09 +0000
Sorry for reposting, but it appears that my text was missing when I checked on the Snort user archives. Not exactly sure what the problem was, but trying again with plain text and no signature...

I have been seeing multiple alerts on 1:31977:3 when people visit the Newegg website. This is a community rule and I'm thinking this is a false positive. I have found several instances in the website's code where they use a lot of function calls that have () { in them. This is how the rule is built for 1:31977, 31978, 31975, and 31976. So far, only the 31977 has been triggered from Newegg.

If it is a false positive, it's not a big deal. I just wanted to run this by the group to make sure I don't have to look at something else or contact Newegg about this.

Thanks,
Ron Haines
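A triage helper for the situation described in the post, added here as an example; it is not code from the poster or from the Snort project. It relies on the fact that bash only imports a function from an environment variable whose value begins with `() {`, so a match buried inside JavaScript-like text is treated differently from one that opens a field. The field names, verdict strings and both sample requests are constructed for illustration.

```python
from urllib.parse import unquote

MARKER = "() {"  # the literal the post says these rules match on

def classify(value):
    """'prefix' if the value begins with the marker, 'embedded' if it only contains it."""
    if value.startswith(MARKER):
        return "prefix"
    return "embedded" if MARKER in value else "absent"

def triage_request(raw):
    """Map every request field containing the marker to 'prefix' or 'embedded'."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    # Request line is "METHOD target VERSION"; the target itself may hold raw spaces.
    target = lines[0].split(" ", 1)[1].rsplit(" ", 1)[0]
    path, _, query = target.partition("?")
    # Assumption: the sensor alerted on a percent-decoded URI, so decode before checking.
    fields = {"path": unquote(path), "query": unquote(query)}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        fields["header:" + name.strip().lower()] = value.strip()
    hits = {}
    for name, value in fields.items():
        kind = classify(value)
        if kind != "absent":
            hits[name] = kind
    return hits

def verdict(raw):
    """Summarise one alerting request for the analyst."""
    kinds = set(triage_request(raw).values())
    if "prefix" in kinds:
        return "review"
    return "likely false positive" if kinds else "no match"

# Constructed samples: JavaScript-style text in a query string, and a header
# value that opens with the marker (the rest is a placeholder, not a payload).
BENIGN = ("GET /item?cb=function%20()%20{return%201} HTTP/1.1\r\n"
          "Host: shop.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
SUSPECT = ("GET /cgi-bin/status HTTP/1.1\r\n"
           "Host: www.example.com\r\nUser-Agent: () { CONSTRUCTED-PLACEHOLDER\r\n\r\n")

if __name__ == "__main__":
    for label, request in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage_request(request), verdict(request))
```

A "likely false positive" result is a sorting aid for alert review, not a replacement for looking at the captured packet.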