Snort mailing list archives

Re: Shellshock Signatures


From: Ron Haines <rhaines () grantspassoregon gov>
Date: Wed, 29 Oct 2014 18:13:09 +0000


Sorry for reposting, but it appears that my text was missing when I checked on the Snort user archives. Not exactly 
sure what the problem was, but trying again with plain text and no signature...


I have been seeing multiple alerts on 1:31977:3 when people visit the Newegg website. This is a community rule and I'm 
thinking this is a false positive. I have found several instances in the website's code where they use a lot of function 
calls that have () { in them. This is how the rule is built for 1:31977, 31978, 31975, and 31976. So far, only the 
31977 has been triggered from Newegg. If it is a false positive, it's not a big deal. I just wanted to run this by the 
group to make sure I don't have to look at something else or contact Newegg about this.

Thanks,

Ron Haines
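A triage sketch for the situation described in the message above, added here as an example (it is not part of the original post and is not the Snort rule logic). It relies on the fact that Bash only imported an environment variable as a function when the value began with `() {`, so it separates a leading marker from one embedded in script text such as `function () {`. The function names, field labels and sample requests are assumptions constructed for illustration.

```python
from urllib.parse import unquote, urlsplit

MARKER = "() {"  # sequence the post says SIDs 31975-31978 are built on

def classify(value):
    """Return 'absent', 'leading' or 'embedded' for one request field value."""
    decoded = unquote(value).strip()
    if MARKER not in decoded:
        return "absent"
    # Bash treated a variable as a function only when its value began with
    # the marker; deeper in the string (e.g. "function () {") it is script text.
    return "leading" if decoded.startswith(MARKER) else "embedded"

def triage_request(raw):
    """Classify the query string, each query value and each header of a raw request."""
    head = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    target = head[0].split(" ")[1]          # request target from the request line
    query = urlsplit(target).query
    fields = {"query": query}
    for pair in filter(None, query.split("&")):
        name, _, val = pair.partition("=")
        fields["query:" + name] = val
    for line in head[1:]:
        name, _, val = line.partition(":")
        fields["header:" + name.strip().lower()] = val
    results = {k: classify(v) for k, v in fields.items()}
    # Report only the fields in which the marker occurs at all.
    return {k: r for k, r in results.items() if r != "absent"}

# Constructed samples (not captured traffic; host and paths are made up).
JS_IN_URI = ("GET /log?cb=jQuery(function%20()%20{%20init();%20}) HTTP/1.1\r\n"
             "Host: shop.example\r\n\r\n")
ENV_STYLE = ("GET /cgi-bin/status HTTP/1.1\r\n"
             "Host: shop.example\r\n"
             "User-Agent: () { :; }; PLACEHOLDER\r\n\r\n")

if __name__ == "__main__":
    for label, req in (("js-in-uri", JS_IN_URI), ("env-style", ENV_STYLE)):
        print(label, triage_request(req))
```

An "embedded" result supports the false-positive reading; a "leading" result is the one that warrants a closer look at the full session.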

