[Snort-sigs] Questions on Sig 31985

Sam ccie8944 at ...144...
Sat Oct 11 11:07:05 EDT 2014

I am testing the Bash vulnerability with DHCP to a Linux machine. Using dnsmasq, I am setting option 114 in the DHCP response. The dhcp client gets the address ok. My environment is a vuln Linux host > Cisco router (providing DHCP forwarding) > Sensor > DHCP Server.
I see sig 31985 looks for UDP ports bootpc and bootps, pattern match () { and pattern match 02 01 06 00. I was not able to get this to fire.
My observations: The DHCP packets between the forwarding router and DHCP server are exchanged on only the BOOTPS port (67). I don't see the client port (68) on any of the connection events. Also, I'm not sure what 02 01 06 00 is for.
When I create my own signature with both ports set to bootps and remove the 02 01 06 00 pattern, the signature fires.
I may not have my exploit set up correctly.  I am using the option 114 string found on several web sites.
Clarification/help is appreciated.
Thanks.  Sam
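
An added example, not part of the post above and not taken from the Snort rule set: in the BOOTP layout (RFC 951) the first four payload bytes are op, htype, hlen and hops, so `02 01 06 00` reads as BOOTREPLY, Ethernet, 6-byte hardware address, zero hops. The sketch below parses a constructed reply and reports the header bytes, the port pair and the `() {` option match separately, so a packet captured at the sensor can be checked against each condition. The function names, the reading of the rule's ports as a 67/68 pair, and the sample packets are assumptions made for illustration.

```python
import struct

COOKIE = b"\x63\x82\x53\x63"      # DHCP magic cookie (RFC 2131)
FUNC_DEF = b"() {"                # content pattern quoted in the post
HDR = b"\x02\x01\x06\x00"         # op=2 BOOTREPLY, htype=1 Ethernet, hlen=6, hops=0

def build_reply(hops, options):
    """Constructed sample: 236-byte BOOTP reply header, cookie, TLV options."""
    fixed = struct.pack("!BBBB", 2, 1, 6, hops) + bytes(232)
    tlvs = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return fixed + COOKIE + tlvs + b"\xff"

def parse_options(payload):
    """Return {option code: value}, rejecting truncated or non-DHCP payloads."""
    if len(payload) < 240 or payload[236:240] != COOKIE:
        raise ValueError("not a DHCP payload")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        code = payload[i]
        if code == 0:                               # pad option, no length byte
            i += 1
            continue
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = opts.get(code, b"") + value    # repeated codes concatenate (RFC 3396)
        i += 2 + length
    return opts

def inspect(payload, sport, dport):
    """Report each condition separately so a non-matching packet shows why."""
    opts = parse_options(payload)
    return {
        "header_match": payload[:4] == HDR,
        "hops": payload[3],
        "client_server_ports": {sport, dport} == {67, 68},  # assumed reading of the rule's ports
        "func_def_options": sorted(c for c, v in opts.items() if FUNC_DEF in v),
    }

if __name__ == "__main__":
    # Constructed packets; the option 114 value is a harmless placeholder.
    sample_opts = [(53, b"\x05"), (114, b"() { CONSTRUCTED-SAMPLE")]
    print(inspect(build_reply(0, sample_opts), 67, 68))   # server and client ports
    print(inspect(build_reply(0, sample_opts), 67, 67))   # port 67 on both sides, as in the post
```

To use it on real traffic, pass the UDP payload bytes and port numbers extracted from a capture taken at the sensor in place of the constructed packets.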