[Snort-users] ShellShock Signatures

Colin Edwards colin.p.edwards at ...11827...
Mon Mar 2 21:54:33 EST 2015


Hello Snort Users,

I'm a new list member, and happy to say that I've been working with
Firesight and a couple of ASA-X Firepower modules for almost a week now.
This is my first time hands-on w/ an IPS/IDS.  I'm here because I found
this message from this list while researching an alert:
http://sourceforge.net/p/snort/mailman/message/32980285/ .  I had a user
viewing a newspaper's website today, and I received an alert for 1:31977.
I actually wasn't familiar with the domain name, and just searching for the
domain I saw in the alert in Google also generated an alert from my
workstation (I assume something to do with Google pulling news/images to
display in the results?).  The URI from the request does have "() {" in it,
so that's why it was triggered, but I don't know if it's a False Positive
alert.  The website was for the Sacramento Bee (www.sacbee.com).  I can
provide more detail from the pcap / URI when I'm back in the office
tomorrow.


While I'm introducing myself as a Snort newbie... If anyone has any
recommendations for other resources or reading material, feel free to
message me off-list.

Cheers,
Colin Edwards
CISSP, GCIH, GCWN, GSEC, MCSE