Re: Shellshock Vulnerability [message #116337 is a reply to message #116332]
Thu, 25 September 2014 21:51
bhancepdx
Messages: 4 Registered: September 2014 Location: Portland
There is a basic Shellshock Snort rule out from volexity dot com:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"Volex Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2014092401;)
I have tested this in KWF by editing snort's used.rules and then verifying that tests from shellshock detectify dot com are ID'd.
This of course is testing for a very basic string and is not a comprehensive rule.
Right now this alert doesn't appear in the SNORT rules being pulled to my Kerio and has to be inserted manually. I'm trying to determine when the SNORT rules rolled out to Kerio Firewall will contain a SHELLSHOCK rule.

Re: Shellshock Vulnerability [message #116363 is a reply to message #116337]
Fri, 26 September 2014 20:51
bhancepdx
Messages: 4 Registered: September 2014 Location: Portland
A second update:
Snort community rules now contain 4 rules for "OS-OTHER Bash CGI environment variable injection attempt".
They are:
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"%3D%28%29+%7B"; fast_pattern:only; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31975; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_client_body; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31976; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31977; rev:3;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-7169; classtype:web-application-activity; sid:31978; rev:3;)
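To see what the content strings in the Volexity rule above and in community sids 31975-31978 actually match, here is an added example (not code from these posts, Snort, Volexity or Kerio) that applies the same two markers to constructed HTTP requests, buffer by buffer. It assumes Snort's http_uri buffer is percent-decoded while header and body buffers are matched raw, which is why sid 31975 separately looks for the encoded form.

```python
"""Toy re-implementation of the Shellshock content matches in the quoted rules.
Added example; sample requests below are constructed, not captured traffic."""
from urllib.parse import unquote

RAW_MARKER = "() {"               # content in sids 31976/31977/31978 and the Volexity rule
ENCODED_MARKER = "%3D%28%29+%7B"  # percent-encoded "=() {", content in sid 31975


def split_request(raw: str):
    """Split a raw HTTP request into (uri, header_lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    uri = parts[1] if len(parts) > 1 else ""
    return uri, lines[1:], body


def shellshock_matches(raw: str) -> list:
    """Return (buffer, sid) pairs for every quoted rule whose content would match."""
    uri, headers, body = split_request(raw)
    hits = []
    if ENCODED_MARKER in raw:                  # sid 31975: no http_* modifier, whole payload
        hits.append(("raw", 31975))
    if RAW_MARKER in unquote(uri):             # sid 31977: normalized (decoded) URI, assumed
        hits.append(("uri", 31977))
    if any(RAW_MARKER in h for h in headers):  # sid 31978 and the Volexity rule: http_header
        hits.append(("header", 31978))
    if RAW_MARKER in body:                     # sid 31976: http_client_body, matched raw
        hits.append(("body", 31976))
    return hits


# Constructed sample requests (CRLF line endings as on the wire).
BENIGN = "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: curl/7.30\r\n\r\n"
HEADER_ATTEMPT = ("GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
                  "User-Agent: () { CONSTRUCTED; }; test\r\n\r\n")
ENCODED_URI = "GET /cgi-bin/status?x=a%28%29%20%7B HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
ENCODED_BODY = ("POST /cgi-bin/form HTTP/1.1\r\nHost: www.example.com\r\n"
                "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
                "field%3D%28%29+%7B+CONSTRUCTED")

if __name__ == "__main__":
    for name, req in [("benign", BENIGN), ("header", HEADER_ATTEMPT),
                      ("encoded uri", ENCODED_URI), ("encoded body", ENCODED_BODY)]:
        print(f"{name:12s} -> {shellshock_matches(req)}")
```

The encoded-URI case only fires because the URI is decoded before matching; the same bytes in a header would be missed by the raw "() {" rules, which is the gap sid 31975 closes.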

Re: Shellshock Vulnerability [message #116365 is a reply to message #116364]
Fri, 26 September 2014 21:11
bhancepdx
Messages: 4 Registered: September 2014 Location: Portland
Not that I am aware of, no. My latest update did not contain them.
I'm testing manual edits, and getting around the way Kerio manages its internal link between Snort rules and high/medium/low threats by doing this:
1) ID'ing 2 "drop" rules with "high" threat standing -- specifically these
SID:3000001
SID:2019147
2) Deleting the 2 rules with these SIDs from the Kerio used.rules file
3) Adding these two test rules:
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ShellShock Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"%3D%28%29+%7B"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:2019147;)
drop tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ShellShock Possible CVE-2014-6271 bash Vulnerability Requested (header) "; flow:established,to_server; content:"() {"; http_header; threshold:type limit, track by_src, count 1, seconds 120; sid:3000001;)
When I do this, and test with shellshock dot brandonpotter dot com, I get these in my security logs:
[26/Sep/2014 12:07:20] IPS: Packet drop, severity: High, Rule ID: 1:3000001 KERIO IPS Test Signature - High Severity, proto:TCP, ip/port:75.127.84.182:55961 (hrtoolbox.com) -> 10.0.41.200:80
[26/Sep/2014 12:09:20] IPS: Packet drop, severity: High, Rule ID: 1:3000001 KERIO IPS Test Signature - High Severity, proto:TCP, ip/port:75.127.84.182:49339 (hrtoolbox.com) -> 10.0.41.200:80
Note that it says "KERIO IPS Test Signature" and not "ShellShock Possible CVE-2014-6271 bash Vulnerability Requested (header)" because I stole SID 3000001 from the "KERIO IPS Test Signature".
I don't recommend doing this. I am just testing, and I am making some assumptions.