[Emerging-Sigs] Shell command output outbound

Packet Hack pckthck at gmail.com
Fri Sep 26 11:39:51 EDT 2014


Here's a QnD attempt:

# Direction is web server ($HOME_NET $HTTP_PORTS) -> external client, so the
# session direction is to_client,established (to_server can never match here).
# The /H pcre modifier restricts the regex to the normalized HTTP header buffer.
alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER /usr/bin/id command output OUTBOUND on HTTP"; flow:to_client,established; content:"uid"; content:"gid"; distance:0; content:"groups"; distance:0; pcre:"/uid=\d+\(\S+?\) gid=\d+\(\S+?\) groups=\d+\(\S+?\)/H"; classtype:suspicious-login; sid:9100823; rev:3;)

--pckthck

On Fri, Sep 26, 2014 at 11:30 AM, Stefano Ruggiero <S.Ruggiero at lutech.it> wrote:
> I agree, some attack response will cover this, but I think some more proof of a
> successfully completed attack could be added.
>
> Regards.
>
> From: emerging-sigs-bounces at lists.emergingthreats.net
> [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On behalf of Packet Hack
> Sent: Friday, 26 September 2014 16:48
> To: Emerging-sigs at emergingthreats.net
> Subject: [Emerging-Sigs] Shell command output outbound
>
> Are there sigs for outbound shell command outputs, like the output of
> /usr/bin/id or uname flying out port 80? Might help catch systems vulnerable
> to Shellshock and other exploits.
>
> --pckthck
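Added example, not part of the thread: the rule's content chain and pcre replayed in Python over three constructed HTTP responses, split into header block and body so you can see which buffer the match lands in (the rule's /H modifier only inspects the header buffer). The sample responses and the helper names are made up for this illustration.

```python
import re
from typing import Optional, Tuple

# Constructed sample responses (not from a live capture).
# 1) CGI hit by a Shellshock-style payload with no leading "echo;": the id(1)
#    output lands in the header block, which is the buffer the rule's /H pcre inspects.
RESP_ID_IN_HEADERS = (
    b"HTTP/1.1 200 OK\r\n"
    b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html></html>"
)
# 2) Same output returned inside the body of an otherwise normal response.
RESP_ID_IN_BODY = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"uid=0(root) gid=0(root) groups=0(root)\n"
)
# 3) Benign page that mentions all three keywords but is not id(1) output.
RESP_BENIGN = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<p>Each uid maps to a gid and to one or more groups.</p>"
)

# Same expression as the rule's pcre option.
ID_OUTPUT_RE = re.compile(r"uid=\d+\(\S+?\) gid=\d+\(\S+?\) groups=\d+\(\S+?\)")

def content_chain(text: str) -> bool:
    """Mimic content:"uid"; content:"gid"; distance:0; content:"groups"; distance:0;
    the three strings must appear in that order (distance:0 = anywhere after)."""
    pos = 0
    for needle in ("uid", "gid", "groups"):
        pos = text.find(needle, pos)
        if pos < 0:
            return False
        pos += len(needle)
    return True

def split_http_response(raw: bytes) -> Tuple[str, str]:
    """Split a raw response into header block and body at the first blank line."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1"), (body.decode("latin-1") if sep else "")

def classify(raw: bytes) -> Optional[str]:
    """Return where id(1) output was found: 'header', 'body', or None."""
    headers, body = split_http_response(raw)
    for where, buf in (("header", headers), ("body", body)):
        if content_chain(buf) and ID_OUTPUT_RE.search(buf):
            return where
    return None
```

Only the first sample would fire the rule as posted, because /H limits the pcre to the header buffer; the second shows what a body-buffer variant would additionally catch, and the third shows why the pcre is needed on top of the three content matches.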

