[Emerging-Sigs] Shell command output outbound

Will Metcalf wmetcalf at emergingthreatspro.com
Fri Sep 26 12:04:51 EDT 2014


Nice.. Although I wouldn't limit it to HTTP_PORTS or the header; an injected
shell can be bind or reverse on any port, so maybe something like...

alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; sid:4422211; rev:1; classtype:bad-unknown;)



On Fri, Sep 26, 2014 at 10:39 AM, Packet Hack <pckthck at gmail.com> wrote:

> Here's a QnD attempt:
>
> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER /usr/bin/id command output OUTBOUND on HTTP"; flow:to_client,established; content:"uid"; content:"gid"; distance:0; content:"groups"; distance:0; pcre:"/uid=\d+\(\S+?\) gid=\d+\(\S+?\) groups=\d+\(\S+?\)/H"; classtype:suspicious-login; sid:9100823; rev:3;)
>
> --pckthck
>
> On Fri, Sep 26, 2014 at 11:30 AM, Stefano Ruggiero <S.Ruggiero at lutech.it>
> wrote:
> > I agree, some attack response sigs will cover this, but I think some more
> > proof of a successfully completed attack could be added.
> >
> >
> >
> > Regards.
> >
> >
> >
> > From: emerging-sigs-bounces at lists.emergingthreats.net
> > [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On behalf of
> > Packet Hack
> > Sent: Friday, 26 September 2014 16:48
> > To: Emerging-sigs at emergingthreats.net
> > Subject: [Emerging-Sigs] Shell command output outbound
> >
> > Are there sigs for outbound shell command outputs, like the output of
> > /usr/bin/id or uname flying out port 80? Might help catch systems vulnerable
> > to Shellshock and other exploits.
> >
> > --pckthck
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
>
>
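The detection logic of Will's rule, written out in Python as an added example (it is not code from the thread or from the ET ruleset) and run over a handful of constructed flows. The HOME_NET and HTTP_SERVERS ranges, the 203.0.113.x attacker address and every sample payload are assumptions made up for the example; the regex is the direct equivalent of the rule's content/pcre chain, and the header check keeps the rule's "any port" choice so that the 4444 reverse shell is caught alongside the HTTP response.

```python
import ipaddress
import re

# Constructed address groups standing in for the Snort/Suricata variables
# (assumption: adjust to the monitored network).
HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]
HTTP_SERVERS = [ipaddress.ip_network("10.0.0.0/24")]

# Equivalent of the content/pcre chain in the rule:
#   content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5;
#   pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8;
# within:5 / within:8 force " gid=" and " groups=" to follow the previous
# match immediately, so the whole chain collapses to one regex.
ID_OUTPUT_RE = re.compile(rb"uid=\d+[^\r\n\s]+ gid=\d+[^\r\n\s]+ groups=")


def in_group(ip: str, group) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)


def matches_id_output(payload: bytes) -> bool:
    """Payload-only check: does this look like the output of id(1)?"""
    return ID_OUTPUT_RE.search(payload) is not None


def should_alert(src_ip: str, dst_ip: str, payload: bytes) -> bool:
    """Rule header plus payload: $HTTP_SERVERS any -> $EXTERNAL_NET any.

    Ports are deliberately not checked: a bind or reverse shell can sit on
    any port, which is why the rule uses 'any' on both sides.
    """
    from_http_server = in_group(src_ip, HTTP_SERVERS)
    to_external = not in_group(dst_ip, HOME_NET)  # $EXTERNAL_NET = !$HOME_NET
    return from_http_server and to_external and matches_id_output(payload)


# Constructed id(1) output as a web server user would produce it.
ID_LINE = b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n"

# Constructed sample flows: (label, src, sport, dst, dport, payload).
SAMPLE_FLOWS = [
    ("reverse-shell-4444", "10.0.0.5", 4444, "203.0.113.9", 4444, ID_LINE),
    ("http-body-80", "10.0.0.5", 80, "203.0.113.9", 51000,
     b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n" + ID_LINE),
    ("benign-querystring", "10.0.0.5", 80, "203.0.113.9", 51001,
     b'HTTP/1.1 200 OK\r\n\r\n<a href="/profile?uid=1234&gid=5">me</a>'),
    ("internal-destination", "10.0.0.5", 4444, "10.0.1.20", 4444, ID_LINE),
    ("fields-on-separate-lines", "10.0.0.5", 80, "203.0.113.9", 51002,
     b"HTTP/1.1 200 OK\r\n\r\nuid=1000(bob)\ngid=1000(bob)\ngroups=1000(bob)\n"),
]


def run_samples():
    """Return the labels of the constructed flows the rule logic alerts on."""
    return [label for label, src, _sport, dst, _dport, payload in SAMPLE_FLOWS
            if should_alert(src, dst, payload)]


if __name__ == "__main__":
    for label in run_samples():
        print("ALERT", label)
```

Two of the five constructed flows fire: the reverse shell on 4444 and the id output carried in an HTTP response body. A header restricted to $HTTP_PORTS would miss the first, and a pcre with the /H modifier (which inspects only the normalized HTTP header buffer) would miss the second. The query-string sample shows why the within constraints matter: "uid=1234&gid=5" has no " gid=" immediately after the uid field, so the rule stays quiet on ordinary web content that happens to mention uid and gid.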