[Emerging-Sigs] Shell command output outbound

Jaime Blasco jaime.blasco at alienvault.com
Fri Sep 26 12:13:28 EDT 2014


Shouldn't we make this one more generic?

alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)

On Fri, Sep 26, 2014 at 9:04 AM, Will Metcalf <wmetcalf at emergingthreatspro.com> wrote:

> Nice.. Although I wouldn't limit to HTTP_PORTS or header.. injected shell
> can be bind or reverse on any port so maybe something like...
>
> alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; sid:4422211; rev:1; classtype:bad-unknown;)
>
> On Fri, Sep 26, 2014 at 10:39 AM, Packet Hack <pckthck at gmail.com> wrote:
>
>> Here's a QnD attempt:
>>
>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER /usr/bin/id command output OUTBOUND on HTTP"; flow:to_server,established; content:"uid"; content:"gid"; distance:0; content:"groups"; distance:0; pcre:"/uid=\d+\(\S+?\) gid=\d+\(\S+?\) groups=\d+\(\S+?\)/H"; classtype:suspicious-login; sid:9100823; rev:3;)
>>
>> --pckthck
>>
>> On Fri, Sep 26, 2014 at 11:30 AM, Stefano Ruggiero <S.Ruggiero at lutech.it> wrote:
>> > I agree, some attack response sig will cover this, but I think more proof
>> > of a successfully completed attack could be added.
>> >
>> > Regards.
>> >
>> > From: emerging-sigs-bounces at lists.emergingthreats.net
>> > [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On behalf of Packet Hack
>> > Sent: Friday, 26 September 2014 16:48
>> > To: Emerging-sigs at emergingthreats.net
>> > Subject: [Emerging-Sigs] Shell command output outbound
>> >
>> > Are there sigs for outbound shell command outputs, like the output of
>> > /usr/bin/id or uname flying out port 80? Might help catch systems
>> > vulnerable to Shellshock and other exploits.
>> >
>> > --pckthck
>> _______________________________________________
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>> http://www.emergingthreats.net
>>
>>
>


-- 
_______________________________

Jaime Blasco

AlienVault Labs Director

www.ossim.com
labs.alienvault.com
Email: jaime.blasco at alienvault.com

http://twitter.com/jaimeblascob
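As an added illustration (my own code, not a rule or script from anyone in this thread), the three proposals modelled as plain byte and regex matching in Python and run over constructed sample lines: it shows that the GPL rule fires only on a root uid while both drafts catch any `id` output, and that a benign line mentioning "uid=" and "gid=" matches none of them. Only the content/pcre logic is modelled; the flow, port and /H buffer qualifiers of the rules are not.

```python
import re

# Constructed samples (not taken from the thread) of what an injected `id`
# command echoes back, plus a benign line for contrast.
SAMPLES = {
    "root":     "uid=0(root) gid=0(root) groups=0(root)",
    "www-data": "uid=33(www-data) gid=33(www-data) groups=33(www-data)",
    "sudoer":   "uid=1000(alice) gid=1000(alice) groups=1000(alice),27(sudo)",
    "benign":   "set the uid= and gid= fields in the form below",
}

# GPL sid:2100498: a literal content match. "|28|" and "|29|" are Snort hex
# escapes for "(" and ")", so it only fires when uid 0 is named root.
GPL_CONTENT = b"uid=0(root)"

# Packet Hack's draft: its pcre option as a Python regex (the /H header-buffer
# modifier, flow and port constraints are not modelled here).
PH_PCRE = re.compile(rb"uid=\d+\(\S+?\) gid=\d+\(\S+?\) groups=\d+\(\S+?\)")

# Will Metcalf's draft: content "uid=", relative pcre /^\d+[^\r\n\s]+/R,
# content " gid=" within:5, the same pcre again, then " groups=" within:8.
# " gid=" is 5 bytes and " groups=" is 8, so "within" forces each to start
# exactly where the previous match ended; one regex encodes that chain.
WM_CHAIN = re.compile(rb"uid=\d+[^\r\n\s]+ gid=\d+[^\r\n\s]+ groups=")


def evaluate(payload: bytes) -> dict:
    """Report which of the three proposals would fire on one payload.

    re.search tries every offset, whereas a Snort/Suricata content match
    anchors on an occurrence of "uid=" and the relative options chain from
    there; for these samples the outcome is the same.
    """
    return {
        "gpl_root_only": GPL_CONTENT in payload,
        "packet_hack": PH_PCRE.search(payload) is not None,
        "metcalf": WM_CHAIN.search(payload) is not None,
    }


def run_samples() -> dict:
    """Evaluate every constructed sample; returns {name: {rule: fired}}."""
    return {name: evaluate(line.encode()) for name, line in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in run_samples().items():
        fired = [rule for rule, hit in hits.items() if hit] or ["none"]
        print(f"{name:9s} -> {', '.join(fired)}")
```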