[Emerging-Sigs] Shell command output outbound
jaime.blasco at alienvault.com
Fri Sep 26 12:13:28 EDT 2014
Shouldn't we make this one more generic?
alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498;
On Fri, Sep 26, 2014 at 9:04 AM, Will Metcalf <wmetcalf at emergingthreatspro.com> wrote:
> Nice.. Although I wouldn't limit to HTTP_PORTS or header.. injected shell
> can be bind or reverse on any port so maybe something like...
> alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; sid:4422211; rev:1;)
> On Fri, Sep 26, 2014 at 10:39 AM, Packet Hack <pckthck at gmail.com> wrote:
>> Here's a QnD attempt:
>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER /usr/bin/id command output OUTBOUND on HTTP"; flow:to_client,established; content:"uid"; content:"gid"; distance:0; content:"groups"; distance:0; pcre:"/uid=\d+\(\S+?\) gid=\d+\(\S+?\) groups=\d+\(\S+?\)/H"; classtype:suspicious-login; sid:9100823; rev:3;)
>> On Fri, Sep 26, 2014 at 11:30 AM, Stefano Ruggiero <S.Ruggiero at lutech.it> wrote:
>> > I agree, some attack response will cover this, but I think there could be
>> > added some more proof of an attack successfully completed.
>> > Regards.
>> > From: emerging-sigs-bounces at lists.emergingthreats.net
>> > [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On behalf of
>> > Hack
>> > Sent: Friday, 26 September 2014 16:48
>> > To: Emerging-sigs at emergingthreats.net
>> > Subject: [Emerging-Sigs] Shell command output outbound
>> > Are there sigs for outbound shell command outputs, like the output of
>> > /usr/bin/id or uname flying out port 80? Might help catch systems
>> > vulnerable to Shellshock and other exploits.
>> > --pckthck
>> Emerging-sigs mailing list
>> Emerging-sigs at lists.emergingthreats.net
>> Support Emerging Threats! Subscribe to Emerging Threats Pro
AlienVault Labs Director
Email: jaime.blasco at alienvault.com
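To make the uid/gid/groups pattern the thread converges on concrete, here is an added Python example (not an Emerging Threats rule and not code from anyone in this thread) that applies the same check to constructed HTTP response payloads and separates the uid=0 case that the GPL sid 2100498 rule targets from other users. The function names and the sample payloads are assumptions; the regex is modelled on the pcre in the proposed rules and generalised to accept the comma-separated groups list that id(1) prints for users in several groups.

```python
import re

# Modelled on the pcre from the proposed rules: /usr/bin/id prints
# "uid=N(name) gid=N(name) groups=N(name),N(name),...".
# Added example; not an Emerging Threats rule.
ID_OUTPUT = re.compile(
    rb"uid=(?P<uid>\d+)\((?P<user>[^)\s]+)\)"
    rb" gid=(?P<gid>\d+)\((?P<group>[^)\s]+)\)"
    rb" groups=(?P<groups>\d+\([^)\s]+\)(?:,\d+\([^)\s]+\))*)"
)


def find_id_output(payload: bytes):
    """Return a dict describing the first id(1) output found in payload, or None.

    The caller is expected to hand in traffic from the server side, which is
    the direction the thread's rules restrict themselves to.
    """
    m = ID_OUTPUT.search(payload)
    if not m:
        return None
    return {
        "uid": int(m.group("uid")),
        "user": m.group("user").decode("ascii", "replace"),
        "gid": int(m.group("gid")),
        "groups": m.group("groups").decode("ascii", "replace"),
        "root": m.group("uid") == b"0",
    }


def classify(payload: bytes) -> str:
    """Severity bucket: 'root' for uid 0 (the sid 2100498 case), 'user' for
    id output of any other account, 'none' when nothing looks like id output."""
    hit = find_id_output(payload)
    if hit is None:
        return "none"
    return "root" if hit["root"] else "user"


# Constructed sample HTTP responses (not real captures).
SAMPLES = {
    "root_output": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
        b"uid=0(root) gid=0(root) groups=0(root)\n"
    ),
    "www_data_output": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html><body><pre>"
        b"uid=33(www-data) gid=33(www-data) groups=33(www-data)</pre></body></html>"
    ),
    # "uid=" and "gid=" appear, but not in the id(1) layout: no alert.
    "benign_uid_in_url": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
        b"<a href=\"/profile?uid=42&gid=7\">groups=admins</a>"
    ),
    "multiple_groups": (
        b"HTTP/1.1 200 OK\r\n\r\nuid=1000(alice) gid=1000(alice) "
        b"groups=1000(alice),27(sudo),999(docker)\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {classify(raw)}")
```

The third sample is the false-positive case a body-wide match has to tolerate: the three tokens all occur, but only the id(1) layout with numeric ids and parenthesised names counts, which is what the `distance`/`within` constraints in the thread's rules enforce at the IDS level.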