[Emerging-Sigs] Shell command output outbound

Will Metcalf wmetcalf at emergingthreatspro.com
Fri Sep 26 12:44:36 EDT 2014


Ya, maybe from $HTTP_SERVERS though?

On Fri, Sep 26, 2014 at 11:13 AM, Jaime Blasco <jaime.blasco at alienvault.com>
wrote:

> Shouldn't we make this one more generic?
>
> alert ip any any -> any any (msg:"GPL ATTACK_RESPONSE id check returned root"; content:"uid=0|28|root|29|"; classtype:bad-unknown; sid:2100498; rev:7;)
>
> On Fri, Sep 26, 2014 at 9:04 AM, Will Metcalf <
> wmetcalf at emergingthreatspro.com> wrote:
>
>> Nice.. Although I wouldn't limit to HTTP_PORTS or header.. injected shell
>> can be bind or reverse on any port, so maybe something like...
>>
>> alert tcp $HTTP_SERVERS any -> $EXTERNAL_NET any (msg:"ET ATTACK_RESPONSE Output of id command from HTTP server"; flow:established; content:"uid="; pcre:"/^\d+[^\r\n\s]+/R"; content:" gid="; within:5; pcre:"/^\d+[^\r\n\s]+/R"; content:" groups="; within:8; sid:4422211; rev:1; classtype:bad-unknown;)
>>
>>
>>
>> On Fri, Sep 26, 2014 at 10:39 AM, Packet Hack <pckthck at gmail.com> wrote:
>>
>>> Here's a QnD attempt:
>>>
>>> alert tcp $HOME_NET $HTTP_PORTS -> $EXTERNAL_NET any (msg:"ET WEB_SERVER /usr/bin/id command output OUTBOUND on HTTP"; flow:to_client,established; content:"uid"; content:"gid"; distance:0; content:"groups"; distance:0; pcre:"/uid=\d+\(\S+?\) gid=\d+\(\S+?\) groups=\d+\(\S+?\)/H"; classtype:suspicious-login; sid:9100823; rev:3;)
>>>
>>> --pckthck
>>>
>>> On Fri, Sep 26, 2014 at 11:30 AM, Stefano Ruggiero <S.Ruggiero at lutech.it>
>>> wrote:
>>> > I agree, some attack response will cover this, but I think some more
>>> > proof that the attack completed successfully could be added.
>>> >
>>> >
>>> >
>>> > Regards.
>>> >
>>> >
>>> >
>>> > From: emerging-sigs-bounces at lists.emergingthreats.net
>>> > [mailto:emerging-sigs-bounces at lists.emergingthreats.net] On behalf of Packet
>>> > Hack
>>> > Sent: Friday, 26 September 2014 16:48
>>> > To: Emerging-sigs at emergingthreats.net
>>> > Subject: [Emerging-Sigs] Shell command output outbound
>>> >
>>> >
>>> >
>>> > Are there sigs for outbound shell command outputs, like the output of
>>> > /usr/bin/id or uname flying out port 80? Might help catch systems
>>> > vulnerable to Shellshock and other exploits.
>>> >
>>> >
>>> >
>>> > --pckthck
>>> _______________________________________________
>>> Emerging-sigs mailing list
>>> Emerging-sigs at lists.emergingthreats.net
>>> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>>>
>>> Support Emerging Threats! Subscribe to Emerging Threats Pro
>>> http://www.emergingthreats.net
>>>
>>>
>>
>>
>>
>>
>
>
> --
> _______________________________
>
> Jaime Blasco
>
> AlienVault Labs Director
>
> www.ossim.com
> labs.alienvault.com
> Email: jaime.blasco at alienvault.com
>
> http://twitter.com/jaimeblascob
>
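As an added example (not part of the thread, and not any poster's rule): the three rule bodies discussed above, collapsed into Python regexes and run over constructed sample payloads, so you can see which variant fires on root output, on a non-root user, on a uid with no passwd entry, and on a benign page that happens to mention "uid=". It assumes each rule's chained content/pcre/within options are equivalent to a single regex; Snort's buffer semantics (the /H header-only modifier, $HTTP_PORTS, flow direction) are not modelled.

```python
import re

# Constructed sample payloads (not captured traffic): what a web server might
# send back after an injected `id` command, plus a benign page for the
# false-positive surface.
SAMPLES = {
    "root_shellshock": (
        b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
        b"uid=0(root) gid=0(root) groups=0(root)\n"
    ),
    "www_data": b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n",
    # uid with no passwd entry: id prints bare numbers, no names in parens
    "unmapped_uid": b"uid=1001 gid=1001 groups=1001\n",
    "benign_page": (
        b"<p>Set uid=1 in the config; the gid field is optional; "
        b"see groups= docs.</p>"
    ),
}

# Python equivalents of the rule bodies from the thread. Assumption: the
# content/pcre/within chains collapse to one regex each; Snort buffer
# selection (/H, ports, flow) is deliberately ignored here.
RULES = {
    # GPL 2100498: literal uid=0(root) only
    "gpl_2100498": re.compile(rb"uid=0\(root\)"),
    # pckthck: requires user/group names in parentheses for all three fields
    "pckthck": re.compile(
        rb"uid=\d+\(\S+?\) gid=\d+\(\S+?\) groups=\d+\(\S+?\)"
    ),
    # wmetcalf: uid=<digits><non-space> immediately followed by " gid=",
    # then the same for " groups="; works with or without names
    "wmetcalf": re.compile(rb"uid=\d+[^\r\n\s]+ gid=\d+[^\r\n\s]+ groups="),
}


def matching_rules(payload: bytes) -> list:
    """Return the names of the rules whose pattern fires on this payload."""
    return [name for name, rx in RULES.items() if rx.search(payload)]


def classify_samples() -> dict:
    """Run every rule over every sample; maps sample label -> matching rules."""
    return {label: matching_rules(p) for label, p in SAMPLES.items()}


if __name__ == "__main__":
    for label, hits in classify_samples().items():
        print(f"{label:16s} -> {hits if hits else 'no match'}")
```

The unmapped-uid case is the one worth noting: a process running as a uid that has no passwd entry (common in minimal containers or after a chroot) prints bare numbers, so a regex that insists on `(name)` after every number misses it, while the looser "digits then non-space, then ` gid=` right after" form still fires and still stays quiet on the benign page.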

