[Emerging-Sigs] Signature for Bash Exploit?

Will Metcalf wmetcalf at emergingthreatspro.com
Fri Sep 26 14:22:44 EDT 2014

Because we got some FP's in testing. That said if you know your web apps
and you never expect this, enable them :) We might modify these a bit today
anding a pcre to anchor against places where bash where env vars might be
populated i.e. chars like [?=\x3a\s\x2f]



On Fri, Sep 26, 2014 at 1:11 PM, waldo kitty <wkitty42 at windstream.net>

> On 9/25/2014 7:56 PM, Francis Trudeau wrote:
>> There was a lot of them created over the past couple days.  They are
>> all in OPEN so they should be widespread.
>> 37 in total went out, with 30 of them being generic url-encode rules
>> that are disabled by default.
> are these disabled by default because they may appear in legitimate web
> pages or because they may FP a lot?
> --
>  NOTE: No off-list assistance is given without prior approval.
>        Please *keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> Support Emerging Threats! Subscribe to Emerging Threats Pro
> http://www.emergingthreats.net
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.emergingthreats.net/pipermail/emerging-sigs/attachments/20140926/e5e23935/attachment-0001.html>

More information about the Emerging-sigs mailing list