[Emerging-Sigs] Shell command output outbound

Markus Manzke mm at mare-system.de
Mon Sep 29 02:45:05 EDT 2014


would be useful as a general rule too:

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER /dev/tcp/  INBOUND on HTTP"; flow:to_server,established; content:"/dev/tcp/"; http_header; sid:XXXXXX; )

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET WEB_SERVER /dev/udp/  INBOUND on HTTP"; flow:to_server,established; content:"/dev/udp/"; http_header; sid:XXXXXX; )


maybe additional http_* fields, and left out classification

http://security.stackexchange.com/questions/68408/how-does-this-shellshock-scan-work



On 09/26/2014 04:47 PM, Packet Hack wrote:
> Are there sigs for outbound shell command outputs, like the output of /usr/bin/id
> or uname flying out port 80? Might help catching systems vulnerable to Shellshock
> and other exploits. 
> 
> --pckthck
> 
> 
> _______________________________________________
> Emerging-sigs mailing list
> Emerging-sigs at lists.emergingthreats.net
> https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
> 
> Support Emerging Threats! Subscribe to Emerging Threats Pro http://www.emergingthreats.net
> 
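
Added example, not part of the original thread or of the Emerging Threats ruleset: a Python model of the two checks discussed above, the inbound /dev/tcp/ and /dev/udp/ match restricted to the header block (what http_header inspects) and the outbound check for id(1) output in a response body. Function names, the id(1) regex and all sample messages are assumptions constructed for illustration.

```python
import re

# Same literals the two rules above match with content:"..."; http_header;
DEV_SOCKET = re.compile(rb"/dev/(tcp|udp)/")
# Assumed shape of id(1) output, e.g. "uid=33(www-data) gid=33(www-data)"
ID_OUTPUT = re.compile(rb"uid=\d+\([^)\s]*\)\s+gid=\d+\([^)\s]*\)")


def split_http(raw):
    """Return (start_line, header_block, body) of one raw HTTP message."""
    head, _, body = raw.partition(b"\r\n\r\n")
    start_line, _, headers = head.partition(b"\r\n")
    return start_line, headers, body


def inbound_dev_socket(request):
    """Return 'tcp' or 'udp' if a request header names /dev/tcp/ or /dev/udp/."""
    _, headers, _ = split_http(request)
    m = DEV_SOCKET.search(headers)
    return m.group(1).decode() if m else None


def outbound_id_output(response):
    """True if the response body contains what looks like id(1) output."""
    _, _, body = split_http(response)
    return ID_OUTPUT.search(body) is not None


# Constructed samples (192.0.2.0/24 is a documentation address range).
REQ_HIT = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
           b"User-Agent: x /dev/tcp/192.0.2.10/4444\r\n\r\n")
# The string sits in the URI only, so a header-only match does not fire.
REQ_URI_ONLY = b"GET /docs/dev/tcp/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
REQ_UDP = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Cookie: a=/dev/udp/192.0.2.10/53\r\n\r\n")
RESP_ID = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
           b"uid=33(www-data) gid=33(www-data) groups=33(www-data)\n")
RESP_CLEAN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>uid=33</p>"

if __name__ == "__main__":
    for name, req in [("hit", REQ_HIT), ("uri", REQ_URI_ONLY), ("udp", REQ_UDP)]:
        print(name, inbound_dev_socket(req))
    print(outbound_id_output(RESP_ID), outbound_id_output(RESP_CLEAN))
```

The URI-only sample shows the coverage gap behind the "additional http_* fields" remark: a match limited to the header buffer misses the same string in the request line or body.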

