[Emerging-Sigs] Shell command output outbound

waldo kitty wkitty42 at windstream.net
Mon Sep 29 10:51:33 EDT 2014


On 9/29/2014 2:45 AM, Markus Manzke wrote:
>
> would be useful as a general rule too:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
> WEB_SERVER /dev/tcp/  INBOUND on HTTP";
> flow:to_server,established; content:"/dev/tcp/"; http_header;
> sid:XXXXXX; )
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
> WEB_SERVER /dev/udp/  INBOUND on HTTP";
> flow:to_server,established; content:"/dev/tcp/"; http_header;
> sid:XXXXXX; )

this one says udp but looks for tcp...

agreed on the directionality thing, too... yes, i definitely want to know if 
"shellshock" is inbound to my systems but i'd also like to know if it is 
outbound from my systems...

-- 
  NOTE: No off-list assistance is given without prior approval.
        Please *keep mailing list traffic on the list* unless
        private contact is specifically requested and granted.
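
Added example, not part of the original messages and not an Emerging Threats rule: the quoted pair with the second rule's content matching its msg, plus outbound counterparts for the directionality point raised in the reply. The sids are constructed values from the local-use range, and the "LOCAL" msg prefix, the outbound msg wording and `rev:1` are assumptions.

```suricata
# Inbound: requests from outside to local web servers carrying /dev/tcp/ or /dev/udp/ in an HTTP header.
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB_SERVER /dev/tcp/ INBOUND on HTTP"; flow:to_server,established; content:"/dev/tcp/"; http_header; sid:1000001; rev:1;)
# The content string now agrees with the msg (udp, not tcp).
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"LOCAL WEB_SERVER /dev/udp/ INBOUND on HTTP"; flow:to_server,established; content:"/dev/udp/"; http_header; sid:1000002; rev:1;)

# Outbound: the same header content in requests leaving local hosts for external web servers.
# Source and destination variables are swapped; flow stays to_server because the local host is the HTTP client.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL WEB_CLIENT /dev/tcp/ OUTBOUND on HTTP"; flow:to_server,established; content:"/dev/tcp/"; http_header; sid:1000003; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"LOCAL WEB_CLIENT /dev/udp/ OUTBOUND on HTTP"; flow:to_server,established; content:"/dev/udp/"; http_header; sid:1000004; rev:1;)
```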

