[Emerging-Sigs] Shell command output outbound

Darien Huss dhuss at emergingthreats.net
Mon Sep 29 11:00:29 EDT 2014


Thanks Markus, we'll get these into QA today!

Regards,
Darien

On Mon, Sep 29, 2014 at 10:51 AM, waldo kitty <wkitty42 at windstream.net>
wrote:

> On 9/29/2014 2:45 AM, Markus Manzke wrote:
>
>>
>> would be useful as a general rule too:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
>> WEB_SERVER /dev/tcp/  INBOUND on HTTP";
>> flow:to_server,established; content:"/dev/tcp/"; http_header;
>> sid:XXXXXX; )
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
>> WEB_SERVER /dev/udp/  INBOUND on HTTP";
>> flow:to_server,established; content:"/dev/tcp/"; http_header;
>> sid:XXXXXX; )
>>
>
> this one says udp but looks for tcp...
>
> agreed on the directionality thing, too... yes, i definitely want to know
> if "shellshock" is inbound to my systems but i'd also like to know if it is
> outbound from my systems...
>
> --
>  NOTE: No off-list assistance is given without prior approval.
>        Please *keep mailing list traffic on the list* unless
>        private contact is specifically requested and granted.
>
>
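The mismatch pointed out in the reply above (a rule whose msg says /dev/udp/ while its content still matches /dev/tcp/) is a copy-paste slip that a lint pass before QA can catch. The following Python check is an added example, not part of the original thread or of Emerging Threats tooling; the function names, the constructed sample headers and the plain substring matching used in place of a real rule engine are assumptions.

```python
import re

# The two rules as posted in the thread (unwrapped; sid is the thread's placeholder).
HEAD = 'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
TAIL = 'flow:to_server,established; content:"/dev/tcp/"; http_header; sid:XXXXXX; )'
RULES = [
    HEAD + '(msg:"ET WEB_SERVER /dev/tcp/  INBOUND on HTTP"; ' + TAIL,
    HEAD + '(msg:"ET WEB_SERVER /dev/udp/  INBOUND on HTTP"; ' + TAIL,
]

# Constructed header lines for illustration (192.0.2.0/24 is a documentation range).
SAMPLES = {
    "tcp": "X-Example: /dev/tcp/192.0.2.10/80",
    "udp": "X-Example: /dev/udp/192.0.2.10/53",
}

DEV_PATH = re.compile(r"/dev/(?:tcp|udp)/")


def parse_rule(rule):
    """Return (msg, [content strings]) from one rule's option block."""
    msg = re.search(r'msg:"([^"]*)"', rule).group(1)
    contents = re.findall(r'content:"([^"]*)"', rule)
    return msg, contents


def lint_rule(rule):
    """Report /dev/... paths where the msg text and the content matches disagree."""
    msg, contents = parse_rule(rule)
    named = set(DEV_PATH.findall(msg))
    matched = {p for c in contents for p in DEV_PATH.findall(c)}
    problems = [f"msg names {p} but no content matches it" for p in sorted(named - matched)]
    problems += [f"content matches {p} but msg does not name it" for p in sorted(matched - named)]
    return problems


def fires(rule, header_block):
    """Hypothetical stand-in for the engine: every content string must appear
    in the header text, case-sensitively (the posted rules have no nocase)."""
    _, contents = parse_rule(rule)
    return all(c in header_block for c in contents)


if __name__ == "__main__":
    for i, rule in enumerate(RULES, 1):
        print(f"rule {i}: lint={lint_rule(rule)}")
        for name, hdr in SAMPLES.items():
            print(f"  fires on {name} sample: {fires(rule, hdr)}")
```

As posted, the second rule never fires on the /dev/udp/ sample and instead duplicates the first rule's alert on /dev/tcp/ traffic under a udp label.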