[Emerging-Sigs] Shell command output outbound

Darien Huss dhuss at emergingthreats.net
Mon Sep 29 11:40:26 EDT 2014


2019285 should cover the /dev/tcp/ sig.

Regards,
Darien

On Mon, Sep 29, 2014 at 11:00 AM, Darien Huss <dhuss at emergingthreats.net>
wrote:

> Thanks Markus, we'll get these into QA today!
>
> Regards,
> Darien
>
> On Mon, Sep 29, 2014 at 10:51 AM, waldo kitty <wkitty42 at windstream.net>
> wrote:
>
>> On 9/29/2014 2:45 AM, Markus Manzke wrote:
>>
>>>
>>> would be useful as a general rule too:
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
>>> WEB_SERVER /dev/tcp/  INBOUND on HTTP";
>>> flow:to_server,established; content:"/dev/tcp/"; http_header;
>>> sid:XXXXXX; )
>>>
>>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
>>> WEB_SERVER /dev/udp/  INBOUND on HTTP";
>>> flow:to_server,established; content:"/dev/tcp/"; http_header;
>>> sid:XXXXXX; )
>>>
>>
>> this one says udp but looks for tcp...
>>
>> agreed on the directionality thing, too... yes, i definitely want to know
>> if "shellshock" is inbound to my systems but i'd also like to know if it is
>> outbound from my systems...
>>
>> --
>>  NOTE: No off-list assistance is given without prior approval.
>>        Please *keep mailing list traffic on the list* unless
>>        private contact is specifically requested and granted.
>>
>
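Added example, not part of the thread or of the Emerging Threats ruleset: a small Python check for the mismatch pointed out above, where a rule's msg names /dev/udp/ while its content matches /dev/tcp/. The parser and function names are illustrative and only handle the simple option syntax used in these two rules; the rules are copied from the thread, unwrapped, with its sid placeholder kept.

```python
import re

# The two rules as posted in the thread, unwrapped; sid is the thread's own placeholder.
RULES = [
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"ET WEB_SERVER /dev/tcp/  INBOUND on HTTP"; '
    'flow:to_server,established; content:"/dev/tcp/"; http_header; sid:XXXXXX; )',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
    '(msg:"ET WEB_SERVER /dev/udp/  INBOUND on HTTP"; '
    'flow:to_server,established; content:"/dev/tcp/"; http_header; sid:XXXXXX; )',
]

# A keyword, optionally followed by ":value", terminated by ";".
# A double-quoted value is consumed whole, so a ";" inside it does not end the option.
OPTION_RE = re.compile(r'\s*([\w.]+)\s*(?::\s*((?:"(?:\\.|[^"\\])*"|[^;"])*))?;')
DEV_PATH_RE = re.compile(r'/dev/(?:tcp|udp)/')


def parse_options(rule):
    """Return the (keyword, value) pairs found between the rule's parentheses."""
    body = rule[rule.index('(') + 1:rule.rindex(')')]
    return [(m.group(1), (m.group(2) or '').strip())
            for m in OPTION_RE.finditer(body)]


def msg_content_mismatch(rule):
    """Compare the /dev/ pseudo-paths named in msg with those in content options.

    Returns (named_in_msg_but_not_matched, matched_but_not_named_in_msg).
    """
    opts = parse_options(rule)
    msg = next((v for k, v in opts if k == 'msg'), '')
    contents = [v.strip('"') for k, v in opts if k == 'content']
    named = DEV_PATH_RE.findall(msg)
    matched = [p for c in contents for p in DEV_PATH_RE.findall(c)]
    return ([p for p in named if p not in matched],
            [p for p in matched if p not in named])


if __name__ == '__main__':
    for rule in RULES:
        print(msg_content_mismatch(rule))
```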