[Emerging-Sigs] Shell command output outbound

Markus Manzke mm at mare-system.de
Tue Sep 30 04:10:48 EDT 2014


>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
>> WEB_SERVER /dev/udp/  INBOUND on HTTP";
>> flow:to_server,established; content:"/dev/tcp/"; http_header;
>> sid:XXXXXX; )
> 
> this one says udp but looks for tcp...

better to have someone look over it :D


> 
> agreed on the directionality thing, too... yes, i definitely want to know if "shellshock" is inbound to
> my systems but i'd also like to know if it is outbound from my systems...

difficult ... i think there are some good rules already that cover the output of cat /etc/passwd
'n' stuff already, thus being some generic RCE-sigs that detect common commands inbound
and output outbound, but maybe a good chance to re-check them
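
The two directions discussed in this thread, as an added example that is not part of the original message or of any Emerging Threats rule: a Python sketch that flags /dev/tcp/ or /dev/udp/ in inbound request headers and passwd-format records in outbound response bodies. The function names, the two-record threshold and the sample traffic are assumptions constructed for illustration.

```python
import re

# One /etc/passwd record has 7 colon-separated fields:
# name:password:uid:gid:gecos:home:shell
PASSWD_LINE = re.compile(
    r"^[a-z_][a-z0-9_.-]*\$?:[^:\n]*:\d+:\d+:[^:\n]*:/[^:\n]*:[^:\n]*$",
    re.MULTILINE,
)
# Bash pseudo-devices from the rule quoted in the thread; both protocols
# are matched so the check agrees with either reading of that rule.
DEV_SOCKET = re.compile(r"/dev/(?:tcp|udp)/")


def inbound_dev_socket(request_headers: str) -> bool:
    """True when inbound request headers reference /dev/tcp/ or /dev/udp/."""
    return DEV_SOCKET.search(request_headers) is not None


def outbound_passwd_lines(response_body: str, min_lines: int = 2) -> bool:
    """True when the body holds at least min_lines passwd-format records.

    Requiring several records reduces false positives from a single
    colon-heavy line. Records must start at the beginning of a line, so
    output wrapped in inline markup is not matched by this sketch.
    """
    body = response_body.replace("\r\n", "\n")
    return len(PASSWD_LINE.findall(body)) >= min_lines


# Constructed sample traffic (documentation addresses, not real captures).
SAMPLE_REQUEST = (
    "GET /cgi-bin/status HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "User-Agent: x /dev/udp/192.0.2.10/53\r\n\r\n"
)
SAMPLE_LEAK = (
    "root:x:0:0:root:/root:/bin/bash\r\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\r\n"
)
SAMPLE_BENIGN = "<html><body>uptime: 12:30:45 up 3 days</body></html>\n"

if __name__ == "__main__":
    print("inbound hit: ", inbound_dev_socket(SAMPLE_REQUEST))
    print("outbound hit:", outbound_passwd_lines(SAMPLE_LEAK))
    print("benign hit:  ", outbound_passwd_lines(SAMPLE_BENIGN))
```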



