[Emerging-Sigs] Shell command output outbound
mm at mare-system.de
Tue Sep 30 04:10:48 EDT 2014
>> alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"ET
>> WEB_SERVER /dev/udp/ INBOUND on HTTP";
>> flow:to_server,established; content:"/dev/tcp/"; http_header;
>> sid:XXXXXX; )
> this one says udp but looks for tcp...
better to have someone look over it :D
> agreed on the directionality thing, too... yes, i definitely want to know if "shellshock" is inbound to
> my systems but i'd also like to know if it is outbound from my systems...
difficult ... i think there are some good rules already that cover the output of cat /etc/passwd
'n' stuff already, thus being some generic RCE-sigs that detect common commands inbound
and output outbound, but maybe a good chance to re-check them
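
The outbound side mentioned in the reply above (output of cat /etc/passwd leaving a server), sketched as an added example that is not part of the original post or of any Emerging Threats rule. The function names, the three-line threshold and the sample payloads are assumptions constructed here.

```python
import re

# One passwd(5) record: name:password:UID:GID:GECOS:home:shell
PASSWD_LINE = re.compile(
    rb"^[a-z_][a-z0-9_.-]{0,31}\$?:[^:\n]*:\d{1,10}:\d{1,10}:[^:\n]*:/[^:\n]*:[^:\n]*$"
)

def passwd_run_length(payload: bytes) -> int:
    """Return the longest run of consecutive passwd-format lines in payload."""
    best = run = 0
    for line in payload.splitlines():
        if PASSWD_LINE.match(line.strip()):
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best

def is_passwd_leak(payload: bytes, min_run: int = 3) -> bool:
    """Flag a server-to-client payload that carries the uid 0 root record
    inside a block of at least min_run consecutive passwd records.
    A single quoted line (documentation, a forum post) stays below the bar."""
    has_root = re.search(rb"^root:[^:\n]*:0:0:", payload, re.M) is not None
    return has_root and passwd_run_length(payload) >= min_run

# Constructed sample: HTTP response carrying command output.
SAMPLE_LEAK = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    b"bin:x:2:2:bin:/bin:/usr/sbin/nologin\n"
)

# Constructed sample: a page that merely quotes one record.
SAMPLE_BENIGN = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    b"A typical first line of the file is:\n"
    b"root:x:0:0:root:/root:/bin/bash\n"
    b"That is the root record.\n"
)

if __name__ == "__main__":
    for name, body in (("leak", SAMPLE_LEAK), ("benign", SAMPLE_BENIGN)):
        print(name, passwd_run_length(body), is_passwd_leak(body))
```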