<div dir="ltr">We should have these rolled out shortly. Went with the following. Regex is to reduce FPs we had during testing.<br><br>alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_uri; fast_pattern:only; pcre:"/[=?&\x2f]\s*?\x28\x29\x20\x7b\x20/U"; sid:2019231; rev:1; classtype:attempted-admin; reference:url,<a href="http://blogs.akamai.com/2014/09/environment-bashing.html">blogs.akamai.com/2014/09/environment-bashing.html</a>;)<br><br>alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_header; fast_pattern:only; sid:2019232; rev:1; classtype:attempted-admin; reference:url,<a href="http://blogs.akamai.com/2014/09/environment-bashing.html">blogs.akamai.com/2014/09/environment-bashing.html</a>;)<br><br>alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body"; flow:established,to_server; content:"|28 29 20 7b 20|"; http_client_body; fast_pattern:only; pcre:"/(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20/P"; sid:2019233; rev:1; classtype:attempted-admin; reference:url,<a href="http://blogs.akamai.com/2014/09/environment-bashing.html">blogs.akamai.com/2014/09/environment-bashing.html</a>;)<br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 24, 2014 at 4:59 PM, Jake Warren <span dir="ltr"><<a href="mailto:jake.warren@masergy.com" target="_blank">jake.warren@masergy.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Here's my attempt at some rules for the CGI attack vector. Poorly written rules with horrible performance, but they do at least catch the initial PoC attacks. 
:-)<br><div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible CVE-2014-6271 exploit attempt via HTTP headers"; content:"|28|"; http_header; content:"|29|"; http_header; distance:0; within:10; content:"|7b|"; http_header; distance:0; within:10; content:"|3a|"; http_header; distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10; content:"|7d|"; http_header; fast_pattern; distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10; classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)<br><br>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible CVE-2014-6271 exploit attempt via HTTP URI"; content:"|28|"; http_uri; content:"|29|"; http_uri; distance:0; within:10; content:"|7b|"; http_uri; distance:0; within:10; content:"|3a|"; http_uri; distance:0; within:10; content:"|3b|"; http_uri; distance:0; within:10; content:"|7d|"; http_uri; fast_pattern; distance:0; within:10; content:"|3b|"; http_uri; distance:0; within:10; classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888"><div>-Jake Warren<br><br></div></font></span></div></div><div><div class="h5">
<br><div class="gmail_quote">On Wed, Sep 24, 2014 at 12:54 PM, Darien Huss <span dir="ltr"><<a href="mailto:dhuss@emergingthreats.net" target="_blank">dhuss@emergingthreats.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks Cooper, we should have something going out today for this.<br><br>Regards,<br>Darien<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 24, 2014 at 1:33 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
This popped up on one of my mailing lists today:<br>
<br>
> <a href="https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/" target="_blank">https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/</a><br>
<br>
This is an example of the exploit code:<br>
<br>
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"<br>
>  vulnerable<br>
>  this is a test<br>
<br>
I'm not sure of what would be the best way to detect this, as its<br>
potentially exploitable via multiple ports/protocols and I suspect<br>
trivial to obfuscate.<br>
<br>
--<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042<br>
_______________________________________________<br>
Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@lists.emergingthreats.net" target="_blank">Emerging-sigs@lists.emergingthreats.net</a><br>
<a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
<br>
Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreats.net" target="_blank">http://www.emergingthreats.net</a><br>
<br>
</blockquote></div><br></div>
<br></blockquote></div><br></div></div></div></div></div>
<br></blockquote></div><br></div>
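The three ET rules at the top of this thread, re-implemented in Python over constructed HTTP requests to show why the pcre was layered on top of the bare `() { ` content match. This is an added example, not code from the list or from Emerging Threats; it assumes a simplified request parser (percent-decoding stands in for Snort's normalized `http_uri` buffer) and a placeholder host `example.test`.

```python
import re
from urllib.parse import unquote_to_bytes

# Fast-pattern content shared by all three ET rules: |28 29 20 7b 20| == "() { "
CONTENT = b"() { "
# The pcre bodies as written in the rules; Snort's /U and /P modifiers only
# select the buffer, so the expressions run unchanged under Python's re.
URI_PCRE = re.compile(rb"[=?&\x2f]\s*?\x28\x29\x20\x7b\x20")
BODY_PCRE = re.compile(rb"(?:^|[=?&])\s*?\x28\x29\x20\x7b\x20")

def split_request(raw: bytes) -> tuple:
    """Split a raw HTTP/1.x request into (normalized_uri, header_block, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.split(b"\r\n")
    uri = request_line.split(b" ", 1)[1].rsplit(b" ", 1)[0]
    # Mimic the http_uri normalized buffer: percent-decode before matching.
    return unquote_to_bytes(uri), b"\r\n".join(header_lines), body

def content_hits(raw: bytes) -> list:
    """sids that would fire on the content match alone (no pcre)."""
    uri, headers, body = split_request(raw)
    return [sid for sid, buf in ((2019231, uri), (2019232, headers), (2019233, body))
            if CONTENT in buf]

def rule_hits(raw: bytes) -> list:
    """sids that fire with the full rule logic: content plus the per-buffer pcre."""
    uri, headers, body = split_request(raw)
    hits = []
    if CONTENT in uri and URI_PCRE.search(uri):
        hits.append(2019231)
    if CONTENT in headers:            # the header rule has no pcre
        hits.append(2019232)
    if CONTENT in body and BODY_PCRE.search(body):
        hits.append(2019233)
    return hits

# Constructed sample requests (not captured traffic); the host is a placeholder.
PROBE_IN_URI = (b"GET /cgi-bin/status?x=()%20{%20:;};%20echo%20vulnerable HTTP/1.1\r\n"
                b"Host: example.test\r\n\r\n")
PROBE_IN_HEADER = (b"GET /cgi-bin/status HTTP/1.1\r\nHost: example.test\r\n"
                   b"User-Agent: () { :;}; echo vulnerable\r\n\r\n")
PROBE_IN_BODY = (b"POST /cgi-bin/form HTTP/1.1\r\nHost: example.test\r\n"
                 b"Content-Type: application/x-www-form-urlencoded\r\n"
                 b"Content-Length: 27\r\n\r\nx=() { :;}; echo vulnerable")
# Benign JavaScript in a query string: contains "() { " but not right after = ? & or /
BENIGN_JS = (b"GET /search?q=function%20foo()%20{%20return%201;%20} HTTP/1.1\r\n"
             b"Host: example.test\r\n\r\n")
```

Each probe trips exactly one sid under `rule_hits`, while `BENIGN_JS` trips the URI content match but not the pcre, which is the false positive the regex was added to suppress.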