<div dir="ltr"><div>Thanks for sharing Liam. Looks like the DHCP sigs will need to be reworked. <br><br></div>Jake<br><div><div><br><br><div class="gmail_extra"><div class="gmail_quote">On Thu, Sep 25, 2014 at 2:11 PM, Liam Randall <span dir="ltr"><<a href="mailto:liam.randall@gigaco.com" target="_blank">liam.randall@gigaco.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">DHCP is out:<div><a href="https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/" target="_blank">https://www.trustedsec.com/september-2014/shellshock-dhcp-rce-proof-concept/</a><br></div><div><br></div><div>Liam</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 25, 2014 at 3:06 PM, Will Metcalf <span dir="ltr"><<a href="mailto:wmetcalf@emergingthreatspro.com" target="_blank">wmetcalf@emergingthreatspro.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Collapsing these into a single rule without specific option.<br><br></div>Regards,<br><br>Will<br></div><div class="gmail_extra"><br><div class="gmail_quote"><span>On Wed, Sep 24, 2014 at 4:59 PM, Jake Warren <span dir="ltr"><<a href="mailto:jake.warren@masergy.com" target="_blank">jake.warren@masergy.com</a>></span> wrote:<br></span><div><div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr">Here's my attempt at some rules for the cgi attack vector. Poorly written rules with horrible performance but they do at least catch the initial PoC attacks. 
:-)<br><div><div class="gmail_extra"><br clear="all"><div><div dir="ltr"><div>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible CVE-2014-6271 exploit attempt via HTTP headers"; content:"|28|"; http_header; content:"|29|"; http_header; distance:0; within:10; content:"|7b|"; http_header; distance:0; within:10; content:"|3a|"; http_header; distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10; content:"|7d|"; http_header; fast_pattern; distance:0; within:10; content:"|3b|"; http_header; distance:0; within:10; classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)<br><br>alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"Possible CVE-2014-6271 exploit attempt via HTTP URI"; content:"|28|"; http_uri; content:"|29|"; http_uri; distance:0; within:10; content:"|7b|"; http_uri; distance:0; within:10; content:"|3a|"; http_uri; distance:0; within:10; content:"|3b|"; http_uri; distance:0; within:10; content:"|7d|"; http_uri; fast_pattern; distance:0; within:10; content:"|3b|"; http_uri; distance:0; within:10; classtype:web-application-attack; reference:cve,2014-6271; sid:xxxx; rev:1;)<span><font color="#888888"><br><br></font></span></div><span><font color="#888888"><div>-Jake Warren<br><br></div></font></span></div></div><div><div>
<br><div class="gmail_quote">On Wed, Sep 24, 2014 at 12:54 PM, Darien Huss <span dir="ltr"><<a href="mailto:dhuss@emergingthreats.net" target="_blank">dhuss@emergingthreats.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">Thanks Cooper, we should have something going out today for this.<br><br>Regards,<br>Darien<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Sep 24, 2014 at 1:33 PM, Cooper F. Nelson <span dir="ltr"><<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">-----BEGIN PGP SIGNED MESSAGE-----<br>
Hash: SHA1<br>
<br>
This popped up on one of my mailing lists today:<br>
<br>
> <a href="https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/" target="_blank">https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/</a><br>
<br>
This is an example of the exploit code:<br>
<br>
> $ env x='() { :;}; echo vulnerable' bash -c "echo this is a test"<br>
>  vulnerable<br>
>  this is a test<br>
<br>
I'm not sure of what would be the best way to detect this, as it's<br>
potentially exploitable via multiple ports/protocols and I suspect<br>
trivial to obfuscate.<br>
<br>
- --<br>
Cooper Nelson<br>
Network Security Analyst<br>
UCSD ACT Security Team<br>
<a href="mailto:cnelson@ucsd.edu" target="_blank">cnelson@ucsd.edu</a> x41042<br>
-----BEGIN PGP SIGNATURE-----<br>
Version: GnuPG v2.0.17 (MingW32)<br>
<br>
iQEcBAEBAgAGBQJUIwBXAAoJEKIFRYQsa8FW3+4H/3qMEZ5MirfKyd21/TyyWXgy<br>
BLiIlNojmmB/xG+vcgjI9efTY+i6+6gE4zPl0ID6EOU89m/oCEcghO9zw09arO3H<br>
YmFeJRZjpIK3iym+FGZMIDvo2F4tt76Oo+58wWxYqkNjYUKWVde6e18wp15hPx/L<br>
Uy1S1Ec3AozhEjNcFgUR6vI7hRz+bmEv5Qa2dLfsiEuWBkJvTw9wYnHYjFgrNMOm<br>
3w6lyJmkOC2R+/A0CD436IbnEg55uSwL6kE0pdGfmx4b9kHpJ9Wauj3lLsUUo/PF<br>
ja0FhmeGhtfjzrSlJXw7mWUKXMujPviYZswzGZWyQknfktFwHLKplM+cz4LBaZQ=<br>
=VV4h<br>
-----END PGP SIGNATURE-----<br>
_______________________________________________<br>
Emerging-sigs mailing list<br>
<a href="mailto:Emerging-sigs@lists.emergingthreats.net" target="_blank">Emerging-sigs@lists.emergingthreats.net</a><br>
<a href="https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs" target="_blank">https://lists.emergingthreats.net/mailman/listinfo/emerging-sigs</a><br>
<br>
Support Emerging Threats! Subscribe to Emerging Threats Pro <a href="http://www.emergingthreats.net" target="_blank">http://www.emergingthreats.net</a><br>
<br>
</blockquote></div><br></div>
<br>
<br></blockquote></div><br></div></div></div></div></div>
<br>
<br></blockquote></div></div></div><br></div>
<br>
<br></blockquote></div><br></div>
</blockquote></div><br></div></div></div></div>
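The two Snort rules Jake posted express one idea: the seven bytes `( ) { : ; } ;` must occur in order, each found within 10 bytes of the previous one, in either the HTTP header buffer or the normalized URI. The following is an added example, not code from the thread or from Emerging Threats. It re-implements that ordered content match in Python (with the retry-from-next-occurrence behaviour Snort applies to relative matches) and runs it over three constructed HTTP requests: the Red Hat PoC string in a User-Agent header, the same string percent-encoded in the URI, and a benign browser request. Percent-decoding the URI to approximate Snort's `http_uri` normalization is an assumption of this example, and the rule `msg` strings are reused only as labels for which rule would fire.

```python
"""Added example: emulate the ordered byte-sequence match used by the two
Snort rules for CVE-2014-6271 in the thread above. Not code from the thread
or from Emerging Threats; written for offline experimentation."""
from urllib.parse import unquote_to_bytes

# The seven content bytes from the rules, in order: |28| |29| |7b| |3a| |3b| |7d| |3b|
RULE_BYTES = b"(){:;};"
# Every content after the first carries distance:0; within:10
WITHIN = 10


def _chain(buf: bytes, pattern: bytes, pos: int, within: int) -> bool:
    """Match pattern[1:] relative to a match of pattern[0] that ended at `pos`."""
    for b in pattern[1:]:
        idx = buf.find(bytes([b]), pos, pos + within)
        if idx < 0:
            return False
        pos = idx + 1
    return True


def matches_rule(buf: bytes, pattern: bytes = RULE_BYTES, within: int = WITHIN) -> bool:
    """True if every byte of `pattern` appears in order, each found within
    `within` bytes after the end of the previous match. Like Snort, retry from
    every occurrence of the first content byte rather than giving up on the first."""
    first = pattern[:1]
    start = buf.find(first)
    while start >= 0:
        if _chain(buf, pattern, start + 1, within):
            return True
        start = buf.find(first, start + 1)
    return False


def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into (uri, header_block).
    The URI is percent-decoded to approximate Snort's normalized http_uri
    buffer (an assumption of this example, not a statement about Snort internals)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, _, header_block = head.partition(b"\r\n")
    parts = request_line.split(b" ")
    uri = unquote_to_bytes(parts[1]) if len(parts) >= 2 else b""
    return uri, header_block


def scan_request(raw: bytes) -> list:
    """Return the msg strings of the rules that would fire on this request."""
    uri, headers = split_request(raw)
    hits = []
    if matches_rule(headers):
        hits.append("Possible CVE-2014-6271 exploit attempt via HTTP headers")
    if matches_rule(uri):
        hits.append("Possible CVE-2014-6271 exploit attempt via HTTP URI")
    return hits


# Constructed sample requests (not captured traffic). The payload string is the
# one from the Red Hat advisory quoted in the thread; the URI form is the same
# string percent-encoded.
POC = b"() { :;}; echo vulnerable"
SAMPLES = {
    "poc_in_user_agent": (
        b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: " + POC + b"\r\n\r\n"
    ),
    "poc_in_uri": (
        b"GET /cgi-bin/status?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20vulnerable HTTP/1.1\r\n"
        b"Host: www.example.com\r\n\r\n"
    ),
    "benign": (
        b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
        b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101\r\n\r\n"
    ),
}


def scan_samples() -> dict:
    """Run every constructed sample through the emulated rules."""
    return {name: scan_request(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in scan_samples().items():
        print(f"{name}: {hits or 'no alert'}")
```

Two things the emulation makes easy to see without a sensor: the benign User-Agent contains `(` and `)` but the closing parenthesis falls more than 10 bytes after the opening one, so the chain breaks at the second content and no alert fires; and the match keys on the literal `:` and `;` from the PoC's function body, which is the kind of PoC-specific detail Cooper's note about obfuscation warns about, so any reworked rule should be checked against more than the advisory's sample string.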