slightly more permissive regex and initial attempt at connect-back detec... #1
37 changes: 36 additions & 1 deletion bash-cve-2014-6271/bash-cve-2014-6271.bro
Expand Up @@ -6,22 +6,26 @@
# CHANGES:
# 2014-9-24 Initial support for http header vector via mod_cgi
# 2014-9-25 Added support for ignoring subnets to subnets
# 2014-9-25 Slightly more permissive regex and added connect-back detection, as well as URI detection

module Bash;

export {
redef enum Notice::Type += {
## Indicates that a host may have attempted a bash cgi header attack
HTTP_Header_Attack,
HTTP_URI_Attack,
Connect_Back,
};

# exclude hosts or entire networks from being tracked as potential "scanners".
# index is conneciton subnet originators, yield is connection subnet responders
const ignore_scanners: table[subnet] of subnet &redef;


}

global shellshock_hosts: set[addr] &create_expire=10min &synchronized;

event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
{

Expand All @@ -37,7 +41,38 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
$conn=c,
$msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via HTTP mod_cgi header against %s submitting \"%s\"=\"%s\"",c$id$orig_h, c$id$resp_h, name, value),
$identifier=c$uid]);
add shellshock_hosts[c$id$resp_h];
}
}

}

event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
{
if ( c$id$orig_h in ignore_scanners && c$id$resp_h in ignore_scanners[c$id$orig_h] )
return;
if ( /\x28\x29\x20\x7b\x20/ in unescaped_URI)
{
NOTICE([$note=Bash::HTTP_URI_Attack,
$conn=c,
$msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via HTTP mod_cgi URL against %s", c$id$orig_h, c$id$resp_h),
$identifier=c$uid]);
add shellshock_hosts[c$id$resp_h];
}
}

event Conn::log_conn(rec: Conn::Info)
{
if ( rec$id$resp_h in shellshock_hosts && rec$id$resp_h == rec$id$orig_h )
{
local c: connection;
local cid: conn_id;
c$id = cid;
c$uid = rec$uid;
c$id$orig_h = rec$id$orig_h;
c$id$resp_h = rec$id$resp_h;
c$id$resp_p = rec$id$resp_p;
NOTICE([$note=Bash::Connect_Back, $msg=fmt("Possible connect back from detected CVE-2014-6271 exploit(%s)", rec$id$resp_h),
$conn=c]);
}
}
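Review bot: The connect-back condition in Conn::log_conn, `rec$id$resp_h in shellshock_hosts && rec$id$resp_h == rec$id$orig_h`, only matches a connection whose originator and responder are the same address, so an outbound connection from an attacked host — the case the Connect_Back name and message describe — is never reported; since both http_header and http_request add the attacked `c$id$resp_h` to shellshock_hosts, the test presumably should be `if ( rec$id$orig_h in shellshock_hosts )` with the message formatting `rec$id$orig_h`. The hand-built `connection` record below it also leaves most fields unset (for instance `orig_p`, and everything outside `id` and `uid`); the notice framework copies `id` and `uid` out of `$conn` and then logs them, so touching one of the missing fields would likely raise a "field value missing" runtime error, and Notice::Info accepts `$id` and `$uid` directly, which makes the placeholder record unnecessary. With the corrected test this rule will flag every outbound connection from a listed host for the 10-minute expiry window, including ones into the ignore_scanners ranges, so a comment stating that expectation (or an ignore_scanners check mirroring the HTTP events) would help the operator tune it.
```zeek
event Conn::log_conn(rec: Conn::Info)
	{
	# Connect-back: the host that was the target of the exploit attempt
	# (and was added to shellshock_hosts) now originates a connection.
	if ( rec$id$orig_h in shellshock_hosts )
		{
		NOTICE([$note=Bash::Connect_Back,
		        $msg=fmt("Possible connect back from detected CVE-2014-6271 exploit(%s)", rec$id$orig_h),
		        $id=rec$id,
		        $uid=rec$uid]);
		}
	}
```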