Fixed 0245-apache and 0250-web rules for Shellshock detection #115

Merged
merged 4 commits
May 14, 2018

Conversation

@frgv (Contributor) commented Mar 23, 2018

This PR fixes Shellshock detection on Web rules (0245 and 250). Now it can detect more malicious patterns, as suggested in #80, avoiding false negatives.

192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { _; foo; } >_[$($())] { /usr/bin/perl ... }"
**Phase 1: Completed pre-decoding.
       full event: '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { _; foo; } >_[$($())] { /usr/bin/perl ... }"'
       timestamp: '(null)'
       hostname: 'manager1'
       program_name: '(null)'
       log: '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { _; foo; } >_[$($())] { /usr/bin/perl ... }"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '192.168.2.100'
       proto: 'GET'
       url: '/cgi-bin/test.sh'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31167'
       Level: '15'
       Description: 'Shellshock attack detected'
       Info - CVE: 'CVE-2014-6278'
       Info - Link: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278'
**Alert to be generated.
192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { _; } >_[$($())] { /usr/bin/perl ... }"
**Phase 1: Completed pre-decoding.
       full event: '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { _; } >_[$($())] { /usr/bin/perl ... }"'
       timestamp: '(null)'
       hostname: 'manager1'
       program_name: '(null)'
       log: '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { _; } >_[$($())] { /usr/bin/perl ... }"'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '192.168.2.100'
       proto: 'GET'
       url: '/cgi-bin/test.sh'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31167'
       Level: '15'
       Description: 'Shellshock attack detected'
       Info - CVE: 'CVE-2014-6278'
       Info - Link: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278'
**Alert to be generated.
192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { gry; };/usr/bin/perl ..."
**Phase 1: Completed pre-decoding.
       full event: '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { gry; };/usr/bin/perl ..."'
       timestamp: '(null)'
       hostname: 'manager1'
       program_name: '(null)'
       log: '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { gry; };/usr/bin/perl ..."'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '192.168.2.100'
       proto: 'GET'
       url: '/cgi-bin/test.sh'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31166'
       Level: '15'
       Description: 'Shellshock attack detected'
       Info - CVE: 'CVE-2014-6271'
       Info - Link: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271'
**Alert to be generated.


192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { foo:; };/usr/bin/perl ..."
**Phase 1: Completed pre-decoding.
       full event: '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { foo:; };/usr/bin/perl ..."'
       timestamp: '(null)'
       hostname: 'manager1'
       program_name: '(null)'
       log: '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { foo:; };/usr/bin/perl ..."'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '192.168.2.100'
       proto: 'GET'
       url: '/cgi-bin/test.sh'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31166'
       Level: '15'
       Description: 'Shellshock attack detected'
       Info - CVE: 'CVE-2014-6271'
       Info - Link: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271'
**Alert to be generated.
192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { ignored;};/usr/bin/perl ..."
**Phase 1: Completed pre-decoding.
       full event: '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { ignored;};/usr/bin/perl ..."'
       timestamp: '(null)'
       hostname: 'manager1'
       program_name: '(null)'
       log: '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { ignored;};/usr/bin/perl ..."'

**Phase 2: Completed decoding.
       decoder: 'web-accesslog'
       srcip: '192.168.2.100'
       proto: 'GET'
       url: '/cgi-bin/test.sh'
       id: '200'

**Phase 3: Completed filtering (rules).
       Rule id: '31166'
       Level: '15'
       Description: 'Shellshock attack detected'
       Info - CVE: 'CVE-2014-6271'
       Info - Link: 'https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271'
**Alert to be generated.

@frgv frgv requested a review from jesuslinares March 23, 2018 12:13
@jesuslinares (Contributor) commented:
The regex should be stricter:
https://github.com/wazuh/wazuh-ruleset/pull/115/files#diff-6393325546bc1b08a1de9a0bb8fc2e15R234

We want to detect:

  • () { gry;};
  • () { foo:; };
  • () { ignored;};

Please, check it.

Thanks.
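
To make the distinction in this thread concrete, below is an added example (my own code, not part of this PR and not the expressions used by Wazuh rules 31166/31167) that parses Apache combined access-log lines like the ones fed to logtest above and classifies the User-Agent and Referer fields into the two Shellshock variants. The two regexes are assumptions written for this example: one for the CVE-2014-6278 `() { _; } >_[$($())] {` form, checked first because it is the more specific, and one for the CVE-2014-6271 form that requires a complete function body, the closing brace and a trailing command, which is what keeps a bare `() {` or an unterminated `() { foo` from matching. The sample lines are constructed, modelled on the logtest input in the PR description and the three patterns listed in the review.

```python
import re
from typing import Optional

# Apache "combined" layout. Referer and User-Agent are the two trailing quoted
# fields, which is where Shellshock payloads show up in an access log.
ACCESS_LOG_RE = re.compile(
    r'^(?P<srcip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>.*)"$'
)

# Hypothetical detection patterns written for this example. They are NOT the
# regexes of rules 31166/31167; they only reproduce the classification that the
# logtest output in the PR shows.
#
# CVE-2014-6278: a function body followed by the ">_[$($())] {" sequence,
# e.g. "() { _; foo; } >_[$($())] { /usr/bin/perl ... }".
SHELLSHOCK_6278 = re.compile(r'\(\)\s*\{[^}]*\}\s*>_\[\$\(\$\(\)\)\]\s*\{')
# CVE-2014-6271: a complete definition "() { <body>; }" followed by ";" and a
# trailing command, e.g. "() { gry;};/usr/bin/perl" or "() { foo:; };/usr/bin/perl".
SHELLSHOCK_6271 = re.compile(r'\(\)\s*\{[^}]*;\s*\}\s*;\s*\S')

# Constructed sample lines (not real traffic), one per case worth checking.
SAMPLE_LINES = [
    '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { _; foo; } >_[$($())] { /usr/bin/perl ... }"',
    '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { _; } >_[$($())] { /usr/bin/perl ... }"',
    '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { gry; };/usr/bin/perl ..."',
    '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { foo:; };/usr/bin/perl ..."',
    '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { ignored;};/usr/bin/perl ..."',
    # Payload carried in the Referer instead of the User-Agent.
    '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "() { :; }; /bin/bash -c id" "curl/7.58.0"',
    # Benign browser request: must not alert.
    '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/59.0"',
    # Unterminated function prefix: bash never parses this as a definition.
    '192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { foo"',
]


def classify(line: str) -> Optional[dict]:
    """Return an alert dict for a Shellshock payload in the line, else None."""
    m = ACCESS_LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    for field in ('ua', 'referer'):
        value = fields[field]
        # The 6278 form is checked first: it is the more specific pattern.
        if SHELLSHOCK_6278.search(value):
            cve = 'CVE-2014-6278'
        elif SHELLSHOCK_6271.search(value):
            cve = 'CVE-2014-6271'
        else:
            continue
        return {
            'cve': cve,
            'srcip': fields['srcip'],
            'url': fields['url'],
            'field': field,
            'description': 'Shellshock attack detected',
        }
    return None


def scan(lines) -> list:
    """Classify every line and keep only the ones that produce an alert."""
    return [a for a in (classify(l) for l in lines) if a is not None]


if __name__ == '__main__':
    for alert in scan(SAMPLE_LINES):
        print(f"{alert['srcip']} {alert['url']} [{alert['field']}] -> {alert['cve']}")
```

Run with `python3 shellshock_accesslog.py`; the three review patterns and the Referer variant come out as CVE-2014-6271, the two `>_[$($())]` lines as CVE-2014-6278, and the browser line and the unterminated `() { foo` produce nothing.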

@jesuslinares jesuslinares changed the base branch from master to 3.2 May 14, 2018 15:45
@jesuslinares jesuslinares changed the base branch from 3.2 to master May 14, 2018 15:45
@jesuslinares jesuslinares merged commit 71a25a4 into master May 14, 2018
@jesuslinares jesuslinares deleted the fix_shellshock branch May 14, 2018 15:46
@jesuslinares (Contributor) commented:

Thanks @frgv !
