Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make Shellshock pattern more generic. Detect ShellShock attacks on all HTTP status code responses. #479

Merged
merged 4 commits into from Dec 18, 2019
Merged

Make Shellshock pattern more generic. Detect ShellShock attacks on all HTTP status code responses. #479

merged 4 commits into from Dec 18, 2019

Conversation

iasdeoupxe
Copy link
Contributor

The text pattern could be everything like e.g.:

192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { something:; };/usr/bin/perl ..."

or:

192.168.2.100 - - [02/Nov/2015:01:35:55 +0100] "GET /cgi-bin/test.sh HTTP/1.1" 200 292 "-" "() { something; };/usr/bin/perl ..."

This change should catch more of these variants.

@iasdeoupxe iasdeoupxe mentioned this pull request Aug 23, 2019
Merged
@iasdeoupxe
Copy link
Contributor Author

In 17972c6 i have also updated the expected status code as a page might also redirect all requests to e.g. a login page or similar. This is covered already by rule 31108 so only the comment had to be updated.

@iasdeoupxe iasdeoupxe changed the title Make Shellshock pattern more generic Make Shellshock pattern more generic. Detect ShellShock attacks on 5xx status codes as well. Sep 2, 2019
@iasdeoupxe
Copy link
Contributor Author

6b28982 updated the rules to detect the ShellShock attacks on 50x status codes (e.g. 503 Service Unavailable) as well. A service might be currently unavailable (e.g. maintenance works) and alert should be thrown in this case.

@iasdeoupxe
Copy link
Contributor Author

iasdeoupxe commented Sep 2, 2019
edited

I'm also wondering if we shouldn't just use <if_sid>31100</if_sid> like in all other web vuln alters because the ShellShock attack is always happening independent from the returned HTTP status code.

Edit: Did this in 7b7e0ca

@iasdeoupxe iasdeoupxe changed the title Make Shellshock pattern more generic. Detect ShellShock attacks on 5xx status codes as well. Make Shellshock pattern more generic. Detect ShellShock attacks on all HTTP status code responses. Sep 2, 2019
@Lopuiz Lopuiz added this to In progress in Wazuh 3.11.0 via automation Sep 3, 2019
@Lopuiz Lopuiz moved this from In progress to Under review in Wazuh 3.11.0 Sep 3, 2019
@Lopuiz
Copy link
Contributor

Lopuiz commented Sep 3, 2019

Hello @iasdeoupxe

Thank you so much for your contribution.
This PR will stay in the 3.11 project because of 3.10 project is just closed.
we will review it as soon as possible.

Regards,
Eva

@iasdeoupxe
Copy link
Contributor Author

@Lopuiz Any updates on a review? Three months for such a minor change is a quite long time frame 😢

@Lopuiz Lopuiz changed the base branch from 3.10 to 3.11 December 17, 2019 14:24
@Lopuiz Lopuiz self-requested a review December 18, 2019 11:20
@Lopuiz Lopuiz changed the base branch from 3.11 to 3.12 December 18, 2019 11:21
@chemamartinez
Copy link
Contributor

Hi @iasdeoupxe,

Sorry for the late reviews of your contributions. They are really appreciated as always.

We always try to attend the opened issues and pull requests from the users as soon as possible, but, unfortunately our resources are limited. We are working hard to decrease our response timeframe as well.

I hope you understand it, and thank you again. Don't hesitate to ping us whether this situation happens again.

Best regards,
Chema.

@chemamartinez chemamartinez removed this from Under review in Wazuh 3.11.0 Dec 18, 2019
@chemamartinez chemamartinez added this to In progress in Wazuh 3.12.0 via automation Dec 18, 2019
@chemamartinez chemamartinez merged commit 12c8361 into wazuh:3.12 Dec 18, 2019
Wazuh 3.12.0 automation moved this from In progress to Done Dec 18, 2019
@iasdeoupxe iasdeoupxe deleted the patch-1 branch December 19, 2019 16:39
@k3an3
Copy link

k3an3 commented Jan 6, 2020

Is this really necessary? Seeing a shellshock attempt log event says nothing about whether it was successful. I have Wazuh running on public-facing servers, and naturally there are several attempts by bots every day, and the email notifications are now going crazy. In my case, the response codes seem to be 301s (which a commit here added recently).

I realize that I can turn this off iln my instance, but I am wondering if an exploit attempt should really be worthy of a level 15 alert when there is no indication of success. Else, it's going to create a lot of false positives on production machines.

@Lopuiz
Copy link
Contributor

Lopuiz commented Jan 8, 2020

Hello @k3an3

We are solving it.
Apologies the inconvenient it caused.

Best regards,
Eva

@Lopuiz Lopuiz mentioned this pull request Jan 8, 2020
Merged
@iasdeoupxe iasdeoupxe mentioned this pull request Jan 10, 2020
Closed
@chemamartinez chemamartinez removed this from Done in Wazuh 3.12.0 Jan 16, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Lopuiz Lopuiz Lopuiz approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@iasdeoupxe @Lopuiz @chemamartinez @k3an3