"This script detects successful exploitation of the Bash vulnerability with CVE-2014-6271 nicknamed "ShellShock". It's more comprehensive than most of the detections around in that it's watching for behavior from the attacked host that might indicate successful compromise or actual vulnerability."
Seth has updated these scripts again today to "Add shellscripts as a post-exploit detection mechanism.":
I've updated the securityonion-bro-scripts package to include these changes. I've also updated the securityonion-web-page package to include some ELSA queries for "ShellShock Exploits" and "ShellShock Scanners".
New package versions:
securityonion-bro-scripts - 20121004-0ubuntu0securityonion38
securityonion-web-page - 20120722-0ubuntu0securityonion25
Issue 618: securityonion-bro-scripts: ShellShock Add shellscripts as a post-exploit detection mechanism
Issue 617: securityonion-web-page: add queries for Bro ShellShock Notices
Issue 583: securityonion-web-page: update "All OSSEC Logs" query
Issue 599: securityonion-web-page: highlight current ELSA query
The new packages are now available in our stable repo. Please see the following page for full update instructions:
To apply the new Bro ShellShock detection, you'll need to restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro
|Restarting Bro with "sudo nsm_sensor_ps-restart --only-bro"|
|New ELSA Query for Notice - ShellShock Exploits|
|New ELSA Query for Notice - ShellShock Scanners|
If you have any questions or problems, please use our security-onion mailing list:
Only 15 seats left for the 3-day Security Onion class in Richmond VA!
Need commercial support? Please see:
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
We especially need help in answering support questions on the mailing list:
We also need help testing new packages: