Yesterday, a vulnerability in bash was announced and I wrote a quick blog post on updating your Security Onion sensors to the latest version of bash:
http://blog.securityonion.net/2014/09/bash-vulnerability.html
There are most likely other issues, so expect additional updates to bash in the near future.
To monitor your network for exploit attempts, IDS signatures are now available from Snort VRT and Emerging Threats (ET). Assuming you have PulledPork configured correctly, you should have received the VRT and/or ET rules in your rule update this morning.
https://www.snort.org/advisories/vrt-rules-2014-09-24.html
(copied from link above)
1:31978 <-> ENABLED <-> OS-OTHER Bash CGI environment variable injection attempt (os-other.rules)
1:31977 <-> ENABLED <-> OS-OTHER Bash CGI environment variable injection attempt (os-other.rules)
1:31976 <-> ENABLED <-> OS-OTHER Bash CGI environment variable injection attempt (os-other.rules)
1:31975 <-> ENABLED <-> OS-OTHER Bash CGI environment variable injection attempt (os-other.rules)
http://emergingthreats.net/daily-ruleset-update-summary-09242014/
(copied from link above)
2019231 – ET WEB_SERVER Possible CVE-2014-6271 Attempt in URI (web_server.rules)
2019232 – ET WEB_SERVER Possible CVE-2014-6271 Attempt in Headers (web_server.rules)
2019233 – ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body (web_server.rules)
2019234 – ET WEB_SERVER Possible CVE-2014-6271 Attempt in Client Body 2 (web_server.rules)
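To confirm that the rule update actually delivered these signatures, the following added example (not part of the original post) checks a rules file for the eight SIDs listed above and reports each as enabled, disabled (commented out) or missing. It assumes you pass the merged rules file that PulledPork writes on your sensor as the first argument; that path is not given in the post, and the function names and sample rule lines are constructed for illustration.

```shell
#!/bin/sh
# SIDs from the VRT and ET rule lists quoted in the post.
SHELLSHOCK_SIDS="31975 31976 31977 31978 2019231 2019232 2019233 2019234"

# sid_status FILE SID: prints enabled, disabled or missing.
sid_status() {
    # Rule lines carry "sid:<n>;" in their option list.
    matches=$(grep -E "sid:[[:space:]]*$2;" "$1" || true)
    if [ -z "$matches" ]; then
        echo missing
    elif printf '%s\n' "$matches" | grep -Evq '^[[:space:]]*#'; then
        echo enabled    # at least one uncommented copy of the rule
    else
        echo disabled   # present, but only as a commented-out line
    fi
}

# report FILE: one "SID status" line per SID.
report() {
    for sid in $SHELLSHOCK_SIDS; do
        echo "$sid $(sid_status "$1" "$sid")"
    done
}

# not_enabled FILE: prints how many of the SIDs are not enabled.
not_enabled() {
    report "$1" | grep -cv ' enabled$' || true
}

# Constructed sample: rule bodies are placeholders, only the sid matters here.
make_sample() {
    cat > "$1" <<'EOF'
alert tcp any any -> any any (msg:"constructed placeholder"; sid:31978; rev:1;)
# alert tcp any any -> any any (msg:"constructed placeholder"; sid:31977; rev:1;)
alert tcp any any -> any any (msg:"constructed placeholder"; sid:2019231; rev:1;)
alert tcp any any -> any any (msg:"constructed placeholder"; sid:2019232; rev:1;)
EOF
}

# Usage: pass the merged rules file; with no argument the sample is used.
rules=${1:-}
if [ -z "$rules" ]; then
    rules=$(mktemp)
    make_sample "$rules"
fi
report "$rules"
```

A SID reported as disabled or missing means the sensor will not alert on that signature until the rule is enabled and the rules are reloaded.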
Also, a Bro script is now available from Critical Stack and Hectaman:
https://github.com/CriticalStack/bro-scripts
UPDATE 20140925 14:04
Here's another Bro script from Broala and Seth Hall:
https://github.com/broala/bro-shellshock
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
UPDATE 20140925 16:37
Please see Part 3:
http://blog.securityonion.net/2014/09/bash-vulnerability-part-3.html