Friday, September 26, 2014

Bash Vulnerability Part 5: ShellShock rules in Snort Community ruleset

This is a continuation of the ShellShock posts from the last few days:
http://blog.securityonion.net/2014/09/bash-vulnerability.html
http://blog.securityonion.net/2014/09/bash-vulnerability-part-2.html
http://blog.securityonion.net/2014/09/bash-vulnerability-part-3.html
http://blog.securityonion.net/2014/09/bash-vulnerability-part-4-another.html

If you're running the Snort VRT ruleset, please read this post in its entirety.

The Snort VRT added some ShellShock rules to the Community ruleset:
http://blog.snort.org/2014/09/snort-community-ruleset-out-of-band.html

If you look at your current /etc/nsm/pulledpork/pulledpork.conf file, you'll see that the Snort Community ruleset line is not enabled (or missing altogether if it's been a while since you ran Setup).  I've updated Setup so that when you run Setup and choose Snort VRT, it will also enable the Snort Community ruleset.  If you've already run Setup, the new Setup package will check your existing pulledpork.conf file and add/enable the Snort Community ruleset if necessary.
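One way to run the same check by hand on a sensor, as an added example that is not Security Onion's Setup code. The rule_url value and the function names are assumptions (a sample line in PulledPork's url|tarball|oinkcode format); compare it with the line in your own pulledpork.conf before using it.

```shell
#!/bin/sh
# Added example, not Security Onion's Setup code.
# ASSUMPTION: sample Community rule_url in PulledPork's url|tarball|oinkcode
# format; compare it with the line in your own pulledpork.conf before use.
COMMUNITY_LINE='rule_url=https://s3.amazonaws.com/snort-org/www/rules/community/|community-rules.tar.gz|Community'
MATCH='rule_url=.*\|community-rules\.tar\.gz\|'

# Print "enabled", "disabled" (present but commented out) or "missing".
community_status() {
    if grep -Eq "^[[:space:]]*$MATCH" "$1"; then
        echo enabled
    elif grep -Eq "^[[:space:]]*#+[[:space:]]*$MATCH" "$1"; then
        echo disabled
    else
        echo missing
    fi
}

# Enable the Community ruleset if needed; the original is kept as <file>.bak.
# Safe to run repeatedly: an already enabled file is left untouched.
enable_community() {
    conf=$1
    case $(community_status "$conf") in
        enabled)
            return 0 ;;
        disabled)
            cp -p "$conf" "$conf.bak"
            # Strip the leading comment marker from the community line only.
            sed -E "s/^[[:space:]]*#+[[:space:]]*($MATCH.*)$/\1/" "$conf.bak" > "$conf" ;;
        missing)
            cp -p "$conf" "$conf.bak"
            printf '%s\n' "$COMMUNITY_LINE" >> "$conf" ;;
    esac
}

# Usage: sh check_community.sh /etc/nsm/pulledpork/pulledpork.conf
if [ $# -gt 0 ]; then
    community_status "$1"
fi
```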

I've submitted securityonion-setup - 20120912-0ubuntu0securityonion122 for testing:
https://groups.google.com/d/topic/security-onion-testing/W_R_ejUc-Z4/discussion

If you're not already a member of the security-onion-testing Google Group, please join the group and help us test this new package so we can get it released as quickly as possible.

Thanks!

[Image: Setup updating pulledpork.conf]
[Image: Snorby displaying ShellShock alert from Snort Community ruleset]

UPDATE 20140927 07:59
Please see:
http://blog.securityonion.net/2014/09/new-securityonion-bro-scripts.html

UPDATE 20140929 08:25
The new Setup package has been tested and published:
http://blog.securityonion.net/2014/09/new-setup-package-adds-snort-community.html
