"This script detects successful exploitation of the Bash vulnerability with CVE-2014-6271 nicknamed "ShellShock". It's more comprehensive than most of the detections around in that it's watching for behavior from the attacked host that might indicate successful compromise or actual vulnerability."
https://github.com/broala/bro-shellshock
http://blog.securityonion.net/2014/09/bash-vulnerability-part-3.html
http://blog.securityonion.net/2014/09/new-securityonion-bro-scripts.html
http://blog.securityonion.net/2014/09/securityonion-bro-scripts-now-detects.html
Seth has updated these scripts again today to "Add shellscripts as a post-exploit detection mechanism.":
https://github.com/broala/bro-shellshock/commit/4be009f9b7bf8ce9b99533cb4c7b8dd76aba87b7
I've updated the securityonion-bro-scripts package to include these changes. I've also updated the securityonion-web-page package to include some ELSA queries for "ShellShock Exploits" and "ShellShock Scanners".
New package versions:
securityonion-bro-scripts - 20121004-0ubuntu0securityonion38
securityonion-web-page - 20120722-0ubuntu0securityonion25
Issues Resolved
Issue 618: securityonion-bro-scripts: ShellShock Add shellscripts as a post-exploit detection mechanism
https://code.google.com/p/security-onion/issues/detail?id=618
Issue 617: securityonion-web-page: add queries for Bro ShellShock Notices
https://code.google.com/p/security-onion/issues/detail?id=617
Issue 583: securityonion-web-page: update "All OSSEC Logs" query
https://code.google.com/p/security-onion/issues/detail?id=583
Issue 599: securityonion-web-page: highlight current ELSA query
https://code.google.com/p/security-onion/issues/detail?id=599
Updating
The new packages are now available in our stable repo. Please see the following page for full update instructions:
https://code.google.com/p/security-onion/wiki/Upgrade
To apply the new Bro ShellShock detection, you'll need to restart Bro as follows:
sudo nsm_sensor_ps-restart --only-bro
Screenshots
Update Process |
Restarting Bro with "sudo nsm_sensor_ps-restart --only-bro" |
New ELSA Query for Notice - ShellShock Exploits |
New ELSA Query for Notice - ShellShock Scanners |
Feedback
If you have any questions or problems, please use our security-onion mailing list:
https://code.google.com/p/security-onion/wiki/MailingLists
Training
Only 15 seats left for the 3-day Security Onion class in Richmond VA!
https://security-onion-class-20141020.eventbrite.com/
Commercial Support
Need commercial support? Please see:
http://securityonionsolutions.com
Help Wanted
If you and/or your organization have found value in Security Onion, please consider giving back to the community by joining one of our teams:
https://code.google.com/p/security-onion/wiki/TeamMembers
We especially need help in answering support questions on the mailing list:
http://groups.google.com/group/security-onion
We also need help testing new packages:
http://groups.google.com/group/security-onion-testing
Thanks!
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.