Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?

2014-10-04 Thread Robert Moerman
Thanks very much, I've added the rule. Appreciate the assistance!

On Sat, Oct 4, 2014 at 9:30 AM, Michael Starks wrote:
> On 10/04/2014 05:30 AM, Jan Andrasko wrote:
> > Rob,
> >
> > issue with your rule was that this string is not part of url. It is
> > usually in place of user agent, which is

Re: [ossec-list] OSSEC rule for Shellshock CGI attacks?

2014-10-03 Thread Robert Moerman
Michael, I'm not sure of anything, which is why I posted :) I'm going to try Jan's suggestion using Regex.

On Friday, October 3, 2014 10:31:32 AM UTC-4, Michael Starks wrote:
>
> On 2014-10-02 8:08, Robert Moerman wrote:
> > Hello,
> >
> > I'

[ossec-list] OSSEC rule for Shellshock CGI attacks?

2014-10-02 Thread Robert Moerman
Hello,

I've been trying to write a rule to detect CGI-based shellshock attacks via the apache log parser, but I find the signature doesn't fire (even when I see the string in the apache logs):

*Detect "() { :; };" in url string*

31100 () { :; }; Shellshock Attempt attack