Thanks Dan,
As far as the log portion goes, can you make any sense of this? These are
from other Shellshock exploit attempt alerts. What exactly is going on here?
20:22:37.287 -0500 191.101.6.217 "-" POST "-" "-" /cgi-sys/defaultwebpage.cgi () { _; OpenVAS; } >_[$($())] { echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id;
2016-03-14 20:22:40.566 -0500 191.101.6.217 "-" GET "-" "-" /cgi-sys/FormMail-clone.cgi () { OpenVAS:; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id;
I really appreciate your help. This is all new to me.
J~
On Thursday, March 10, 2016 at 4:36:09 AM UTC-6, dan (ddpbsd) wrote:
>
>
> On Mar 10, 2016 5:32 AM, "Johnny InfoSec" <[email protected]> wrote:
> >
> > Greetings,
> >
> > As a new OSSEC user, I have found some of the alerts difficult to make
> sense of. Is there any documentation (or decoder ring :-)) that helps with
> this?
> >
> > Trying to make sense of some of the different sections in the below
> alert:
> >
> > OSSEC HIDS Notification.
> >
>
> This is the subject.
>
> > 2016 Mar 08 21:00:02
> >
> >
>
> Timestamp
>
> >
> > Received From: .log
> >
>
> Where the log triggering the alert originated.
>
> > Rule: 100032 fired (level 13) -> "Shellshock Exploit Attempt"
> >
>
> The rule ID, level, and description.
>
> > Portion of the log(s):
> >
> >
> >
> > Mar 8 21:00:01 ??? WAF src= spt=13006 dst=??? dpt=443 actionTaken=CLOAK
> attackDescription=UNRECOGNIZED_COOKIE attackDetails=[Cookie\="echo"
> Service-created\="211 days back" Reason\="No valid encrypted pair"]
> attackGroup=ATTACK_CATEGORY_SESSION_TAMPER attackId=29030 logType=WF
> app=HTTPS request=.net/ requestMethod=GET rt=1457492380066
> userAgent="User-Agent: () { :;}; echo; echo "QPZVGMTHKAYNGZV" " referer=()
> { :;}; echo; echo "QPZVGMTHKAYNGZV"
> >
>
> The log that triggered the alert.
>
> >
> > If someone could help me break this alert down (i.e. each section/label)
> that would be much appreciated.
> >
> >
> > J~
> >
> > --
> >
> > ---
> > You received this message because you are subscribed to the Google
> Groups "ossec-list" group.
> > To unsubscribe from this group and stop receiving emails from it, send
> an email to [email protected].
> > For more options, visit https://groups.google.com/d/optout.
>
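Added example, not from the thread and not OSSEC code: a small Python script that pulls apart probe strings shaped like the ones quoted above. The sample lines are constructed here, modelled on the quoted log entries and the WAF userAgent/referer fields, not real captured traffic. It splits each hit into the bash function definition ("() { ... }", which is all bash should have kept) and the trailing text after the closing brace (what a vulnerable bash executed while importing the variable), flags the "OpenVAS" marker string, and notes whether the probe ends by running id, which is the attacker's or scanner's way of confirming code execution.

```python
"""Pull apart Shellshock-style probe strings like the ones quoted in this thread.

Added example, not OSSEC code and not the poster's own logs: the sample lines
are constructed here, modelled on the quoted log entries and WAF fields.
"""
import re
from typing import Optional

# The Shellshock trigger is a bash function definition, "() {", sitting where a
# header value, query string or cookie should be. Whitespace is optional.
FUNC_DEF = re.compile(r"\(\)\s*\{")

# Constructed sample lines (modelled on the thread, not real traffic).
SAMPLE_LINES = [
    '/cgi-sys/defaultwebpage.cgi () { _; OpenVAS; } >_[$($())] { echo '
    'Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; '
    'export PATH; id;',
    '/cgi-sys/FormMail-clone.cgi () { OpenVAS:; }; echo Content-Type: '
    'text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; id;',
    'userAgent="User-Agent: () { :;}; echo; echo "QPZVGMTHKAYNGZV" "',
    'GET /index.html userAgent="Mozilla/5.0"',  # benign, should not match
]


def split_probe(line: str) -> Optional[dict]:
    """Return the parts of a Shellshock probe, or None when there is no "() {".

    prefix   - what came before the function definition (URI, header name, ...)
    body     - text inside the braces; this is all bash *should* keep
    payload  - text after the closing brace; vulnerable bash executed this
               while importing the variable, which is the whole bug
    commands - payload split on ';'
    scanner  - body carries the "OpenVAS" marker string
    runs_id  - the probe runs `id` to prove code execution
    """
    m = FUNC_DEF.search(line)
    if not m:
        return None
    start = m.end() - 1          # index of the opening brace
    depth = 0
    body, payload = line[start + 1:].strip(), ""   # fallback: brace never closed
    for i in range(start, len(line)):
        if line[i] == "{":
            depth += 1
        elif line[i] == "}":
            depth -= 1
            if depth == 0:
                body = line[start + 1:i].strip()
                payload = line[i + 1:].lstrip(";").strip()
                break
    commands = [c.strip() for c in payload.split(";") if c.strip()]
    return {
        "prefix": line[:m.start()].strip(),
        "body": body,
        "payload": payload,
        "commands": commands,
        "scanner": "OpenVAS" in body,
        "runs_id": "id" in commands,
    }


def scan(lines) -> list:
    """Return the parsed probes for every line that carries a function definition."""
    return [p for p in (split_probe(l) for l in lines) if p is not None]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        kind = "scanner (OpenVAS marker)" if hit["scanner"] else "unknown source"
        print(f"{hit['prefix']!r}: {kind}; body={hit['body']!r}; "
              f"runs id={hit['runs_id']}; payload={hit['payload']!r}")
```

The thing to match on is the "() {" function definition itself, not the trailing ":;};": the second quoted probe closes its body with "} >_[$($())] {" rather than "};", so a pattern keyed on ":;};" would miss it while the script above still catches it. When such a probe succeeds, the uid=... output of id comes back in the HTTP response body, which is why the probes first emit a Content-Type header and blank lines.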