bash is not link layer. Put the mod_sec rules in and patch bash. iptables can do pattern matching, but someone's already written the mod_sec rules for you, and I suspect it has vastly better protocol decoding capabilities.
(Sounds like more bash patches on the way according to Michal Zalewski, so both mod_sec rules and patching are preferred rather than either in isolation.)

cheers,
 Jamie

On 27 September 2014 17:28, John Crout <john.cr...@gmail.com> wrote:
> Are both of these true?
> Modsecurity is an Application layer firewall, and bash (any shell) is Link
> Layer?
>
> Maybe an iptables ruleset?
>
> John Crout
> - via phone
>
> On Sep 26, 2014 5:16 PM, "Joshua Roback" <jrob...@gmail.com> wrote:
>>
>> http://seclists.org/oss-sec/2014/q3/650
>>
>> https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/
>>
>> http://www.csoonline.com/article/2687265/application-security/remote-exploit-in-bash-cve-2014-6271.html
>>
>> Has anyone come across a ModSec rule for this new CVE?
>>
>> --
>> Joshua Roback
>>
>> _______________________________________________
>> Owasp-modsecurity-core-rule-set mailing list
>> Owasp-modsecurity-core-rule-set@lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-modsecurity-core-rule-set

--
Jamie Riden / ja...@honeynet.org / jamie.ri...@gmail.com
http://uk.linkedin.com/in/jamieriden
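
For readers looking for the kind of rule the thread asks about, here is an added example. It is not taken from any message in this thread and is not an official Core Rule Set rule. The rule ids are constructed placeholders, and the pattern assumes that the marker to catch is a value beginning with bash's function-definition prefix "() {".

```apache
# Added example: local ModSecurity rules for CVE-2014-6271.
# The ids below are constructed placeholders; renumber them to fit
# your own local rule range. Requires "SecRuleEngine On".
# Assumption: an environment value that begins with "() {" is what
# an unpatched bash parses as a function definition.

# Request headers are handed to CGI programs as HTTP_* environment
# variables, so inspect every decoded header value in phase 1.
SecRule REQUEST_HEADERS "@rx ^\(\)\s*\{" \
    "id:10001,phase:1,t:none,t:urlDecodeUni,deny,status:400,log,\
    severity:'CRITICAL',\
    msg:'CVE-2014-6271 bash function definition in request header',\
    logdata:'%{MATCHED_VAR_NAME}'"

# The request line carries the URI and query string. The marker can
# sit anywhere inside it, so this pattern is not anchored.
SecRule REQUEST_LINE "@rx \(\)\s*\{" \
    "id:10002,phase:1,t:none,t:urlDecodeUni,deny,status:400,log,\
    severity:'CRITICAL',\
    msg:'CVE-2014-6271 bash function definition in request line'"

# Parameter names and values (query string and request body), which
# an application may copy into the environment of a child process.
# Body parameters are only available from phase 2 onwards.
SecRule ARGS_NAMES|ARGS "@rx ^\(\)\s*\{" \
    "id:10003,phase:2,t:none,t:urlDecodeUni,deny,status:400,log,\
    severity:'CRITICAL',\
    msg:'CVE-2014-6271 bash function definition in parameter',\
    logdata:'%{MATCHED_VAR_NAME}'"
```

Because these rules run on the parsed request rather than on individual packets, they also apply to HTTPS traffic that the web server has already decrypted, which a packet-level string match cannot inspect.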