[Oisf-users] Question about observation
Greg Grasmehr
greg.grasmehr at caltech.edu
Fri Dec 22 00:35:26 UTC 2017
Hello Michal,
Sorry no, the box is production now and the pcap long gone, and I don't
believe sharing a snapshot of our network data would be acceptable
anyway unless it was sanitized, but you can likely repeat my findings by
running a dump and, from a remote system, triggering rule id 2019232, which
is located in emerging-web_server.rules.
This is how I triggered it.
curl -k -H 'User-Agent: () { :;};echo; /bin/bash -c " echo 2014 | sha2565sum"' http://redactedIP
curl -k -H 'User-Agent: () { :;};echo; /bin/bash -c " echo 2014 | sha2565sum"' http://redactedDomainName/cgi-bin/redacted.pl
I reviewed the pcap data and could not find anything different between
each subsequent *malicious* request as far as the ASCII data, but I may
have missed something as I did not excruciatingly review all the hex.
Greg
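As an added example, not part of Greg's message or of the ET ruleset, the following Python script parses raw HTTP requests shaped like the ones the curl commands above put on the wire and flags any header whose value begins with the Shellshock (CVE-2014-6271) exported-function prologue `() {`. The two sample requests are constructed (the host names are the placeholders from the message, not real targets), and the regular expression is an approximation of what a header-inspection rule such as 2019232 looks for; the rule's actual content is not on this page and is assumed.

```python
import re

# Constructed sample: what the second curl command in the message sends,
# with the redacted host kept as a placeholder.
SHELLSHOCK_PROBE = (
    "GET /cgi-bin/redacted.pl HTTP/1.1\r\n"
    "Host: redactedDomainName\r\n"
    "User-Agent: () { :;};echo; /bin/bash -c \" echo 2014 | sha2565sum\"\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Constructed sample: an ordinary curl request to the same CGI, which should
# not be flagged.
BENIGN_REQUEST = (
    "GET /cgi-bin/redacted.pl HTTP/1.1\r\n"
    "Host: redactedDomainName\r\n"
    "User-Agent: curl/7.58.0\r\n"
    "Accept: */*\r\n"
    "\r\n"
)

# Bash only treats an environment variable as an exported function when its
# value starts with "() {", so the pattern is anchored at the start of the
# header value and tolerates whitespace variations such as "(){" or "() {".
# This is an assumed approximation of the signature, not the ET rule text.
SHELLSHOCK_RE = re.compile(r"^\(\)\s*\{")


def parse_headers(raw):
    """Split a raw HTTP request into (request_line, [(name, value), ...]).

    Malformed header lines without a colon are skipped rather than raising,
    so a single odd line does not stop inspection of the rest.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    request_line = lines[0]
    headers = []
    for line in lines[1:]:
        if not line:
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        headers.append((name.strip(), value.strip()))
    return request_line, headers


def find_shellshock_headers(raw):
    """Return every (name, value) header pair carrying the function prologue.

    Any header is inspected, not just User-Agent, because CGI exports many
    request headers (Referer, Cookie, ...) into the environment of the script.
    """
    _, headers = parse_headers(raw)
    return [(name, value) for name, value in headers if SHELLSHOCK_RE.search(value)]


if __name__ == "__main__":
    for label, request in (("probe", SHELLSHOCK_PROBE), ("benign", BENIGN_REQUEST)):
        hits = find_shellshock_headers(request)
        print(f"{label}: {'ALERT ' + repr(hits) if hits else 'clean'}")
```

Running the script reports the User-Agent of the probe and nothing for the benign request. Note that this is what the alert keys on: the prologue in the header, not the command that follows it, which is why repeated probes with identical ASCII payloads look the same in the pcap.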