Question
There are lots of posts regarding the shellshock vulnerability. I can understand the vulnerability in detail.
However, I'm curious about why any intrusion detection system or host-based tool (e.g., antivirus systems) fails to detect it?
Some answers may be that Snort does not have the appropriate signature, but at least there should be some other symptoms from which network administrators should understand that something abnormal is going on in their network, such as the HTTP user agent string differing (host-based solutions check that, right?), outbound traffic increasing abnormally, or the number of processes or memory usage at the web servers increasing beyond the usual boundaries.
Explanation / Answer
- The contents of a shellshock attack are technically valid web server requests. You could aggressively cull them (by looking for strings which could possibly be a shellshock attack and blocking them), but it would have limitations for legitimate applications (such as those which need to work with binary data that may happen to fit a shellshock signature).
- There would be exactly as many detectable side effects as there would be. The actual attack would be virtually invisible in the noise, but you would see standard behavioral changes. However, in cases such as an APT with a competent attacker, you'll find that the attackers are well versed in what admins look for in network traffic and are willing to take their time, keeping their effects in the noise.
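To make the first point of the answer concrete, here is an added example (not part of the original question or answer) of the kind of "aggressive cull" it describes: a scanner that parses raw HTTP requests and flags any header value that begins with the empty Bash function definition `() {`, which is the publicly known Shellshock marker. The sample requests, client addresses and header names are constructed for the example; the third request shows the answer's caveat, a legitimate header carrying a JavaScript snippet that happens to match the same pattern and is therefore flagged as a false positive.

```python
import re
from collections import Counter
from dataclasses import dataclass

# A header value that starts with "() {" is the classic Shellshock indicator:
# CGI servers exported request headers into the environment, and vulnerable
# Bash parsed such values as function definitions. We match only the prefix,
# never the payload, because that is all a string-based cull can key on.
SHELLSHOCK_MARKER = re.compile(r"^\s*\(\)\s*\{")


@dataclass(frozen=True)
class Finding:
    client: str   # source address the request came from
    header: str   # lower-cased header name that matched
    value: str    # the offending header value, for the analyst's review


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into its request line and a header dict.

    Header names are lower-cased so 'User-Agent' and 'user-agent' compare equal.
    Parsing stops at the blank line that separates headers from the body.
    """
    lines = raw.split("\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def scan_request(client: str, raw: str):
    """Return a Finding for every header in one request that carries the marker."""
    _, headers = parse_request(raw)
    return [
        Finding(client, name, value)
        for name, value in headers.items()
        if SHELLSHOCK_MARKER.match(value)
    ]


def scan_all(requests):
    """Scan (client, raw_request) pairs and return all findings in order."""
    findings = []
    for client, raw in requests:
        findings.extend(scan_request(client, raw))
    return findings


def hits_per_client(findings):
    """Count matches per source address, the crude per-host signal an admin
    might threshold on; it says nothing about whether the match was real."""
    return Counter(f.client for f in findings)


# Constructed sample traffic (documentation-range addresses, invented hosts).
# Request 1: marker in User-Agent, the common CGI delivery point.
# Request 2: ordinary browser request, must not match.
# Request 3: a benign custom header carrying a JS function body; it matches
#            the same prefix, which is the false positive the answer warns about.
SAMPLE_REQUESTS = [
    ("198.51.100.7",
     "GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
     "User-Agent: () { :; }; ...\r\n\r\n"),
    ("203.0.113.9",
     "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
    ("192.0.2.44",
     "POST /api/hook HTTP/1.1\r\nHost: www.example.com\r\n"
     "X-Callback: () { return 1; }\r\n\r\n"),
]


if __name__ == "__main__":
    for f in scan_all(SAMPLE_REQUESTS):
        print(f"{f.client:14} {f.header:12} {f.value}")
    print(dict(hits_per_client(scan_all(SAMPLE_REQUESTS))))
```

Running it flags both the first and the third request, which is exactly the trade-off the answer describes: the string check is cheap and catches the canonical form, but it cannot distinguish an attack from legitimate data that shares the prefix, so in practice the finding is a lead for an analyst (or a per-source threshold) rather than a block on its own.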