On Wednesday, NIST released information about a vulnerability in the GNU Bash shell that enables remote attackers to execute arbitrary code on the target system. For details, I recommend this excellent post from Troy Hunt: Everything you need to know about the Shellshock Bash Bug.
One of the especially worrisome aspects of this vulnerability is that it enables remote attackers to compromise web servers running on Linux and Unix, such as Apache. There are many attack vectors, but HTTP is arguably going to be the most widespread and dangerous because attackers can come from anywhere on the Internet.
In response, ExtraHop has published a bundle that detects and charts attempts to exploit the Shellshock bug over HTTP. The bundle contains three things:
- An Application Inspection Trigger to record whenever an HTTP header containing an exploit attempt is observed. This trigger stores both the client and server IP so you know where it came from and where it was destined.
- A custom page to chart these attempts over time.
- An alert to let you know when an attempt is made.
If you already have an ExtraHop, go to the the ExtraHop Solution Bundles Gallery to read instructions on how to download and install the bundle. If you are not yet an ExtraHop user, now is a great time to try our free, interactive demo.