As a followup to our Shellshock over HTTP bundle, we are pleased to provide an equivalent bundle for detecting and charting Shellshock exploit attempts via DHCP over time. The ability to parse DHCP is made possible by a new key feature in ExtraHop v4.0: Universal Payload Analysis. For more information about ExtraHop v4.0 and its features visit the ExtraHop Platform page.
Using Universal Payload Analysis, parsing most unsupported TCP and UDP protocols is now possible, lending to the possibility for quickly analyzing such traffic for exploits like Shellshock.
What you get
- Triggers (1): DHCP Shellshock
- Pages (2): DHCP Shellshock (Network-wide and per-Device)
- Alerts (2): DHCP Shellshock Sent and DHCP Shellshock Received
- Dashboards (1): DHCP Shellshock (Network-wide)
There are a few caveats of which to be aware:
- The trigger cannot detect vulnerable hosts if they are not talking -- though this at least means they are not actively being exploited!
- The trigger doesn't detect whether the exploit attempt was successful -- it merely sees that one was attempted.
- The trigger only detects attempts for DHCP.
- Download the bundle.
- In the full product, import the bundle -- enable and assign the trigger, alerts, and pages to whatever devices you'd like to monitor for exploit attempts for Shellshock over DHCP. Once some traffic matching the exploit is passed, the chart on the 'DHCP Shellshock' pages and 'DHCP Shellshock' dashboard should show activity and an alert should fire.