Start Demo

The Platform

For Security

For Cloud

For IT Ops

Blog

More

Start the Democaret-right

Contact Uscaret-right
caret-left Back

ExtraHop Reveal(x)

Cloud-native visibility, detection, and
response for the hybrid enterprise.

Reveal(x) 360

SaaS-based network detection
and response.

Learn More

How It Workscaret-right

Reveal(x) Enterprise

Self-managed network detection
and response.

Learn More

How It Workscaret-right
caret-left Back

For Security

Protect and scale your business with complete visibility, real-time threat detections, and intelligent response.

Learn More

Comprehensive Inventory of All Devices

Detect Lateral Movement

Monitor Sensitive Data Movements

Respond to Alerts That Matter

Simple, Streamlined Threat Hunting

Next Generation Intrusion Detection System
caret-left Back

For Cloud

Secure rapid cloud adoption and maintain control of applications, workloads, and data in cloud or multi-cloud environments.

Learn More

Monitor Critical Cloud Workloads

Detect Supply Chain Attacks

Cloud Detection and Response

Respond to Alerts That Matter

Security for AWS

Security for Azure

Security for Google Cloud
caret-left Back

For IT Ops

Boost NOC/SOC collaboration and ensure availability and performance across your hybrid enterprise.

Learn More

Resolve Performance Issues

Support Distributed Workers

Reliably Scale to the Cloud

NetOps and SecOps Collaboration
caret-left Back

Blog

Learn More
caret-left Back

Customers

Partners

Resources

About Us

caret-left Back

Customers

Customer resources, training,
case studies, and more.

Visit Customer Portal

Support

Professional Services

Training

Solution Bundles Gallery

Community Forums

caret-left Back

Partners

Partner resources and information about our channel and technology partners.

Visit Partner Portal

Panorama Partner Program

Overwatch Managed NDR

Technology Integration Partners

Become a Partner

caret-left Back

Resources

Find white papers, reports, datasheets, and more by exploring our full resource archive.

All Resources

Customer Stories

Network Attack Library

Protocol Library

Documentation

Firmware

Training Videos

caret-left Back

About Us

See what sets ExtraHop apart, from our innovative approach to our corporate culture.

Learn More

The ExtraHop Difference

What Is Cloud-Native?

Careers

Newsroom

Upcoming Webinars and Events

Back Arrow Bundle Library

Shellshock over HTTP Bundle, DE Compatible

Description

UPDATE: Trigger now deals with null headers appropriately; Metrics have been separated into sent and received; Page to show network-wide activity has been added.

I think we've all read about the Shellshock Bash vulnerability by now. In case you haven't, I encourage you to read this great post by Troy Hunt titled Everything you need to know about the Shellshock Bash Bug.

This nasty bug has many attack vectors, but we are going to focus on arguably the most widespread one: HTTP. Getting an ExtraHop appliance to detect attempts at exploiting this bug over HTTP is not difficult, and so I made a bundle to do just that. This bundle adds an AI Trigger to record whenever an HTTP Header containing an exploit attempt is observed and stores both the client and server IP so you know where it came from and where it was destined; a Custom Page to chart these attempts over time; and an Alert to let you know when a attempt is made.

What you get

  • Triggers (1): HTTP Shellshock
  • Pages (2): HTTP Shellshock (Network-wide and per-Device)
    Shellshock activity dashboard
  • Alerts (2): HTTP Shellshock Sent and HTTP Shellshock Received

Caveats

There are a few caveats of which to be aware:

  • The trigger cannot detect vulnerable hosts if they are not talking -- though this at least means they are not actively being exploited!
  • The trigger doesn't detect whether the exploit attempt was successful -- it merely sees that one was attempted.
  • The trigger only detects attempts for HTTP (and HTTPS if SSL decryption is enabled and occurring on your appliance).

Installation Instructions

Download the bundle.

In DE, import the bundle -- the trigger and page will automatically be assigned where they need to be, but you will need to enable both of them. Once some traffic matching the exploit is passed, the chart on the 'HTTP Shellshock' page should show activity.

In the full product, import the bundle -- enable and assign the trigger, alert, and page to whatever devices you'd like to monitor for exploit attempts for Shellshock over HTTP. Once some traffic matching the exploit is passed, the chart on the 'HTTP Shellshock' page should show activity and an alert should fire.

+

ExtraHop uses cookies to improve your online experience. By using this website, you consent to the use of cookies. Learn More