Guest

Preview Tool

Cisco Bug: CSCus87320 - Prevent snort from using 'only' modifier with http_xxx buffer modifiers.

Last Modified

Jul 23, 2018

Products (1)

  • Cisco Firepower Management Center

Known Affected Releases

4.10.3.9

Description (partial)

Symptom:
Rules with these modifiers will FP.

Conditions:
alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"OS-OTHER Bash CGI environment variable injection attempt"; flow:to_server,established; content:"() {"; fast_pattern:only; http_header; metadata:policy balanced-ips drop, policy security-ips drop, ruleset community, service http; reference:cve,2014-6271; reference:cve,2014-6277; reference:cve,2014-6278; reference:cve,2014-7169; classtype:attempted-admin; sid:31978; rev:4; )


Version 2.9.7 GRE (Build 159)
Bug details contain sensitive information and therefore require a Cisco.com account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.