Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

False Positive on Sig 4689/1 Bash Environment Variable Command Injection

I am seeing what I believe is false positives on Sig 4689/1 outbound from our network. When I look at the traffic capture from events it does not seem to match inbound traffic events that fire on the same signature. The inbound traffic looks very much like what I think is the exploit code for the Bash injection vulnerability. 


Any one else seeing this on their systems?



New Member

I'm seeing things like this.

I'm seeing things like this. Whenever I look up the victim IPs they resolve to Amazon servers. It looks like a false positive to me also.

event_id = 1360033965674082135

severity = high

device_name = xxxxxxx

app_name = sensorApp

receive_time = 09/28/2014  06:32:59

event_time = 09/28/2014 10:33:29

sensor_local_time = 09/28/2014 06:33:29

sig_id = 4689

subsig_id = 1

sig_name = Bash Environment Variable Command Injection sig_details = CVE-2014-6271 sig_version = S824 attacker_ip = attacker_port = 50986 attacker_locality = OUT victim_ip = victim_port = 80 victim_os = unknown unknown (relevant) victim_locality = OUT summary_count = 0 initial_alert_id = summary_type = is_final_alert = interface = GigabitEthernet0/1 vlan = 0 virtual_sensor = vs0 context = bGVicml0eWJhYmllcy5wZW9wbGUuY29tJTdDYWlkJTNEMjA4OTQ1JTdDY2glM0RiYWJpZXMlN0NzY2glM0RuZXdzJTdDcHR5cGUlM0Rjb250ZW50JTdDY3R5cGUlM0RibG9nJTdDcGFnZSUzRDElN0NzdWJqJTNEYmFiaWVzJTJDa2FueWUtd2VzdCUyQ2tpbS1rYXJkYXNoaWFuJTJDbmV3cyU3Q2NlbGViJTNEJTdDdW5pcXVlJTNEZnVuY3Rpb24rKCkrJTdCJTBBKysrKysrKysrKysrdmFyK2ErJTNEKyU1QiU1RCUyQ2srJTNEKzAlMkNlJTNCJTBBKysrKw==$

actions = droppedPacket+deniedFlow+tcpOneWayResetSent

alert_details = InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ; risk_rating_num = 100(TVR=medium ARR=relevant) threat_rating = 65 reputation = protocol = tcp

New Member

I am starting to think that

I am starting to think that these are not false positives but some sort of call back to the control servers. 

Can anyone from Cisco chime in on this and provide more information please?

Thank you.


New Member

How many are you getting? I

How many are you getting? I've only gotten a handful. We've got maybe 1000 machines and I might have gotten 7-8 notices since Friday. I got a handful on Friday afternoon, 1-2 on Sunday, and none today. The most I've ever gotten per IP is 2 notices.

We checked one of the machines out on Friday after we got 2 notices on it but didn't see any kind of malware/rootkits and we haven't gotten anything since from that IP.

I was thinking maybe it's something like the SQL Query in HTTP Request false positives that come from some Yahoo/Facebook traffic.

New Member

We have gotten hundreds of

We have gotten hundreds of the alerts. We are at a university, and I just figured out that some Mac machines are vulnerable to the bash exploit. 

I am wondering if these are the machines that are tripping the signature when they calling back to a C and C server?

New Member

I have also experiencing this

I have also experiencing this kind of problem.

We already patched the internal attacker IP and the events are still appearing.

Victim IPs are mostly to Amazon.

New Member

in the example from

in the example from jbuchinsky below, we see javascript embedded in a POST body argument



a new version of sig 4689-1 will be released in S825 which tighten the sig to only catch ()+%7B immediately after an = instead of anywhere in the POST body, thus ignoring these cases of javascript sent in http requests


Also it will reduce the SFR to 85 so these packets will not be denied by default

New Member

Could you rephrase this

Could you rephrase this explanation for a non-IT executive?