False Positive on Sig 4689/1 Bash Environment Variable Command Injection
I am seeing what I believe are false positives on Sig 4689/1 outbound from our network. When I look at the traffic capture from the events, it does not seem to match the inbound traffic events that fire on the same signature. The inbound traffic looks very much like what I think is the exploit code for the Bash injection vulnerability.
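One way to triage the captures the poster is comparing, as an added example that is not part of the original thread and not Cisco's signature logic: the Bash environment-variable injection (Shellshock) payloads that signature 4689/1 is written for start an environment-variable value, usually an HTTP header that CGI copies into the environment, with a function definition prefix `() {`. The script below parses raw HTTP request captures and reports which headers actually begin with that prefix, so an outbound event whose capture carries no such header can be set aside for separate review. The sample requests and the header names it checks are constructed for the example; the regex deliberately tolerates extra whitespace, which is broader than the exact `() {` string the original bug keyed on.

```python
import re

# Shellshock payloads place a bash function definition at the very start of an
# environment-variable value. Over HTTP that is normally a header value (User-Agent,
# Referer, Cookie, ...) that a CGI wrapper exports into bash's environment.
# The original bug matched the exact prefix "() {"; this pattern is a slightly
# broader superset (assumption: we would rather over-match during triage).
SHELLSHOCK_PREFIX = re.compile(rb"^\s*\(\s*\)\s*\{")


def parse_request(raw):
    """Split raw HTTP request bytes into (request_line, {lower_header_name: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0]
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # tolerate malformed or folded lines in a packet capture
        name, value = line.split(b":", 1)
        headers[name.strip().lower()] = value.strip()
    return request_line, headers


def shellshock_headers(raw):
    """Return the names of headers whose value starts with a bash function definition."""
    _, headers = parse_request(raw)
    return sorted(name.decode() for name, value in headers.items()
                  if SHELLSHOCK_PREFIX.match(value))


def triage(captures):
    """Classify (direction, raw_request) pairs into exploit-pattern hits and non-matches."""
    results = []
    for direction, raw in captures:
        hits = shellshock_headers(raw)
        verdict = "shellshock prefix present" if hits else "no shellshock prefix; review separately"
        results.append((direction, verdict, hits))
    return results


# Constructed sample captures for the example; not traffic from the thread.
# The inbound one carries the well-known public test string, with the
# function body doing nothing beyond echoing a marker.
INBOUND_SAMPLE = (
    b"GET /cgi-bin/status HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"User-Agent: () { :;}; echo vulnerable\r\n"
    b"Accept: */*\r\n\r\n"
)

# The outbound one contains parentheses and braces inside a cookie (JSON-like
# preferences), which can resemble the pattern without starting a header value
# with "() {".
OUTBOUND_SAMPLE = (
    b"GET /ajax/feed HTTP/1.1\r\n"
    b"Host: www.example.net\r\n"
    b"User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36\r\n"
    b"Cookie: prefs={\"layout\":\"()\",\"tz\":\"-5\"}; sid=abc123\r\n"
    b"Referer: https://www.example.net/home?q=(){test}\r\n\r\n"
)

SAMPLE_CAPTURES = [("inbound", INBOUND_SAMPLE), ("outbound", OUTBOUND_SAMPLE)]


if __name__ == "__main__":
    for direction, verdict, hits in triage(SAMPLE_CAPTURES):
        print(f"{direction:8s} {verdict} {hits}")
```

Run this over the packet captures attached to each event; an outbound event whose request has no header starting with `() {` is a candidate for the same kind of benign-content false positive as the SQL-in-HTTP-request alerts, while any hit should be treated as a real attempt regardless of direction.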
How many are you getting? I've only gotten a handful. We've got maybe 1000 machines and I might have gotten 7-8 notices since Friday. I got a handful on Friday afternoon, 1-2 on Sunday, and none today. The most I've ever gotten per IP is 2 notices.
We checked one of the machines out on Friday after we got 2 notices on it, but didn't see any kind of malware/rootkits, and we haven't gotten anything since from that IP.
I was thinking maybe it's something like the SQL Query in HTTP Request false positives that come from some Yahoo/Facebook traffic.
Also, it will reduce the SFR to 85, so these packets will not be denied by default.