Detect ShellShock Attempts in Apache Logs

sourcetype="apache:access" http_method=POST (request="*{ :;};*" OR request="*/bin/*")

A very simple query to detect attempts at running Linux commands on an Apache web server. The POST HTTP request is where the command is injected. By searching the "request" field for telltale signs of the attempt (the Shellshock function-definition prefix, or a reference to a binary under /bin/), you can see when and where the attack is occurring and take the appropriate actions.

It is recommended to set up alerts based on this query. Appending the table command keeps only the fields needed for triage and makes the report easier to read:

| table _time, request, src_ip, dst_ip
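The same detection logic as a stand-alone log scanner, written here as an added example rather than anything from the original post. It parses Apache combined-format lines and goes slightly beyond the Splunk query above: it does not restrict itself to POST, and it inspects the Referer and User-Agent fields as well as the request line, since Shellshock payloads were commonly carried in those headers. The log lines and IP addresses are constructed samples.

```python
"""Flag Shellshock-style command injection in Apache combined-format logs."""
import re

# Constructed sample log lines (not real traffic). Line 1 carries the Shellshock
# function-definition prefix in the User-Agent header, line 2 carries it in the
# request line itself (the case the Splunk query targets), line 3 is benign.
SAMPLE_LOG = r'''
203.0.113.7 - - [25/Sep/2014:10:01:02 +0000] "GET /cgi-bin/status HTTP/1.1" 200 512 "-" "() { :;}; /bin/bash -c 'id'"
203.0.113.8 - - [25/Sep/2014:10:01:05 +0000] "POST /cgi-bin/form?x=() { :;}; /bin/ls HTTP/1.1" 404 0 "-" "curl/7.30.0"
198.51.100.2 - - [25/Sep/2014:10:01:09 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
'''.strip().splitlines()

# Apache "combined" LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'^(?P<src_ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")  # bash exported-function prefix "() {"
BIN_PATH_RE = re.compile(r"/bin/")         # weaker indicator: a binary path in the payload
FIELDS = ("request", "referer", "user_agent")


def parse_combined(line):
    """Return the log fields as a dict, or None if the line is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def shellshock_hits(line):
    """Return (field, reason) pairs for every attacker-controlled field carrying an indicator."""
    rec = parse_combined(line)
    if rec is None:
        return []
    hits = []
    for field in FIELDS:
        value = rec[field]
        if SHELLSHOCK_RE.search(value):
            hits.append((field, "shellshock_prefix"))  # high-fidelity match
        elif BIN_PATH_RE.search(value):
            hits.append((field, "bin_path"))           # low-fidelity, review manually
    return hits


def scan(lines):
    """Return alert rows with the same columns as the report's table command."""
    alerts = []
    for line in lines:
        hits = shellshock_hits(line)
        if hits:
            rec = parse_combined(line)
            alerts.append({"_time": rec["time"], "src_ip": rec["src_ip"],
                           "request": rec["request"], "matched": hits})
    return alerts


if __name__ == "__main__":
    for row in scan(SAMPLE_LOG):
        print(row)
```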
