False Positive on Sig 4689/1 Bash Environment Variable Command Injection

I am seeing what I believe are false positives on Sig 4689/1 outbound from our network. When I look at the traffic capture from the events, it does not seem to match the inbound traffic events that fire on the same signature. The inbound traffic looks very much like what I think is the exploit code for the Bash injection vulnerability.
Anyone else seeing this on their systems?
Mike

I'm seeing things like this. Whenever I look up the victim IPs they resolve to Amazon servers. It looks like a false positive to me also.
event_id = 1360033965674082135
severity = high
device_name = xxxxxxx
app_name = sensorApp
receive_time = 09/28/2014  06:32:59
event_time = 09/28/2014 10:33:29
sensor_local_time = 09/28/2014 06:33:29
sig_id = 4689
subsig_id = 1
sig_name = Bash Environment Variable Command Injection
sig_details = CVE-2014-6271
sig_version = S824
attacker_ip = xxx.xxx.xxx.xxx
attacker_port = 50986
attacker_locality = OUT
victim_ip = 54.204.5.190
victim_port = 80
victim_os = unknown unknown (relevant)
victim_locality = OUT
summary_count = 0
initial_alert_id =
summary_type =
is_final_alert =
interface = GigabitEthernet0/1
vlan = 0
virtual_sensor = vs0
context = bGVicml0eWJhYmllcy5wZW9wbGUuY29tJTdDYWlkJTNEMjA4OTQ1JTdDY2glM0RiYWJpZXMlN0NzY2glM0RuZXdzJTdDcHR5cGUlM0Rjb250ZW50JTdDY3R5cGUlM0RibG9nJTdDcGFnZSUzRDElN0NzdWJqJTNEYmFiaWVzJTJDa2FueWUtd2VzdCUyQ2tpbS1rYXJkYXNoaWFuJTJDbmV3cyU3Q2NlbGViJTNEJTdDdW5pcXVlJTNEZnVuY3Rpb24rKCkrJTdCJTBBKysrKysrKysrKysrdmFyK2ErJTNEKyU1QiU1RCUyQ2srJTNEKzAlMkNlJTNCJTBBKysrKw==$
actions = droppedPacket+deniedFlow+tcpOneWayResetSent
alert_details = InterfaceAttributes:  context="single_vf" physical="Unknown" backplane="GigabitEthernet0/1" ;
risk_rating_num = 100(TVR=medium ARR=relevant)
threat_rating = 65
reputation =
protocol = tcp
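As an added example (not part of the thread), the following Python decodes the base64 `context` field from the alert quoted above and checks where the Bash function prefix `() {` that CVE-2014-6271 detection rules look for actually sits. It assumes that the signature matches on that prefix after HTTP URL decoding, which the post does not state; the helper names, the second constructed sample in the comments and the verdict labels are constructed for this example, not Cisco's.

```python
import base64
import re
from urllib.parse import unquote_plus

# The "context =" field from the alert quoted above, copied verbatim. The
# trailing "$" in the post is not base64 and is stripped before decoding.
ALERT_CONTEXT_B64 = (
    "bGVicml0eWJhYmllcy5wZW9wbGUuY29tJTdDYWlkJTNEMjA4OTQ1JTdDY2glM0Ri"
    "YWJpZXMlN0NzY2glM0RuZXdzJTdDcHR5cGUlM0Rjb250ZW50JTdDY3R5cGUlM0Ri"
    "bG9nJTdDcGFnZSUzRDElN0NzdWJqJTNEYmFiaWVzJTJDa2FueWUtd2VzdCUyQ2tp"
    "bS1rYXJkYXNoaWFuJTJDbmV3cyU3Q2NlbGViJTNEJTdDdW5pcXVlJTNEZnVuY3Rp"
    "b24rKCkrJTdCJTBBKysrKysrKysrKysrdmFyK2ErJTNEKyU1QiU1RCUyQ2srJTNE"
    "KzAlMkNlJTNCJTBBKysrKw==$"
)

# Assumption: the signature keys on the start of an exported Bash function
# definition, "() {", with a variable amount of whitespace in between.
BASH_FUNC_PREFIX = re.compile(r"\(\)\s*\{")


def encode_context(raw: bytes) -> str:
    """Build a context field the way the sensor stores it (base64 of the
    captured bytes). Used to construct extra samples for comparison."""
    return base64.b64encode(raw).decode("ascii")


def decode_context(b64_field: str) -> str:
    """Base64-decode the context field. The result is the captured data as
    it went over the wire; for this HTTP request that is still URL-encoded."""
    raw = base64.b64decode(b64_field.rstrip("$"))
    return raw.decode("ascii", errors="replace")


def triage(b64_field: str) -> dict:
    """Locate the "() {" prefix in the raw and in the URL-decoded capture and
    record what precedes it; the preceding text is the decisive clue."""
    raw = decode_context(b64_field)
    decoded = unquote_plus(raw)
    raw_hit = BASH_FUNC_PREFIX.search(raw)
    dec_hit = BASH_FUNC_PREFIX.search(decoded)
    preceding = ""
    if dec_hit:
        # Up to 20 characters before the match. A genuine Shellshock probe
        # places "() {" at the start of a header value, so a header name
        # such as "User-Agent: " is expected there, not JavaScript source.
        preceding = decoded[max(0, dec_hit.start() - 20):dec_hit.start()]
    return {
        "raw_match": raw_hit is not None,
        "decoded_match": dec_hit is not None,
        "preceding": preceding,
        "decoded": decoded,
    }


def verdict(b64_field: str) -> str:
    """Coarse label for sorting an analyst queue (a heuristic, not proof)."""
    t = triage(b64_field)
    if not t["decoded_match"]:
        return "no-match"
    # Visible only after URL decoding and preceded by the JavaScript keyword
    # "function": a script fragment carried inside a query-string value.
    if not t["raw_match"] and re.search(r"function\s*$", t["preceding"]):
        return "javascript-source-in-query-string"
    return "needs-manual-review"


if __name__ == "__main__":
    result = triage(ALERT_CONTEXT_B64)
    print(result["decoded"])
    print("match in raw bytes:", result["raw_match"])
    print("match after URL decoding:", result["decoded_match"])
    print("verdict:", verdict(ALERT_CONTEXT_B64))
```

Run as is, it prints the decoded 256-byte capture: a tracking request (starting mid-hostname) whose `unique=` parameter carries a JavaScript function body, `function () {`, which after URL decoding contains exactly the Bash prefix the signature looks for. On the wire the match is percent-encoded (`()+%7B`) and preceded by the keyword `function` rather than sitting at the start of a header value, which is what makes it a benign trigger; an outbound HTTP request to a web-hosting address on port 80 fits the posters' observation. Treat the verdict as a queue-sorting aid and still confirm by inspecting the full request.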

Similar Messages

  • Cisco 3560 GNU Bash Environment Variable Command Injection Vulnerability

    Is this model, the 3560, affected by this vulnerability? If it is, is any configuration required to solve this Bash Code Injection Vulnerability issue? Thanks guys!

  • Using BASH environment variables in xCode build configuration

    Hi All,
    Is it possible to use BASH environment variables (exported from /etc/profile, for example) in xcode build settings?
    Specifically, I am exporting a "BOOST_HOME" variable, and would like to reference this variable in "User Header Search Path", but the obvious $BOOST_HOME doesn't seem to work?
    Thanks,
    Andrew

    I don't know much about XCode -- but to set environment variables for GUI applications you need to edit ~/.MacOSX/environment.plist. There's a description here:
    http://wiki.lyx.org/Mac/Environment
    After editing that file I believe you have to logout and back in for the changes to take effect.
    I swear I saw a GUI app to help edit that file, but I can't find it now...

  • False positive for 16800: TCP: GNU Bash Remote Code Execution Vulnerability

    Dear Team, 
    My customer, a bank in Brunei, wants to access several finance websites such as www.iifm.net etc. TippingPoint IPS blocked access to the website, reporting it as 16800: TCP: GNU Bash Remote Code Execution Vulnerability (Low Severity). The site is a normal, legitimate website. Our question: these several websites need to be accessed by our employees for their daily work. Please advise.
    Best Regards
    Yudi

    @yuibagan
    Thank you for using HP Support Forum. I have brought your issue to the appropriate team within HP. They will likely request information from you in order to look up your case details or product serial number. Please look for a private message from an identified HP contact. Additionally, keep in mind not to publicly post serial numbers and case details.
    If you are unfamiliar with the Forum's private messaging please click here to learn more.
    Thank you,
    Omar
    I Work for HP

  • False positive on Sig 5316.0?

    Can someone explain why this signature is firing for me?
    This signature is supposed to fire when the string "/ext.dll.*a0=add" is seen.
    I am seeing an Attacker context of "http://<server name>/<Sub Dir>/maext.dll"
    To me it doesn't seem like this should be firing on this syntax because the ext.dll is not preceded by a "/"; it is preceded by "ma".
    Can anyone help explain this to me?

    The signature seems to be firing once it sees all the characters in the signature, irrespective of the exact string. That is, as soon as the signature captures all the characters in the signature, it fires. I too feel that this should not be happening this way. Any other thoughts?

  • Single-session bash environment variables

    I would like to run a program with a specific proxy, but I don't want any other programs to use that proxy. Would something like this work?
    #!/bin/sh
    http_proxy=proxy_address
    program_name
    exit 0
    Do I need to export the http_proxy variable? It seems like the variable would be persistent instead of just being used for the one program that is being called.

    mrbug wrote:
    Ah.. Thanks for replying!
    So then the export lines in .bashrc send the variables only to your spawned (which turns out to be every) bash processes? That must be what was confusing me...
    Exactly
    mrbug wrote: Just out of curiosity, how would you (if it's possible) send variables to a parent process?
    I think it's not possible. Please correct me if I'm wrong!
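The scoping rules this thread discusses (a bare assignment is a shell variable only, `VAR=value command` passes it to that one command, `export` passes it to every later child, and nothing flows back up to the parent) can be checked directly. The following Python, added here and not posted by anyone in the thread, drives /bin/sh with `subprocess` in a minimal environment; the `PROGRAM` stand-in for `program_name` and the proxy address are constructed placeholders.

```python
import os
import subprocess

# Constructed stand-in for "program_name": a child process that prints the
# http_proxy value it inherited, or "unset" if it inherited nothing.
PROGRAM = 'sh -c \'printf "%s" "${http_proxy-unset}"\''
PROXY = "proxy.example.invalid:3128"  # constructed placeholder address


def child_sees(script: str) -> str:
    """Run a /bin/sh script in a minimal environment and return what the
    child program at the end of the script sees in http_proxy."""
    result = subprocess.run(
        ["/bin/sh", "-c", script],
        env={"PATH": os.defpath},  # no inherited http_proxy to muddy the test
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def plain_assignment() -> str:
    # The shape of the script in the question: an assignment on its own
    # line creates a shell variable, which is NOT passed to child processes.
    return child_sees(f"http_proxy={PROXY}\n{PROGRAM}")


def single_command_prefix() -> str:
    # VAR=value command: the variable is in the environment of that one
    # command only, and the shell itself never keeps it.
    return child_sees(f"http_proxy={PROXY} {PROGRAM}")


def prefix_scoped_to_one_command() -> str:
    # After "VAR=value cmd", a later command in the same shell does not
    # see the variable.
    return child_sees(f"http_proxy={PROXY} true\n{PROGRAM}")


def exported() -> str:
    # export marks the variable for every child the shell spawns from then on.
    return child_sees(f"export http_proxy={PROXY}\n{PROGRAM}")


def parent_unaffected() -> bool:
    # Nothing a child shell exports travels up to this parent process.
    before = os.environ.get("http_proxy")
    child_sees(f"export http_proxy={PROXY}\n{PROGRAM}")
    return os.environ.get("http_proxy") == before


if __name__ == "__main__":
    print("VAR=value on its own line, child sees:", plain_assignment())
    print("VAR=value command, child sees:       ", single_command_prefix())
    print("next command after that, child sees: ", prefix_scoped_to_one_command())
    print("export VAR=value, child sees:        ", exported())
    print("parent environment unchanged:        ", parent_unaffected())
```

The `VAR=value command` form is the one that answers the original question: it confines the proxy setting to the single program without `export` and without leaving the variable behind in the calling shell.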

  • Possible false positive issue with SigID 3353

    Here is a packet captured by the IDS that triggered SigID 3353 - SMB Request Overflow
    evAlert: eventId=1075708170032493259 severity=high
    originator:
    hostId: cisco-ids-v4.1
    appName: sensorApp
    appInstanceId: 1134
    time: 2005/07/18 14:53:30 2005/07/18 14:53:30 UTC
    interfaceGroup: 0
    vlan: 0
    signature: sigId=3353 sigName=SMB Request Overflow subSigId=0 version=S180 Malformed SMB Request
    context:
    fromVictim:
    000000 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
    000010 01 00 00 00 01 00 00 00 01 00 00 00 01 00 00 00 ................
    000020 01 00 00 00 00 00 00 00 00 00 00 68 FF 53 4D 42 ...........h.SMB
    000030 25 00 00 00 00 98 07 C8 00 00 00 00 00 00 00 00 %...............
    000040 00 00 00 00 00 50 78 07 01 90 81 0C 0A 00 00 30 .....Px........0
    000050 00 00 00 00 00 38 00 00 00 30 00 38 00 00 00 00 .....8...0.8....
    000060 00 31 00 2C 05 00 02 03 10 00 00 00 30 00 00 00 .1.,........0...
    000070 0A 00 00 00 18 00 00 00 00 00 00 00 00 00 00 00 ................
    000080 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    000090 00 00 00 00 00 00 00 68 FF 53 4D 42 25 00 00 00 .......h.SMB%...
    0000A0 00 98 07 C8 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0000B0 00 50 78 07 01 90 C1 0C 0A 00 00 30 00 00 00 00 .Px........0....
    0000C0 00 38 00 00 00 30 00 38 00 00 00 00 00 31 00 2C .8...0.8.....1.,
    0000D0 05 00 02 03 10 00 00 00 30 00 00 00 0B 00 00 00 ........0.......
    0000E0 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0000F0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
    fromAttacker:
    000000 00 00 00 00 00 54 00 2C 00 54 00 02 00 26 00 0F .....T.,.T...&..
    000010 70 3D 00 00 5C 00 50 00 49 00 50 00 45 00 5C 00 p=..\.P.I.P.E.\.
    000020 00 00 00 00 05 00 00 03 10 00 00 00 2C 00 00 00 ............,...
    000030 0A 00 00 00 14 00 00 00 00 00 01 00 00 00 00 00 ................
    000040 BB E2 9E 20 19 4C 0D 4B B7 17 DF 44 B9 00 52 40 ... .L.K...D..R@
    000050 00 00 00 80 FF 53 4D 42 25 00 00 00 00 18 07 C8 .....SMB%.......
    000060 00 00 00 00 00 00 00 00 00 00 00 00 00 50 78 07 .............Px.
    000070 01 90 C1 0C 10 00 00 2C 00 00 00 54 05 00 00 00 .......,...T....
    000080 00 00 00 00 00 00 00 00 00 54 00 2C 00 54 00 02 .........T.,.T..
    000090 00 26 00 0F 70 3D 00 00 5C 00 50 00 49 00 50 00 .&..p=..\.P.I.P.
    0000A0 45 00 5C 00 00 00 00 00 05 00 00 03 10 00 00 00 E.\.............
    0000B0 2C 00 00 00 0B 00 00 00 14 00 00 00 00 00 01 00 ,...............
    0000C0 00 00 00 00 15 FD E7 ED 7D DD E4 40 8A E9 7C 39 ........}..@..|9
    0000D0 30 15 BC C3 00 00 00 80 FF 53 4D 42 25 00 00 00 0........SMB%...
    0000E0 00 18 07 C8 00 00 00 00 00 00 00 00 00 00 00 00 ................
    0000F0 00 50 F0 06 01 90 00 0D 10 00 00 2C 00 00 00 80 .P.........,....
    participants:
    attack:
    attacker: proxy=false
    addr: locality=IN 10.24.238.193
    port: 1071
    victim:
    addr: locality=IN 10.24.4.42
    port: 139
    alertDetails: Traffic Source: int0 ;
    As you can see, looks like a pretty normal SMB packet. This sensor is on an internal network, so Windows file and printer sharing is the norm.
    I think there is a false positive issue that was introduced with the signature’s tuning via the S180 update. As a result, I have two questions:
    1) Am I right, or is the signature working as it should?
    2) Is anyone else having this problem?
    Any and all feedback will be greatly appreciated,
    Alex Arndt

    The new version of this signature should be included in the S182 update. As a workaround, if you are using 5.x you may want to create 2 meta signatures using this signature and the no-op sled signatures (3328; for better coverage create a meta associated with each one and the existing sig). In your component list be sure to set 3353 prior to 3328. Set unique attackers to 1, meta interval to 2, and component-list-in-order to true. This should eliminate all benign triggers.

  • How to determine is it SMB - Remote SAM server access , false positive?

    How to determine is it SMB - Remote SAM server access , false positive?

    5583-0 right?
    I would say that there are different types of false positives. Do you mean, how do I determine if what was seen actually represents an attempt to access the SAM database? I would start by looking at MySDN (or whatever Cisco is calling it these days...IntelliShield?). It's often not very up to date and missing information, but it's an easy thing to check. Here's the link for this sig:
    https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5583&signatureSubId=0
    If you look at the benign triggers, you'll see that it suggests that this only matters if the source is external. It's up to you whether to research any further. If you really want to inspect the signature further, you'll have to add one of the "log packets" actions. This will save a network trace when it fires again and then you can open it up in Wireshark, which understands SMB and will probably decode it enough for you to verify whether it actually was an attempt to access the "Remote SAM server".

  • Lots of false positives on outbound SPAM filtering

    Starting around 5:30AM this morning a lot of our outbound e-mail began testing as positively identified SPAM.  In our environment I have positively identified outbound SPAM set up to go to a quarantine.
    In looking at the e-mails they are legitimate e-mails. 
    My first attempt was to lower the positively identified SPAM threshold from 75 to 50, had no effect.
    My second attempt was to exclude our internal domains so that e-mail hitting our IronPort appliances for internal recipients would be allowed through, positively identified SPAM or not.
    EDIT:  Reviewing some of the e-mails, some are a simple e-mail with text only and a single .pdf attachment.  Tested as positively identified SPAM.  Some have multiple hyper links but are to legitimate URLs.
    My questions:
    What changed this morning that is causing all of these false positives?
    What can I do differently to not let this occur again?
    Thanks...

    Really appreciate the replies...
    Bob, SBRS is disabled on my outbound mail and it also comes from private/internal IP addresses, does show "not enabled" in message tracking...
    After my post this morning our appliances (two C660s) were still false positiving a lot of outbound mail that was for external recipients (my filter was excluding internal domains)..  but after 1:00PM central or so they started declining and since 3:00PM there hasn't been a single one..   Could be the volume of e-mail is starting to go down a little but I'm guessing there was a CASE rules update...
    Now I just need to decide if I'm going to set the SPAM threshold back to what it was or just leave it alone..  We have had a problem with internal users getting their mail accounts compromised and send out a lot of phishing e-mails that I have been trying to block.

  • How can you distinguish a 'false positive'?

    The IPS generated an alert, SMB Remote Registry Access Attempt. How do I investigate the alert? I ran a couple of spyware programs on the host and found some cookies, generally clean. At what point is the alert resigned as a false positive?
    “Triggers when a client attempts to access the registry on the Windows server. Microsoft tools like REGEDIT provide the ability to access a servers registry over the network. There are several hacking tools that also provide similar capabilities. Every attempted access will cause an alarm to be sent. An attacker can cause serious damage to a computer system by changing the registry.”
    appInstanceId: 403
    signature: description=SMB Remote Registry Access Attempt id=5579 version=S264
    subsigId: 1
    marsCategory: Probe/Host/WinRegistry

    You should start by looking for documented benign triggers:
    https://intellishield.cisco.com/security/alertmanager/ipsSignature?signatureId=5579&signatureSubId=0
    In this case, the benign triggers should tell you what you need to know.

  • Cellular signal becomes false positive

    Everything works fine, except after a while the cellular signal becomes a false positive. By this I mean the upper left corner continues to read "Verizon 4G LTE" with a few bars, but there's actually no signal. All apps that require the Internet don't work. It's an easy fix though — in Settings, the Cellular Data has to be turned off, then turned back on. And by "after a while" I mean when it falls into sleep mode after a FaceTime session, then is awoken. Not sure exactly how long afterwards. Not sure if it's consistently after one nap or longer. Not sure if running other apps would do the same thing.
    Question is:
    Is this normal?
    I can imagine the upside is that you don't waste data in a prepaid data plan like when background apps continue to run.
    The dreadful downside, however, is that any incoming FaceTime call cannot get through.
    If this is NOT normal, is it a common glitch/bug/quirk? And how to fix it?
    iPad3, OS 6.0.1

    You can't begin measuring velocity until it is positive unless you have already been measuring velocity.
    The solution is to always do the measurement.  Evaluate it with a >0.  In the true condition, then do whatever it is you want to do.

  • False Positives with GRC AC 5.2

    Hi,
    I actually have been working with GRC AC 5.2 (Compliance Calibrator) and we encountered several problems with false positives, working in the risk analysis.
    Does anyone know how to solve this problem? Do you have documents or links to help?
    Thanks,
    Ricardo.

    Thank you Alpesh for response.
    In fact, I have several problems with false positives, but at the transactional level. For example, I have a user with the PFCG and SU01 transactions. The configuration of profiles in the SAP R/3 system does not allow the user involved to execute both transactions in an end-to-end process; I mean, the user has the transactions via the S_TCODE object and has some other objects related to the PFCG and SU01 transactions, but he doesn't have the values that allow the transactions to work properly. Then the Compliance Calibrator reports risks that don't exist.
    It seems that it is a ruleset configuration problem in the CC, so my question is: does the standard ruleset detect these problems properly?
    Let me explain the reason that causes the problem.
    We have been working with a personalized ruleset, at the customer's request. For that reason we looked at the USOBT_C table and formed the ruleset functions in CC so that these functions were equal to the USOBT_C table. We did that because the standard ruleset shows false positives, such as the first example in this post.
    Thank you very much,
    RCL.
    Edited by: Ricardo  Carrasco on Jun 18, 2009 11:58 PM

  • LMS 4.2.2 DFM still not possible to disable Duplicate IP false positives?

    I found one discussion about Cisco Works 2.6 where it is pointed out that duplicate IP alerts cannot be disabled in LMS.
    Now I have an installation with 2 core switches: one has all VLAN interfaces up, the second one has the same interfaces with the SAME IP addresses in shutdown state.
    DFM still recognizes this similar IP configuration on two boxes as a duplicate IP situation, but it shouldn't because they are all shut down.
    Is it possible to disable these false positives in DFM?
    Thanks for any hints!

  • Comparing documents and false positives

    Hello,
    I often have to send a proof of a book to a printer. The proof is a PDF. When they return a soft proof--another PDF that they will use to print--I need to quickly compare the two to make sure that there have been no changes in the text.
    The Compare Documents feature certainly beats a side-by-side eyeball scan. But I often get a lot of false positives, words are flagged that actually have not changed.
    It appears that my PDF, exported from InDesign has some hidden discretionary hyphens. In ID these are used to make sure a word breaks at the end of the line at the correct syllable. They are invisible when printed. In a PDF these are not necessary because the text ain't gonna reflow, right?
    But when I compare the soft proof to the original PDF, words with discretionary hyphens are flagged. Somehow the printer has stripped the discretionary hyphens. That's fine but what must I do to get rid of them in my PDF?
    Below is an example. The PDF shown is the one from the printer. The comment box shows the difference from the original PDF, though there is in fact no difference on the page.
    Any advice would be appreciated.
    Tom

    I like Acrobat's text comparisons, which have saved me from bad goofs several times -- mostly stray key-strokes, but once I caught an InDesign footnote numbering snafu.  However, the false positives have always been annoying even without flagging every single discretionary hyphen.
    I imagine you have tried the image method for comparisons, a modern version of the old trick of putting printouts of the old and new versions of a page on a light table to find differences.
    I don't recall seeing comments of the type "undefined", but does re-sorting comments by type at least isolate these so you can step through the rest?  I'm no scripter, but can a javascript mark or eliminate comments containing hyphens?
    More drastic, would it be worth trying to eliminate the discretionary hyphens?  For instance, you could apply Harb's "Freeze Composition" in InDesign, and then search-and-replace all discretionary hyphens.  (Read the comments on the In-Tools site, as well as those in the InDesignSecrets blog it links to because you might want to modify the way it handles hyphens.)
    Good luck!
    David

  • False Positives for id=12713 version=S149

    Just started receiving numerous firings of 12713. Looks like false positives. Is anyone else observing this?
    Cisco MARS is creating the following : System Rule: DoS: Network - Success Likely
    thanks
    John Stark

    This is indeed a false positive. You can either filter out trusted hosts or create a metasignature using this signature as a component to reduce the chance of false positives.
    Tune signature 3327-6 and remove the produce alert action.
    Create a custom signature as follows:
    Engine Meta
    Component list:
    3327-6
    3328-0
    Meta-reset-interval = 2
    Severity high
    Summarize
    Meta-key = Axxx – 1 unique victim
    Component-list-in-order = false
    Event action: produce alert
    This signature will only fire when signatures 3327-6 and 3328-0 fire. Since 3327-6 would have no event action of its own you would not see alerts from it.
    Note that this signature does not have as high fidelity as the original 3327-6; that being said, signature 3327-0 detects almost all public exploits for this vulnerability. We will note this in the NSDB.
