Friday, 16 January 2015

Why can't the Bash Shellshock vulnerability be detected at webservers in advance?



There are lots of posts regarding the shellshock vulnerability. I can understand the vulnerability in detail.


However, I'm curious about why intrusion detection systems or host-based tools (e.g., antivirus systems) fail to detect it.


Some answers may say that Snort does not have the appropriate signature, but there should at least be some other symptoms that would let network administrators understand that something abnormal is going on in their network, such as a different HTTP user agent string (host-based solutions check that, right?), an abnormal increase in outbound traffic, or the number of processes or memory usage at the webservers rising above the usual boundaries.


PS: This question is about webservers that are vulnerable to the Shellshock attack. By "in advance", I mean that after a short time the attack is attempted by the attacker.
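
One of the symptoms the question mentions, an unusual HTTP user agent string, can be checked directly in web server access logs. The Python sketch below is an added example, not part of the original post: it assumes the Apache/nginx combined log format, uses constructed log lines, and flags Referer or User-Agent values that begin with a Bash function definition (`() {`), the form a Shellshock request header takes.

```python
import re

# Combined Log Format (assumed):
# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"$'
)

# A header value that *starts* with a Bash function definition: "()" then "{".
# Optional whitespace is tolerated, which is deliberately a little looser
# than the exact "() {" prefix.
FUNC_DEF_RE = re.compile(r'^\s*\(\s*\)\s*\{')

# Constructed sample lines (documentation address ranges, harmless payloads).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jan/2015:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [16/Jan/2015:10:00:05 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "-" "() { :; }; echo constructed-probe"',
    '203.0.113.4 - - [16/Jan/2015:10:00:09 +0000] "GET /cgi-bin/status HTTP/1.1" 200 87 "() { x; }; echo constructed-probe" "curl/7.38.0"',
    '192.0.2.11 - - [16/Jan/2015:10:00:12 +0000] "GET /a HTTP/1.1" 200 10 "-" "Mozilla/5.0 (compatible; bot) foo() {"',
]


def find_suspects(lines):
    """Return (host, field, value) for each logged header that starts like a function definition."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline should count these
        for field in ("referer", "agent"):
            value = m.group(field)
            if FUNC_DEF_RE.match(value):
                hits.append((m.group("host"), field, value))
    return hits


if __name__ == "__main__":
    for host, field, value in find_suspects(SAMPLE_LOG):
        print(f"{host}\t{field}\t{value}")
```

The combined log format records only the Referer and User-Agent request headers, so a value carried in any other header is not visible to this check and needs a request-inspection layer in front of the server.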




