This section shows an example of the rules required to mitigate the Shellshock Bash attack. There are two rules needed in this case. Details of both rules are provided in the sections below.

First Rule

This is the first rule:

SecRule REQUEST_LINE|REQUEST_HEADERS|REQUEST_HEADERS_NAMES "@contains () {" \
    "id:2100080,\
    phase:1,\
    block,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:compressWhitespace,\
    msg:'SLR: Bash ENV Variable Injection Attack',\
    tag:'CVE-2014-6271',\
    tag:'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271',\
    tag:'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'"

Variables

Details about the variables in this example rule are provided below:

Variable Name: REQUEST_LINE

Variable Definition: This variable holds the complete request line sent to the server (including the request method and HTTP version information).

Variable Name: REQUEST_HEADERS

Variable Definition: All of the request headers.

Variable Name: REQUEST_HEADERS_NAMES

Variable Definition: All of the names of the request headers.

Operator

"@contains () {" – Checks the REQUEST_LINE|REQUEST_HEADERS|REQUEST_HEADERS_NAMES variables for the string ‘() {’ and returns true if found.

Actions

Action: phase:1

Description: Places the rule (or chain) in Phase 1 processing. There are five phases:

  • Request Headers (1)
  • Request Body (2)
  • Response Headers (3)
  • Response Body (4)
  • Logging (5)

Action: id:2100080

Description: The unique ID assigned to the rule (or chain) in which it appears.

Action: block

Description: Performs the disruptive action defined by the previous SecDefaultAction. This allows rule writers to request a blocking action without specifying how the blocking is to be done. The SecRuleUpdateActionById directive allows you to override how a rule handles blocking. Please refer to the Rule Block Function section for further details.

Action: t:none

Description: Clears any transformation functions inherited from SecDefaultAction, so that only the transformations listed after it in this rule are applied to the variable's value before matching.

Action: t:utf8toUnicode

Description: Converts all UTF-8 character sequences to Unicode to assist in input normalization.

Action: t:urlDecodeUni

Description: Decodes a URL-encoded input string with support for the Microsoft-specific %u encoding.

Action: t:compressWhitespace

Description: Converts any of the whitespace characters (0x20, \f, \t, \n, \r, \v, 0xa0) to spaces (ASCII 0x20), compressing multiple consecutive space characters into one.

Action: msg:'SLR: Bash ENV Variable Injection Attack'

Description: The custom message assigned to the rule (or chain) in which it appears; it is recorded in the log entry when the rule matches.

Action: tag:'CVE-2014-6271'
        tag:'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271'
        tag:'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'

Description: Assigns a tag (category) to a rule (or chain). This metadata allows easy automated categorization of events. Multiple tags can be specified on the same rule.

Second Rule

The second rule is as follows:

SecRule REQUEST_BODY "@contains () {" \
    "id:2100081,\
    phase:2,\
    block,\
    t:none,t:utf8toUnicode,t:urlDecodeUni,t:compressWhitespace,\
    msg:'SLR: Bash ENV Variable Injection Attack',\
    tag:'CVE-2014-6271',\
    tag:'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271',\
    tag:'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'"

Variables

Variable Name: REQUEST_BODY

Variable Definition: All of the request body.

Operator

"@contains () {" – Checks the REQUEST_BODY variable for the string ‘() {’ and returns true if found.

Actions

Action: phase:2

Description: Places the rule (or chain) in Phase 2 processing. There are five phases:

  • Request Headers (1)
  • Request Body (2)
  • Response Headers (3)
  • Response Body (4)
  • Logging (5)

Action: id:2100081

Description: The unique ID assigned to the rule (or chain) in which it appears.

Action: block

Description: Performs the disruptive action defined by the previous SecDefaultAction. This allows rule writers to request a blocking action without specifying how the blocking is to be done. The SecRuleUpdateActionById directive allows you to override how a rule handles blocking. Please refer to the Rule Block Function section for further details.

Action: t:none

Description: Clears any transformation functions inherited from SecDefaultAction, so that only the transformations listed after it in this rule are applied to the variable's value before matching.

Action: t:utf8toUnicode

Description: Converts all UTF-8 character sequences to Unicode to assist in input normalization.

Action: t:urlDecodeUni

Description: Decodes a URL-encoded input string with support for the Microsoft-specific %u encoding.

Action: t:compressWhitespace

Description: Converts any of the whitespace characters (0x20, \f, \t, \n, \r, \v, 0xa0) to spaces (ASCII 0x20), compressing multiple consecutive space characters into one.

Action: msg:'SLR: Bash ENV Variable Injection Attack'

Description: The custom message assigned to the rule (or chain) in which it appears; it is recorded in the log entry when the rule matches.

Action: tag:'CVE-2014-6271'
        tag:'http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271'
        tag:'https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/'

Description: Assigns a tag (category) to a rule (or chain). This metadata allows easy automated categorization of events. Multiple tags can be specified on the same rule.
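To show how the transformation chain and the @contains operator of the two rules behave on concrete input, the following is an added Python model of rules 2100080 and 2100081 (example code written for this page; it is not part of the original page and not ModSecurity's own code). It re-implements t:urlDecodeUni and t:compressWhitespace as described above, applies them in the rules' order to constructed sample requests, and reports which rule would fire. t:utf8toUnicode is deliberately not modelled: it only rewrites non-ASCII UTF-8 sequences, and the marker "() {" is pure ASCII. The function names, the SAMPLE_REQUESTS fixture and the single-pass decoder are assumptions of this example.

```python
"""Model of the two Shellshock rules' transformation chain and @contains match.

Added example for this page, not code from the page or from ModSecurity.
Assumptions: url_decode_uni() approximates t:urlDecodeUni, the sample
requests are constructed (not captured traffic), and t:utf8toUnicode is
omitted because the ASCII marker does not depend on it.
"""
import re

# The string both rules search for with @contains (rule ids 2100080 and 2100081).
SHELLSHOCK_MARKER = "() {"

# Characters t:compressWhitespace folds into a single space (0x20), per the page.
_WS_RE = re.compile("[\x20\f\t\n\r\v\xa0]+")
# %uXXXX (Microsoft-specific), %XX, or '+' as handled by t:urlDecodeUni.
_URL_RE = re.compile(r"%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})|(\+)")


def url_decode_uni(value: str) -> str:
    """Approximation of t:urlDecodeUni. Single pass, so a decoded '%2B' stays
    a literal '+'; malformed escapes are left unchanged."""
    def repl(m: re.Match) -> str:
        if m.group(1):
            return chr(int(m.group(1), 16))   # %uXXXX
        if m.group(2):
            return chr(int(m.group(2), 16))   # %XX
        return " "                            # '+'
    return _URL_RE.sub(repl, value)


def compress_whitespace(value: str) -> str:
    """t:compressWhitespace: any run of the listed characters becomes one space."""
    return _WS_RE.sub(" ", value)


def transform(value: str) -> str:
    """The rules' chain: t:none drops inherited transforms, then the rule's own
    transforms run in order (t:utf8toUnicode omitted, see module docstring)."""
    return compress_whitespace(url_decode_uni(value))


def rule_2100080(request_line: str, headers: dict) -> bool:
    """Phase 1 rule: REQUEST_LINE, every header value, every header name."""
    targets = [request_line, *headers.values(), *headers.keys()]
    return any(SHELLSHOCK_MARKER in transform(t) for t in targets)


def rule_2100081(body: str) -> bool:
    """Phase 2 rule: REQUEST_BODY only."""
    return SHELLSHOCK_MARKER in transform(body)


def evaluate(request: dict) -> list:
    """Return the ids of the rules that fire; any hit means 'block'."""
    hits = []
    if rule_2100080(request["request_line"], request["headers"]):
        hits.append("2100080")
    if rule_2100081(request["body"]):
        hits.append("2100081")
    return hits


# Constructed sample requests (assumption: not captured traffic).
SAMPLE_REQUESTS = {
    "benign": {
        "request_line": "GET /cgi-bin/status.cgi HTTP/1.1",
        "headers": {"Host": "www.example.com", "User-Agent": "Mozilla/5.0"},
        "body": "",
    },
    "marker_in_header_value": {
        "request_line": "GET /cgi-bin/status.cgi HTTP/1.1",
        "headers": {"Host": "www.example.com", "User-Agent": "() { sample; }"},
        "body": "",
    },
    "marker_url_encoded_in_query": {
        "request_line": "GET /cgi-bin/status.cgi?v=%28%29%20%7B HTTP/1.1",
        "headers": {"Host": "www.example.com"},
        "body": "",
    },
    "marker_split_by_tabs_in_header_name": {
        "request_line": "GET /cgi-bin/status.cgi HTTP/1.1",
        "headers": {"Host": "www.example.com", "()\t\t{": "x"},
        "body": "",
    },
    "marker_in_body_only": {
        "request_line": "POST /cgi-bin/status.cgi HTTP/1.1",
        "headers": {"Host": "www.example.com",
                    "Content-Type": "application/x-www-form-urlencoded"},
        "body": "comment=%28%29+%7B",
    },
}


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:40s} -> {evaluate(req) or 'pass'}")
```

Running the block prints, for each constructed request, the ids of the rules that would fire. The encoded and tab-separated variants show why the transformation chain has to precede the match: without t:urlDecodeUni and t:compressWhitespace, "%28%29%20%7B" and "()\t\t{" do not contain the literal "() {". The body-only sample is caught by rule 2100081 alone, which is why the second, phase 2 rule is needed in addition to the phase 1 header rule.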