Yesterday the security community as a whole was scrambling in reaction to the news of the Shellshock vulnerability (GNU Bash ulnerability – (CVE-2014-6271). While your teams rush to identify and patch potentially vulnerable platforms in your environment, it is important to keep in mind that this latest vulnerability can be exploited in a wide variety of forms and across multiple-attack surfaces. You cannot count on a single control type to detect exploitation of this vulnerability.
That being said, some of our own internal power users of RSA Security Analytics have been whittling away at possible detection scenarios utilizing a variety of content types. One of these efforts resulted in the attached flex parser for your packet decoders. This is a “quick and dirty” parser to help detect web-based Shellshock exploit activity.
This is being shared in the interest of hastening your ability to identify Shellshock activity over what will be its most popular and accessible conduit into your network, web traffic. Please keep in mind that there are many, many other avenues in which this vulnerability may be exploited. While we feel confident in the core ability of this parser to detect exploit attempts, it is not designed to take into account other network conduits from which the vulnerability can be exploited.
Lastly this is not a production piece of content. There is no formal support, warranty or indemnity for the parser and your mileage may
As the teams device new ways to address specific attack vectors we'll be posting them, with the same caveats. There is no "magic bullet" piece of content for detecting all possible exploits so stay tuned for updates.