tlamik
Frequent Visitor
Topic Author
Posts: 57
Joined: Fri Mar 21, 2014 11:54 am

MT firewall rules to capture "shellshock / bash bug"

Tue Sep 30, 2014 12:22 pm

On Linux with iptables there are these two lines to capture/drop attempts to use the bash weakness:

# iptables -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP
# ip6tables -A INPUT -m string --algo bm --hex-string '|28 29 20 7B|' -j DROP

How to use those lines in the MT firewall?

Regards,

Tlamik
 
ralphp1K
just joined
Posts: 1
Joined: Thu Oct 09, 2014 4:54 am

Re: MT firewall rules to capture "shellshock / bash bug"

Thu Oct 09, 2014 5:00 am

I was hoping someone would have answered your question thus far... but since no answer has come forward, I'm going to guess that this MAY be what we are both looking for. I've just made this up based on what little I know about Tiks.

NOTE: Consider when I tell you that I'm no expert and I'm probably very wrong but...

This should pick up shellshock traffic and put the IP addresses that attempt it into the address table "shellshock". If there is any way to test, you should see entries show in the list, and if so, making a simple drop rule for INPUT and FORWARD traffic wouldn't be difficult.

Playing with the timeout to something more reasonable may be prudent in the event of a false alarm or me being too stupid to convert iptables to Tik layer 7.
/ip firewall layer7-protocol
add name=shellshock regexp="^\28\29\20\7B"
/ip firewall mangle
add chain=prerouting action=add-src-to-address-list protocol=tcp address-list=shellshock \
address-list-timeout=0s layer7-protocol=shellshock in-interface=bridge-wan

Please please let me know if you find a way to test and confirm this, since I have 1 old machine from a billion years ago that cannot be upgraded and I had to create this type of rule also; I just can't figure out how to test it over the network.
 
pschmidt
just joined
Posts: 1
Joined: Wed Oct 22, 2014 5:08 pm

Re: MT firewall rules to capture "shellshock / bash bug"

Thu Oct 23, 2014 12:56 pm

Hi there,

By now the topic is a little bit outdated, but just in case anyone stumbles across this through Google (like I did),
here is what we did to block shellshock.

To explain Mikrotik rules, let's discuss this example:

^.*(get|GET|post|POST).+(\(\))

As you see, you need to set your expression in () and escape the real () as \(\).

I recommend this article, as it explains the get/post part and how an attack works:

http://blog.cloudflare.com/inside-shellshock/

This just checks for "()" instead of "() {", but it helped us in the first days, giving us time to patch our servers.

To make things worse there are (at the moment) at least 6 different ways to exploit shellshock.

And one way to circumvent your hex-code rule is using more spaces, like "() {".

Long story short, this regex checks for spaces and tabs, too:

^.*(get|GET|post|POST).+(\(\)\s*\t*\{.*;\s*\}\s*)

---

Back to MikroTik, what we do is:

added one filter rule at the very top that drops everything from src address list "xyz"
added a second rule that checks for the above layer7 regex, action: add src to address list "xyz" with timeout 2 days

Make sure you use the rules in that order, so if an attacker comes back within 2 days, they don't need to be checked again and get dropped by the 1st rule. Of course the name of the address list is completely up to you.

The 2-day part is there to keep the address list short; maybe you just have a little RouterBoard instead of a CCR, and then the layer7 filter can consume a lot of processing power depending on your load, because every single packet gets checked against all IPs in the address list in real time.

Anyway, most shellshockers these days are:
a) script kiddies or bots with trial and error; if they get blocked, they search elsewhere (and if they come back, they get blocked for another 2 days)
b) scanning sites/companies that do these "awesome" reports in the news like "73,42% of 17.934 servers in xyz country are vulnerable"

Sure, we want to block the little % of bad guys; that's why we are here.

In our case, this regex blocked 325 IPs within the first 24h after setup.

---

Credits
btw, I found the regex here:

https://twitter.com/MalwrSignatures/sta ... 1086248960
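As an added example (not code from this thread, from MikroTik, or from the linked article), the following Python models the two detection approaches discussed in this thread: the fixed "() {" byte string behind the iptables --hex-string rule in the first post, and the whitespace-tolerant layer7 regex from this post, both run over constructed sample requests so the extra-space evasion described above is visible. It also models the two-rule address-list ordering (drop listed sources first, then run the layer7 check and list the source for 2 days). The sample requests, the IP address, the epoch timestamps, and the class and function names are all constructed for the example; treating the regex as matching across the whole request (re.DOTALL) is an assumption of this demo, not a statement about how RouterOS feeds data to layer7.

```python
import re

# Bytes behind the iptables rule in the first post: |28 29 20 7B| is "() {".
HEX_STRING = b"\x28\x29\x20\x7b"

# pschmidt's layer7 regex, used unchanged in Python's re syntax. re.DOTALL lets
# "." cross the CRLF line breaks of a request (assumption made for this demo).
SHELLSHOCK_RE = re.compile(
    rb"^.*(get|GET|post|POST).+(\(\)\s*\t*\{.*;\s*\}\s*)", re.DOTALL
)

# Constructed sample requests, not captured traffic. The first three carry the
# function-definition fragment in a header; the last is a normal browser request.
SAMPLE_REQUESTS = {
    "classic": b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: () { :; }; echo probe\r\n\r\n",
    "extra_spaces": b"GET /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"User-Agent: ()     { :; }; echo probe\r\n\r\n",
    "tab": b"POST /cgi-bin/status HTTP/1.1\r\nHost: www.example.com\r\n"
           b"Referer: ()\t{ :; }; echo probe\r\n\r\n",
    "benign": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
              b"User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\n\r\n",
}


def hex_string_match(payload: bytes) -> bool:
    """Equivalent of iptables -m string --hex-string: fixed bytes anywhere in the payload."""
    return HEX_STRING in payload


def regex_match(payload: bytes) -> bool:
    """The layer7 regex from the post, tolerant of spaces and tabs after '()'."""
    return SHELLSHOCK_RE.search(payload) is not None


def missed_by_hex_string() -> list:
    """Names of samples the regex flags but the fixed byte string does not."""
    return [name for name, req in SAMPLE_REQUESTS.items()
            if regex_match(req) and not hex_string_match(req)]


class ShellshockBlocker:
    """Models the two-rule ordering from the post (constructed for this example).

    Rule 1: drop everything whose source is already on the address list.
    Rule 2: run the layer7 regex; on a hit, add the source to the list with a
            2-day timeout. In RouterOS add-src-to-address-list is a passthrough
            action, so rule 2 itself does not drop the first matching packet.
    Times are plain epoch seconds to keep the model simple.
    """
    DROP, ACCEPT, LISTED = "drop", "accept", "accept+listed"

    def __init__(self, timeout_seconds: int = 2 * 24 * 3600):
        self.timeout = timeout_seconds
        self.address_list = {}   # src ip -> expiry (epoch seconds)
        self.regex_checks = 0    # how often rule 2 actually had to run

    def handle(self, src_ip: str, payload: bytes, now: int) -> str:
        expiry = self.address_list.get(src_ip)
        if expiry is not None and expiry <= now:
            del self.address_list[src_ip]     # address-list-timeout expired
            expiry = None
        if expiry is not None:
            return self.DROP                  # rule 1: no regex work needed
        self.regex_checks += 1                # rule 2: layer7 check
        if regex_match(payload):
            self.address_list[src_ip] = now + self.timeout
            return self.LISTED
        return self.ACCEPT


if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        print(f"{name:13s} hex-string={hex_string_match(req)!s:5s} regex={regex_match(req)}")
    print("missed by hex-string:", missed_by_hex_string())
```

Running the block shows the point of the post: the fixed byte string only catches the exact "() {" form, while the regex also catches the padded and tabbed variants, and once a source is listed the blocker never runs the regex for it again until the timeout lapses.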
