diff --git a/bash-cve-2014-6271/bash-cve-2014-6271.bro b/bash-cve-2014-6271/bash-cve-2014-6271.bro
index 4c1d2f1..145bc8b 100644
--- a/bash-cve-2014-6271/bash-cve-2014-6271.bro
+++ b/bash-cve-2014-6271/bash-cve-2014-6271.bro
@@ -6,6 +6,7 @@
 # CHANGES:
 # 2014-9-24 Initial support for http header vector via mod_cgi
 # 2014-9-25 Added support for ignoring subnets to subnets
+# 2014-9-25 Slightly more permissive regex and added connect-back detection, as well as URI detection
 module Bash;
@@ -13,15 +14,18 @@ export {
 redef enum Notice::Type += {
 ## Indicates that a host may have attempted a bash cgi header attack
 HTTP_Header_Attack,
+ HTTP_URI_Attack,
+ Connect_Back,
 };
 # exclude hosts or entire networks from being tracked as potential "scanners".
 # index is conneciton subnet originators, yield is connection subnet responders
 const ignore_scanners: table[subnet] of subnet &redef;
- }
+global shellshock_hosts: set[addr] &create_expire=10min &synchronized;
+
 event http_header(c: connection, is_orig: bool, name: string, value: string) &priority=3
 {
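Review bot: The second hunk removes the `}` that closes the `export` block (`- }`) and adds `global shellshock_hosts: set[addr] &create_expire=10min &synchronized;` at top level without restoring it, so as shown here the export block is never closed and the script would fail to parse; if this is the real patch and not an artefact of the collapsed layout, either keep the `}` ahead of the new `global` line or declare the set inside the block. The new set has no doc comment, unlike the notice type above it; suggest `## Servers that received a suspected CVE-2014-6271 payload; entries expire 10 minutes after insertion and are shared across cluster nodes via &synchronized.` The two new notice types also lack the `##` description `HTTP_Header_Attack` carries, e.g. `## Indicates a bash exploit pattern was seen in a request URI` and `## Indicates a server previously flagged by the checks above initiated a new connection`.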
@@ -37,7 +41,38 @@ event http_header(c: connection, is_orig: bool, name: string, value: string) &pr
 $conn=c,
 $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via HTTP mod_cgi header against %s submitting \"%s\"=\"%s\"",c$id$orig_h, c$id$resp_h, name, value),
 $identifier=c$uid]);
+ add shellshock_hosts[c$id$resp_h];
 }
 }
 }
+
+event http_request(c: connection, method: string, original_URI: string, unescaped_URI: string, version: string)
+ {
+ if ( c$id$orig_h in ignore_scanners && c$id$resp_h in ignore_scanners[c$id$orig_h] )
+ return;
+ if ( /\x28\x29\x20\x7b\x20/ in unescaped_URI)
+ {
+ NOTICE([$note=Bash::HTTP_URI_Attack,
+ $conn=c,
+ $msg=fmt("%s may have attempted to exploit CVE-2014-6271, bash environment variable attack, via HTTP mod_cgi URL against %s", c$id$orig_h, c$id$resp_h),
+ $identifier=c$uid]);
+ add shellshock_hosts[c$id$resp_h];
+ }
+ }
+
+event Conn::log_conn(rec: Conn::Info)
+ {
+ if ( rec$id$resp_h in shellshock_hosts && rec$id$resp_h == rec$id$orig_h )
+ {
+ local c: connection;
+ local cid: conn_id;
+ c$id = cid;
+ c$uid = rec$uid;
+ c$id$orig_h = rec$id$orig_h;
+ c$id$resp_h = rec$id$resp_h;
+ c$id$resp_p = rec$id$resp_p;
+ NOTICE([$note=Bash::Connect_Back, $msg=fmt("Possible connect back from detected CVE-2014-6271 exploit(%s)", rec$id$resp_h),
+ $conn=c]);
+ }
+ }
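Review bot: The Connect_Back test `rec$id$resp_h in shellshock_hosts && rec$id$resp_h == rec$id$orig_h` in `Conn::log_conn` only matches a connection whose originator and responder are the same address, so the notice will practically never fire; a connect-back is initiated by the targeted server, which is the address `add shellshock_hosts[c$id$resp_h]` records, so the condition presumably should test `rec$id$orig_h in shellshock_hosts`. The hand-built `connection` record is also unnecessary: `Conn::Info` already carries `id` and `uid`, which NOTICE accepts directly as `$id` and `$uid`, avoiding a record whose `orig`, `resp` and `id$orig_p` are left unset. Without an `$identifier` every logged connection from a flagged server produces a separate notice, so one should be supplied for suppression; the corrected test will still fire on that server's routine outbound traffic, so an exclusion mechanism like `ignore_scanners` is probably wanted as well. Separately, the URI regex `/\x28\x29\x20\x7b\x20/` accepts only single-space separators, unlike the loosened header regex the changelog describes, so the two checks may disagree on the same payload.
```bro
event Conn::log_conn(rec: Conn::Info)
	{
	# A connect-back is initiated by the server that received the payload,
	# so test the originator against the set of targeted servers.
	if ( rec$id$orig_h !in shellshock_hosts )
		return;

	# Conn::Info already carries id and uid; pass them directly instead of
	# building a connection record with most fields left unset.
	NOTICE([$note=Bash::Connect_Back,
	        $msg=fmt("Possible connect back from detected CVE-2014-6271 exploit(%s)", rec$id$orig_h),
	        $id=rec$id,
	        $uid=rec$uid,
	        $identifier=cat(rec$id$orig_h, rec$id$resp_h)]);
	}
```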