
<div dir="ltr"><div>Having turned on that rule and gotten 100 hits for it in two minutes, does anyone know what the normal background TLS heartbeat checking is?<br><br></div>Does every https connection do it anyway?<br></div>


<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 8, 2014 at 4:10 PM, Shirkdog <span dir="ltr"><<a href="mailto:shirkdog@gmail.com" target="_blank">shirkdog@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


#Edit<br>

#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS<br>

Heartbleed TLS HeartBeat Request"; flow:established; content:"|18<br>

03|"; pcre:"/[\x00\x01\x02]{1}/R"; reference:cve,2014-0160;<br>

reference:url,<a href="http://tools.ietf.org/html/rfc6520" target="_blank">tools.ietf.org/html/rfc6520</a>;<br>

reference:url,<a href="http://heartbleed.com/" target="_blank">http://heartbleed.com/</a>; classtype:bad-unknown; sid:13;<br>

rev:2;)<br>

<br>

---<br>

Michael Shirk<br>

<br>

<br>

On Mon, Apr 7, 2014 at 11:05 PM, Shirkdog <<a href="mailto:shirkdog@gmail.com">shirkdog@gmail.com</a>> wrote:<br>

> #Since this is not very common (have not seen any yet) for now, just<br>

> look for the Heartbeat request with the versions of TLS and the<br>

> Heartbeat request type "01"<br>

> #Might live on as a threshold rule but still, disable by default<br>

> #<br>

> #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS<br>

> Heartbleed TLS HeartBeat Request"; flow:established; content:"|18<br>

> 03|"; pcre:"/[\x00\x01\x02]{1}/R"; content:"|01|"; distance:2;<br>

> within:1; reference:cve,2014-0160;<br>

> reference:url,<a href="http://tools.ietf.org/html/rfc6520" target="_blank">tools.ietf.org/html/rfc6520</a>;<br>

> reference:url,<a href="http://heartbleed.com/" target="_blank">http://heartbleed.com/</a>; classtype:bad-unknown; sid:13;<br>

> rev:1;)<br>

><br>

><br>

><br>

> ---<br>

> Michael Shirk<br>

_______________________________________________<br>

Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>

Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>

List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>

OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>

</blockquote></div><br></div>