<div dir="ltr"><div>Having turned on that rule and gotten 100 hits for it in two minutes, does anyone know what the normal background TLS heartbeat checking is?<br><br></div>Does every https connection do it anyway?<br></div>
<div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Apr 8, 2014 at 4:10 PM, Shirkdog <span dir="ltr"><<a href="mailto:shirkdog@gmail.com" target="_blank">shirkdog@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
#Edit<br>
#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLS HeartBeat Request"; flow:established; content:"|18 03|"; pcre:"/[\x00\x01\x02]{1}/R"; reference:cve,2014-0160; reference:url,<a href="http://tools.ietf.org/html/rfc6520" target="_blank">tools.ietf.org/html/rfc6520</a>; reference:url,<a href="http://heartbleed.com/" target="_blank">http://heartbleed.com/</a>; classtype:bad-unknown; sid:13; rev:2;)<br>
<br>
---<br>
Michael Shirk<br>
<br>
<br>
On Mon, Apr 7, 2014 at 11:05 PM, Shirkdog <<a href="mailto:shirkdog@gmail.com">shirkdog@gmail.com</a>> wrote:<br>
> #Since this is not very common (have not seen any yet) for now, just<br>
> look for the Heartbeat request with the versions of TLS and the<br>
> Heartbeat request type "01"<br>
> #Might live on as a threshold rule but still, disable by default<br>
> #<br>
> #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLS HeartBeat Request"; flow:established; content:"|18 03|"; pcre:"/[\x00\x01\x02]{1}/R"; content:"|01|"; distance:2; within:1; reference:cve,2014-0160; reference:url,<a href="http://tools.ietf.org/html/rfc6520" target="_blank">tools.ietf.org/html/rfc6520</a>; reference:url,<a href="http://heartbleed.com/" target="_blank">http://heartbleed.com/</a>; classtype:bad-unknown; sid:13; rev:1;)<br>
><br>
><br>
><br>
> ---<br>
> Michael Shirk<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
OISF: <a href="http://www.openinfosecfoundation.org/" target="_blank">http://www.openinfosecfoundation.org/</a><br>
</blockquote></div><br></div>
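The rule quoted in this thread fires on every TLS heartbeat request (record type 0x18, TLS version 0x03xx, heartbeat type 0x01), which is why a busy sensor sees many hits; triaging them means separating well-formed heartbeats from ones whose declared payload_length cannot fit in the record, the condition behind CVE-2014-0160. The following Python is an added example, not code from the list posters, Emerging Threats or Suricata. It parses a byte stream of TLS records, reports each heartbeat, and applies the RFC 6520 length check (payload_length + 3 header bytes + at least 16 bytes of padding must fit in the record). The SAMPLE byte stream is constructed, not captured traffic, and the accepted version range (minor 0x00 through 0x03, one wider than the rule's pcre) and MIN_PADDING constant are this example's assumptions.

```python
"""Classify TLS heartbeat records (RFC 6520) for triage of IDS hits."""
import struct

TLS_HEARTBEAT = 0x18          # ContentType heartbeat: the "|18 03|" in the rule
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
MIN_PADDING = 16              # RFC 6520 section 4: padding MUST be at least 16 bytes


def parse_records(data):
    """Yield (content_type, (major, minor), body) for each complete TLS record."""
    off = 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:   # truncated record: stop rather than misparse
            break
        yield ctype, (major, minor), body
        off += 5 + length


def classify_heartbeat(body):
    """Return (hb_type, declared_len, verdict) for one heartbeat record body."""
    if len(body) < 3:
        return None, None, "malformed-short"
    hb_type, declared = struct.unpack("!BH", body[:3])
    # RFC 6520: payload_length + 3 + padding (>= 16) must fit in the record.
    # A receiver that skips this bounds check has CVE-2014-0160.
    if declared + 3 + MIN_PADDING > len(body):
        return hb_type, declared, "length-mismatch"
    return hb_type, declared, "ok"


def scan(data):
    """Walk a stream of TLS records; return one finding dict per heartbeat."""
    findings = []
    for ctype, version, body in parse_records(data):
        # Assumption: accept SSLv3 and TLS 1.0-1.2 (minor 0x00-0x03).
        if ctype != TLS_HEARTBEAT or version[0] != 3 or version[1] > 3:
            continue
        hb_type, declared, verdict = classify_heartbeat(body)
        findings.append({
            "version": version, "type": hb_type,
            "declared_len": declared, "record_len": len(body), "verdict": verdict,
        })
    return findings


# Constructed sample stream (not captured traffic):
# 1. an application-data record, which scan() ignores
# 2. a well-formed heartbeat request: 4-byte payload "ping" + 16 bytes padding
# 3. a heartbeat request declaring 16384 payload bytes in a 3-byte body
SAMPLE = (
    b"\x17\x03\x01\x00\x02hi"
    + b"\x18\x03\x01\x00\x17" + b"\x01\x00\x04ping" + b"\x00" * 16
    + b"\x18\x03\x02\x00\x03" + b"\x01\x40\x00"
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Run against the constructed stream, scan() reports the second record as "ok" and the third as "length-mismatch"; in a deployment the same check would be applied to reassembled TLS records on port 443, and only the mismatch verdict would be escalated.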