<div dir="ltr">It's strange that you are seeing hits because this rule has 'flowbits:noalert;' in it.<br><br>This rule is designed to set the flowbits for another rule:<br><br>alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.CI; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Response.CI; flowbits:unset,ET.HB.Request.CI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,<a href="http://blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/">blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/</a>; reference:url,<a href="http://heartbleed.com/">heartbleed.com/</a>; reference:url,<a href="http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/">blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/</a>; classtype:bad-unknown; sid:2018377; rev:3;)<br><div><br></div><div>Does your local ruleset have 'flowbits:noalert;'? Are you seeing hits for 2018377?</div><div><br></div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Jan 11, 2017 at 5:34 AM, Vieri <span dir="ltr"><<a href="mailto:rentorbuy@yahoo.com" target="_blank">rentorbuy@yahoo.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
<br>
I'm having a few hits on the following rule:<br>
<br>
tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,<a href="http://blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/" rel="noreferrer" target="_blank">blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/</a>; reference:url,<a href="http://heartbleed.com/" rel="noreferrer" target="_blank">heartbleed.com/</a>; reference:url,<a href="http://blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/" rel="noreferrer" target="_blank">blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/</a>; classtype:bad-unknown; sid:2018376; rev:4;)<br>
<br>
In my case, this usually happens when clients in EXTERNAL_NET try to access HOME_NET via TCP 3389 (RDP).<br>
These are supposed to be "legitimate" client connections.<br>
<br>
Should I assume that the clients are using an outdated openssl-based RDP client?<br>
<br>
Thanks,<br>
<br>
Vieri<br>
_______________________________________________<br>
Suricata IDS Users mailing list: <a href="mailto:oisf-users@openinfosecfoundation.org">oisf-users@openinfosecfoundation.org</a><br>
Site: <a href="http://suricata-ids.org" rel="noreferrer" target="_blank">http://suricata-ids.org</a> | Support: <a href="http://suricata-ids.org/support/" rel="noreferrer" target="_blank">http://suricata-ids.org/support/</a><br>
List: <a href="https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users" rel="noreferrer" target="_blank">https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users</a><br>
</blockquote></div><br></div>
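As an added illustration, not taken from either message in this thread or from the ET ruleset, the Python below models how Suricata chains the two rules through flowbits on a single flow: 2018376 matches the client-to-server heartbeat request and sets ET.HB.Request.CI without alerting, and 2018377 alerts only when a heartbeat response whose TLS record length exceeds 150 bytes arrives while that bit is set. The `Flow` class, the `noalert` switch on the request rule, the `run_flow` driver and the constructed TLS records are assumptions of this example; the real engine additionally applies the threshold keyword and its own direction tracking, which this toy model omits.

```python
"""Toy model of the two-rule Heartbleed flowbits chain (constructed example, not Suricata code)."""
import struct
from dataclasses import dataclass, field

HB_REQUEST_BIT = "ET.HB.Request.CI"
HB_RESPONSE_BIT = "ET.HB.Response.CI"


@dataclass
class Flow:
    """Per-flow state: the flowbits currently set and the alerts raised on this flow."""
    flowbits: set = field(default_factory=set)
    alerts: list = field(default_factory=list)


def is_heartbeat_record(payload: bytes) -> bool:
    """content:"|18 03|"; depth:2; byte_test:1,<,4,2  -> TLS heartbeat record, version 3.x with x < 4."""
    return len(payload) >= 5 and payload[0] == 0x18 and payload[1] == 0x03 and payload[2] < 4


def record_length(payload: bytes) -> int:
    """byte_test:2,>,150,3 reads the big-endian 2-byte TLS record length at offset 3."""
    return struct.unpack("!H", payload[3:5])[0]


def rule_2018376(flow: Flow, payload: bytes, noalert: bool = True) -> bool:
    """Client -> server heartbeat request: sets ET.HB.Request.CI, normally under flowbits:noalert."""
    if not is_heartbeat_record(payload):
        return False
    if HB_RESPONSE_BIT in flow.flowbits:           # flowbits:isnotset,ET.HB.Response.CI
        return False
    flow.flowbits.add(HB_REQUEST_BIT)               # flowbits:set,ET.HB.Request.CI
    if not noalert:                                 # only a local copy lacking flowbits:noalert alerts
        flow.alerts.append(2018376)
    return True


def rule_2018377(flow: Flow, payload: bytes) -> bool:
    """Server -> client heartbeat response: alerts when the record is larger than 150 bytes."""
    if not is_heartbeat_record(payload):
        return False
    if HB_REQUEST_BIT not in flow.flowbits:         # flowbits:isset,ET.HB.Request.CI
        return False
    if HB_RESPONSE_BIT in flow.flowbits:            # flowbits:isnotset,ET.HB.Response.CI
        return False
    if record_length(payload) <= 150:               # byte_test:2,>,150,3
        return False
    # Post-match actions only run once every keyword has matched.
    flow.flowbits.add(HB_RESPONSE_BIT)              # flowbits:set,ET.HB.Response.CI
    flow.flowbits.discard(HB_REQUEST_BIT)           # flowbits:unset,ET.HB.Request.CI
    flow.alerts.append(2018377)                     # threshold (1 per 120 s per src) omitted here
    return True


def run_flow(packets, noalert: bool = True) -> Flow:
    """Feed (direction, payload) pairs through both rules as one inspected flow (assumed driver)."""
    flow = Flow()
    for direction, payload in packets:
        if direction == "to_server":
            rule_2018376(flow, payload, noalert)
        elif direction == "to_client":
            rule_2018377(flow, payload)
    return flow


def heartbeat_record(msg_type: int, payload_len: int, version_minor: int = 1) -> bytes:
    """Constructed TLS heartbeat record: 5-byte record header, then type, length, payload, 16 B padding."""
    body = bytes([msg_type]) + struct.pack("!H", payload_len) + b"A" * payload_len + b"\x00" * 16
    return bytes([0x18, 0x03, version_minor]) + struct.pack("!H", len(body)) + body


if __name__ == "__main__":
    request = heartbeat_record(0x01, 16)                       # 35-byte record, well under 150
    benign = run_flow([("to_server", request), ("to_client", heartbeat_record(0x02, 16))])
    large = run_flow([("to_server", request), ("to_client", heartbeat_record(0x02, 200))])
    print("normal exchange alerts:", benign.alerts, "flowbits:", benign.flowbits)
    print("large response alerts:", large.alerts, "flowbits:", large.flowbits)
    print("request rule with noalert removed:", run_flow([("to_server", request)], noalert=False).alerts)
```

Running it shows the point the reply makes: with `flowbits:noalert` in place, the request rule leaves only a flowbit behind and never produces an alert, and a 2018377 alert appears only when an oversized response follows. The `noalert=False` case is what a locally edited copy of 2018376 would do, which is the thing to check in the ruleset when 2018376 itself shows up in alerts.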