[Oisf-users] Signature for the TLS Heartbeat extension

Shirkdog shirkdog at gmail.com
Tue Apr 8 03:05:43 UTC 2014


#Since this is not very common (have not seen any yet), for now just look for
#the Heartbeat request with the versions of TLS and the Heartbeat request type "01"
#Might live on as a threshold rule but still, disable by default
#
#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLS HeartBeat Request"; flow:established; content:"|18 03|"; pcre:"/[\x00\x01\x02]{1}/R"; content:"|01|"; distance:2; within:1; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,heartbleed.com/; classtype:bad-unknown; sid:13; rev:1;)



---
Michael Shirk
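
Added example, not part of the original post or of any published ruleset: a Python sketch that reads the same fields the rule keys on (record type 0x18, version 03 xx, heartbeat type 01) and goes one step beyond the rule by comparing the heartbeat payload_length against the record length from RFC 6520. It assumes a reassembled client-to-server byte stream that starts on a TLS record boundary; all function names and the sample bytes are made up for illustration.

```python
import struct

HEARTBEAT = 0x18   # TLS record content type 24 (RFC 6520)
REQUEST = 0x01     # heartbeat_request message type

def heartbeat_requests(stream: bytes):
    """Yield (offset, version, record_len, claimed_len) for each cleartext
    heartbeat request found while walking consecutive TLS records."""
    off = 0
    while off + 5 <= len(stream):
        ctype, major, minor, rec_len = struct.unpack_from("!BBBH", stream, off)
        if major != 3 or minor > 3:      # not SSLv3..TLS 1.2 framing, stop
            break
        body = stream[off + 5: off + 5 + rec_len]
        if ctype == HEARTBEAT and len(body) >= 3 and body[0] == REQUEST:
            claimed_len = struct.unpack_from("!H", body, 1)[0]
            yield off, (major, minor), rec_len, claimed_len
        off += 5 + rec_len

def classify(stream: bytes):
    """Flag requests whose payload_length cannot fit inside the record.
    RFC 6520 layout: type(1) + payload_length(2) + payload + >=16 padding."""
    return [
        {"offset": off, "version": ver, "claimed_len": claimed,
         "oversized": 1 + 2 + claimed + 16 > rec_len}
        for off, ver, rec_len, claimed in heartbeat_requests(stream)
    ]

def record(ctype: int, minor: int, body: bytes) -> bytes:
    """Build one TLS record (used only for the constructed sample below)."""
    return struct.pack("!BBBH", ctype, 3, minor, len(body)) + body

# Constructed sample stream, not captured traffic.
SAMPLE = (
    record(0x16, 1, b"\x00" * 8)                                # filler handshake-type record
    + record(HEARTBEAT, 2, b"\x01\x00\x04ping" + b"\x00" * 16)  # consistent lengths
    + record(HEARTBEAT, 3, b"\x01\x40\x00")                     # length field > record
)

if __name__ == "__main__":
    for finding in classify(SAMPLE):
        print(finding)
```

Once the record layer is encrypted the heartbeat type and length fields are no longer readable on the wire, so this check only applies to cleartext heartbeat records.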

