[Oisf-users] Signature for the TLS Heartbeat extension

Shirkdog shirkdog at gmail.com
Tue Apr 8 03:05:43 UTC 2014

#Since this is not very common (have not seen any yet) for now, just
look for the Heartbeat request with the versions of TLS and the
Heartbeat request type "01"
#Might live on as a threshold rule but still, disable by default
#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS
Heartbleed TLS HeartBeat Request"; flow:established; content:"|18
03|"; pcre:"/[\x00\x01\x02]{1}/R"; content:"|01|"; distance:2;
within:1; reference:cve,2014-0160;
reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13;

Michael Shirk

More information about the Oisf-users mailing list