[Oisf-users] Signature for the TLS Heartbeat extension

Shirkdog shirkdog at gmail.com
Tue Apr 8 06:10:10 UTC 2014


#Edit
#alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLS HeartBeat Request"; flow:established; content:"|18 03|"; pcre:"/[\x00\x01\x02]{1}/R"; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13; rev:2;)

---
Michael Shirk


On Mon, Apr 7, 2014 at 11:05 PM, Shirkdog <shirkdog at gmail.com> wrote:
> #Since this is not very common (have not seen any yet) for now, just
> look for the Heartbeat request with the versions of TLS and the
> Heartbeat request type "01"
> #Might live on as a threshold rule but still, disable by default
> #
> #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLS HeartBeat Request"; flow:established; content:"|18 03|"; pcre:"/[\x00\x01\x02]{1}/R"; content:"|01|"; distance:2; within:1; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13; rev:1;)
>
>
>
> ---
> Michael Shirk
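
Added example, not part of the original thread or of any ET/Suricata code: a Python sketch of the fields the two rule revisions key on (record type 0x18, version byte, heartbeat type 01). It goes beyond the rules by walking TLS record boundaries and comparing the claimed payload length against the record length as RFC 6520 requires. The function name `scan_heartbeats` and the sample bytes are constructed for illustration.

```python
import struct

HEARTBEAT = 0x18        # TLS record ContentType for heartbeat (RFC 6520)
MIN_PADDING = 16        # RFC 6520: at least 16 bytes of padding

def scan_heartbeats(payload: bytes):
    """Walk TLS records in a reassembled stream; one finding per heartbeat record."""
    findings, off = [], 0
    while off + 5 <= len(payload):
        ctype, major, minor, rec_len = struct.unpack_from("!BBBH", payload, off)
        body = payload[off + 5: off + 5 + rec_len]
        if major != 3 or len(body) < rec_len:
            break                       # not TLS framing, or truncated record
        if ctype == HEARTBEAT:
            f = {"offset": off, "minor": minor, "record_len": rec_len,
                 # version bytes accepted by the rules' pcre [\x00\x01\x02]
                 "minor_in_rule_set": minor in (0, 1, 2)}
            if rec_len >= 3:
                # Only meaningful while the record is still plaintext
                hb_type, claimed = struct.unpack_from("!BH", body, 0)
                f["is_request"] = hb_type == 1      # the |01| test in rev:1
                f["claimed_len"] = claimed
                # type(1) + length(2) + payload + padding must fit the record
                f["oversized"] = 1 + 2 + claimed + MIN_PADDING > rec_len
            findings.append(f)
        off += 5 + rec_len
    return findings

# Constructed sample stream (not captured traffic)
SAMPLE = (
    bytes.fromhex("1603010002") + b"\x00\x00"                            # non-heartbeat record
    + bytes.fromhex("1803020017") + b"\x01\x00\x04ping" + b"\x00" * 16  # consistent lengths
    + bytes.fromhex("1803020003") + b"\x01\x40\x00"                      # claims 0x4000 in a 3-byte record
)

if __name__ == "__main__":
    for f in scan_heartbeats(SAMPLE):
        print(f)
```

A record with version bytes 03 03 is reported with `minor_in_rule_set` false, since the pcre in both revisions accepts only 00, 01 and 02.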


