[Oisf-users] Signature for the TLS Heartbeat extension

Mark Ashley mark at ibiblio.org
Tue Apr 8 07:13:00 UTC 2014


Having turned on that rule and gotten 100 hits for it in two minutes, does
anyone know what the normal background TLS heartbeat checking is?

Does every https connection do it anyway?


On Tue, Apr 8, 2014 at 4:10 PM, Shirkdog <shirkdog at gmail.com> wrote:

> #Edit
> #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS
> Heartbleed TLS HeartBeat Request"; flow:established; content:"|18
> 03|"; pcre:"/[\x00\x01\x02]{1}/R"; reference:cve,2014-0160;
> reference:url,tools.ietf.org/html/rfc6520;
> reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13;
> rev:2;)
>
> ---
> Michael Shirk
>
>
> On Mon, Apr 7, 2014 at 11:05 PM, Shirkdog <shirkdog at gmail.com> wrote:
> > #Since this is not very common (have not seen any yet) for now, just
> > look for the Heartbeat request with the versions of TLS and the
> > Heartbeat request type "01"
> > #Might live on as a threshold rule but still, disable by default
> > #
> > #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS
> > Heartbleed TLS HeartBeat Request"; flow:established; content:"|18
> > 03|"; pcre:"/[\x00\x01\x02]{1}/R"; content:"|01|"; distance:2;
> > within:1; reference:cve,2014-0160;
> > reference:url,tools.ietf.org/html/rfc6520;
> > reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13;
> > rev:1;)
> >
> >
> >
> > ---
> > Michael Shirk
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
> OISF: http://www.openinfosecfoundation.org/
>
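The rev:2 rule quoted above fires on any TLS 1.x record whose content type is heartbeat (0x18, major version 0x03, minor 0x00-0x02); it does not look at the heartbeat message type or at whether the declared payload_length fits in the record, so a hit count alone does not say whether a peer is being probed. The classifier below is an added example written for this page, not code from the thread, from Emerging Threats or from Suricata. It reimplements the rule's byte checks over raw TLS records, then applies the RFC 6520 length rule (1-byte type + 2-byte payload_length + payload + at least 16 bytes of padding must fit inside the record), which is exactly the bound an unpatched peer fails to enforce for CVE-2014-0160. All sample records are constructed inline, not captured traffic; the `build_heartbeat` helper exists only to make them.

```python
import struct

TLS_HEARTBEAT = 0x18            # ContentType heartbeat, RFC 6520 section 6
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
MIN_PADDING = 16                # RFC 6520 section 4: padding_length MUST be >= 16


def parse_tls_records(data):
    """Split a TCP payload into TLS records: (content_type, (major, minor), body, declared_len).
    A trailing record that is cut short is still returned with the bytes present,
    so the caller can see its header even when the payload is missing."""
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, vmaj, vmin, rlen = struct.unpack_from("!BBBH", data, off)
        body = data[off + 5:off + 5 + rlen]
        records.append((ctype, (vmaj, vmin), body, rlen))
        off += 5 + rlen
    return records


def rule_matches(record):
    """The quoted rev:2 signature, byte for byte: content "|18 03|" followed by one
    byte in [\\x00\\x01\\x02]. Nothing else is inspected."""
    ctype, (vmaj, vmin), _body, _rlen = record
    return ctype == TLS_HEARTBEAT and vmaj == 0x03 and vmin in (0x00, 0x01, 0x02)


def classify_heartbeat(record):
    """None for records the rule ignores; otherwise a dict with the heartbeat type and
    whether payload_length is consistent with the record. The bound is the one from
    RFC 6520: 1 + 2 + payload_length + 16 <= record length. A request that violates it
    is what a vulnerable peer over-reads (CVE-2014-0160)."""
    if not rule_matches(record):
        return None
    _ctype, _ver, body, rlen = record
    if len(body) < 3:
        # Not even a full HeartbeatMessage header arrived (truncated or malformed).
        return {"hb_type": None, "payload_length": None, "oversized": True,
                "reason": "record too short for a heartbeat header"}
    hb_type, payload_len = struct.unpack_from("!BH", body, 0)
    oversized = 1 + 2 + payload_len + MIN_PADDING > rlen
    return {"hb_type": hb_type, "payload_length": payload_len, "oversized": oversized,
            "reason": "payload_length exceeds record" if oversized else "well-formed"}


def scan(data):
    """Run every record through the rule and the classifier.
    Returns a list of (rule_hit, classification) in wire order."""
    return [(rule_matches(r), classify_heartbeat(r)) for r in parse_tls_records(data)]


def build_heartbeat(hb_type, payload, declared_len=None, padding=b"\x00" * MIN_PADDING, minor=0x01):
    """Constructed record for the samples below (hypothetical helper, not on the page).
    declared_len lets the sample lie about payload_length the way a Heartbleed probe does."""
    if declared_len is None:
        declared_len = len(payload)
    body = struct.pack("!BH", hb_type, declared_len) + payload + padding
    return struct.pack("!BBBH", TLS_HEARTBEAT, 0x03, minor, len(body)) + body


# Constructed sample stream: one application-data record, one benign heartbeat
# request, one oversized request, and one heartbeat record cut off after its type byte.
SAMPLE = (
    struct.pack("!BBBH", 0x17, 0x03, 0x01, 5) + b"hello"       # application data, rule ignores
    + build_heartbeat(HB_REQUEST, b"ping")                      # payload_length 4, 16 bytes padding
    + build_heartbeat(HB_REQUEST, b"", declared_len=0x4000)     # claims 16384 bytes, carries none
    + struct.pack("!BBBH", TLS_HEARTBEAT, 0x03, 0x01, 19) + b"\x01"  # truncated after hb type
)

if __name__ == "__main__":
    for hit, info in scan(SAMPLE):
        print("rule hit" if hit else "no hit   ", info)
```

Only the rule column corresponds to what the quoted signature counts; the second column is the extra length check that would have to be added (or done by a script over the matching PCAPs) before a hit means anything more than "this peer sent a heartbeat".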