[Oisf-users] Signature for the TLS Heartbeat extension

Shirkdog shirkdog at gmail.com
Tue Apr 8 07:27:13 UTC 2014


I have another update based on the attack tool that works currently:

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLS HeartBeat Request"; flow:established; content:"|18 03 01 00 03 01 40 00|"; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13; rev:3;)

This looks for the HeartBeat Request, with a length of 3 bytes, but a
Heartbeat Message with the size set to 16384.

---
Michael Shirk
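
As an added illustration (not from the thread or from the Emerging Threats rule), the following Python parser applies the same check in general form: it flags a TLS heartbeat request whose payload_length field is larger than the record can carry, which is the condition the fixed-byte rule above matches for one specific case. The sample records are constructed, the first one being exactly the bytes the rule matches.

```python
import struct

# Constructed sample: the bytes the rule matches. A TLS 1.0 heartbeat
# record (0x18) with record length 3, type 1 (request) and a claimed
# payload_length of 0x4000 = 16384 bytes that cannot fit in the record.
MALICIOUS_HEARTBEAT = bytes.fromhex("18 03 01 00 03 01 40 00")

# Constructed benign request: 16-byte payload plus the 16 bytes of padding
# RFC 6520 requires, record length 1 + 2 + 16 + 16 = 35 (0x23).
BENIGN_HEARTBEAT = (
    bytes.fromhex("18 03 01 00 23 01 00 10")
    + b"A" * 16
    + b"\x00" * 16
)

TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2"}


def inspect_heartbeat(record: bytes):
    """Parse one TLS record. Return None if it is not a heartbeat record,
    otherwise a dict whose 'suspicious' flag is set when a heartbeat
    request declares more payload than the record length allows."""
    if len(record) < 8:
        return None
    content_type, version, rec_len = struct.unpack("!BHH", record[:5])
    if content_type != 0x18 or version not in TLS_VERSIONS:
        return None
    hb_type = record[5]
    (payload_len,) = struct.unpack("!H", record[6:8])
    # RFC 6520: message = type(1) + payload_length(2) + payload + padding,
    # with padding at least 16 bytes, so payload_len + 3 + 16 must not
    # exceed the record length; a larger value would be read past the
    # actual data (the Heartbleed over-read).
    oversized = payload_len + 3 + 16 > rec_len
    return {
        "version": TLS_VERSIONS[version],
        "request": hb_type == 1,
        "record_len": rec_len,
        "payload_len": payload_len,
        "suspicious": hb_type == 1 and oversized,
    }
```

Unlike the byte-exact rule, the length comparison also catches requests that use a different TLS version or a different oversized payload_length value.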


On Tue, Apr 8, 2014 at 3:13 AM, Mark Ashley <mark at ibiblio.org> wrote:
> Having turned on that rule and gotten 100 hits for it in two minutes, does
> anyone know what the normal background TLS heartbeat checking is?
>
> Does every https connection do it anyway?
>
>
> On Tue, Apr 8, 2014 at 4:10 PM, Shirkdog <shirkdog at gmail.com> wrote:
>>
>> #Edit
>> #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS
>> Heartbleed TLS HeartBeat Request"; flow:established; content:"|18
>> 03|"; pcre:"/[\x00\x01\x02]{1}/R"; reference:cve,2014-0160;
>> reference:url,tools.ietf.org/html/rfc6520;
>> reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13;
>> rev:2;)
>>
>> ---
>> Michael Shirk
>>
>>
>> On Mon, Apr 7, 2014 at 11:05 PM, Shirkdog <shirkdog at gmail.com> wrote:
>> > #Since this is not very common (have not seen any yet) for now, just
>> > look for the Heartbeat request with the versions of TLS and the
>> > Heartbeat request type "01"
>> > #Might live on as a threshold rule but still, disable by default
>> > #
>> > #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS
>> > Heartbleed TLS HeartBeat Request"; flow:established; content:"|18
>> > 03|"; pcre:"/[\x00\x01\x02]{1}/R"; content:"|01|"; distance:2;
>> > within:1; reference:cve,2014-0160;
>> > reference:url,tools.ietf.org/html/rfc6520;
>> > reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13;
>> > rev:1;)
>> >
>> >
>> >
>> > ---
>> > Michael Shirk
>> _______________________________________________
>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>> OISF: http://www.openinfosecfoundation.org/
>
>