[Oisf-users] Signature for the TLS Heartbeat extension

Shirkdog shirkdog at gmail.com
Tue Apr 8 07:31:32 UTC 2014


alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLSv1.1 HeartBeat Request"; flow:established; content:"|18 03 02 00 03 01 40 00|"; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:14; rev:1;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLSv1.2 HeartBeat Request"; flow:established; content:"|18 03 03 00 03 01 40 00|"; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:15; rev:1;)


---
Michael Shirk


On Tue, Apr 8, 2014 at 3:27 AM, Shirkdog <shirkdog at gmail.com> wrote:
> I have another update based on the attack tool that works currently:
>
> alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS
> Heartbleed TLS HeartBeat Request"; flow:established; content:"|18 03
> 01 00 03 01 40 00|"; reference:cve,2014-0160;
> reference:url,tools.ietf.org/html/rfc6520;
> reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13;
> rev:3;)
>
> This looks for the HeartBeat Request, with a length of 3 bytes, but a
> Heartbeat Message with the size set to 16384.
>
> ---
> Michael Shirk
>
>
> On Tue, Apr 8, 2014 at 3:13 AM, Mark Ashley <mark at ibiblio.org> wrote:
>> Having turned on that rule and gotten 100 hits for it in two minutes, does
>> anyone know what the normal background TLS heartbeat checking is?
>>
>> Does every https connection do it anyway?
>>
>>
>> On Tue, Apr 8, 2014 at 4:10 PM, Shirkdog <shirkdog at gmail.com> wrote:
>>>
>>> #Edit
>>> #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS
>>> Heartbleed TLS HeartBeat Request"; flow:established; content:"|18
>>> 03|"; pcre:"/[\x00\x01\x02]{1}/R"; reference:cve,2014-0160;
>>> reference:url,tools.ietf.org/html/rfc6520;
>>> reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13;
>>> rev:2;)
>>>
>>> ---
>>> Michael Shirk
>>>
>>>
>>> On Mon, Apr 7, 2014 at 11:05 PM, Shirkdog <shirkdog at gmail.com> wrote:
>>> > #Since this is not very common (have not seen any yet) for now, just
>>> > look for the Heartbeat request with the versions of TLS and the
>>> > Heartbeat request type "01"
>>> > #Might live on as a threshold rule but still, disable by default
>>> > #
>>> > #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS
>>> > Heartbleed TLS HeartBeat Request"; flow:established; content:"|18
>>> > 03|"; pcre:"/[\x00\x01\x02]{1}/R"; content:"|01|"; distance:2;
>>> > within:1; reference:cve,2014-0160;
>>> > reference:url,tools.ietf.org/html/rfc6520;
>>> > reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13;
>>> > rev:1;)
>>> >
>>> >
>>> >
>>> > ---
>>> > Michael Shirk
>>> _______________________________________________
>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>> OISF: http://www.openinfosecfoundation.org/
>>
>>
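The three signatures in this thread key on one fixed 8-byte prefix each: a heartbeat record (0x18) for a given TLS version, a declared record length of 3, a request type of 01 and a claimed payload_length of 0x4000 (16384). The following Python is an added example, not code from the thread, from Emerging Threats or from Suricata. It splits a constructed byte stream into TLS records, applies the RFC 6520 length rule (type + payload_length + payload + at least 16 bytes of padding must fit inside the record) to every heartbeat record, and reports which of the thread's sids (13, 14, 15) would also match the raw record. This generalizes the rules: any heartbeat whose claimed payload cannot fit the record is flagged, not only the 16384 case. The constants, sample records and function names are my own assumptions.

```python
import struct

# Field values from RFC 5246 / RFC 6520 (assumption: only what this check needs).
TLS_HEARTBEAT = 0x18                 # ContentType heartbeat
HB_REQUEST, HB_RESPONSE = 0x01, 0x02  # HeartbeatMessageType
HB_MIN_PADDING = 16                  # RFC 6520: padding_length MUST be at least 16
TLS_VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}

# The fixed content matches of the three rules posted in the thread, keyed by sid.
THREAD_SIGNATURES = {
    13: bytes.fromhex("1803010003014000"),  # TLSv1.0, record len 3, request, 16384
    14: bytes.fromhex("1803020003014000"),  # TLSv1.1
    15: bytes.fromhex("1803030003014000"),  # TLSv1.2
}


def split_records(data: bytes):
    """Split a byte stream into TLS records: (content_type, version, declared_len, body)."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, version, rlen = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + rlen]
        records.append((ctype, version, rlen, body))
        off += 5 + rlen
    return records


def heartbeat_finding(ctype, version, rlen, body):
    """RFC 6520 length rule: type(1) + payload_length(2) + payload + padding(>=16)
    must fit in the record; a heartbeat whose claimed payload_length cannot fit is
    the condition CVE-2014-0160 abuses. Returns a description string or None."""
    if ctype != TLS_HEARTBEAT:
        return None
    if len(body) < 3:
        return "heartbeat record shorter than 3 bytes"
    hb_type = body[0]
    claimed = struct.unpack("!H", body[1:3])[0]
    kind = {HB_REQUEST: "request", HB_RESPONSE: "response"}.get(hb_type, f"type {hb_type}")
    if 3 + claimed + HB_MIN_PADDING > rlen:
        return (f"{TLS_VERSIONS.get(version, hex(version))} heartbeat {kind}: "
                f"claimed payload_length {claimed} does not fit record length {rlen}")
    return None


def matching_sids(record_bytes: bytes):
    """sids from the thread whose content match hits the start of this raw record."""
    return sorted(sid for sid, pat in THREAD_SIGNATURES.items() if record_bytes.startswith(pat))


def scan(data: bytes):
    """Walk the stream; return [(record_index, finding, matching_sids), ...]."""
    results, off = [], 0
    for i, (ctype, version, rlen, body) in enumerate(split_records(data)):
        raw = data[off:off + 5 + rlen]
        off += 5 + rlen
        finding = heartbeat_finding(ctype, version, rlen, body)
        if finding:
            results.append((i, finding, matching_sids(raw)))
    return results


def build_sample():
    """Constructed sample stream (not a capture): a TLSv1.1 application-data record,
    a well-formed heartbeat request (4-byte payload + 16 bytes padding) and the 8-byte
    request pattern that the thread's sid:14 rule looks for."""
    app_data = struct.pack("!BHH", 0x17, 0x0302, 5) + b"hello"
    payload = b"ping"
    hb_body = (bytes([HB_REQUEST]) + struct.pack("!H", len(payload))
               + payload + b"\x00" * HB_MIN_PADDING)
    good_hb = struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, len(hb_body)) + hb_body
    probe = (struct.pack("!BHH", TLS_HEARTBEAT, 0x0302, 3)
             + bytes([HB_REQUEST]) + struct.pack("!H", 16384))
    return app_data + good_hb + probe


if __name__ == "__main__":
    for idx, finding, sids in scan(build_sample()):
        print(f"record {idx}: {finding}; thread sids matching: {sids}")
```

Run against the sample, the application-data record and the well-formed heartbeat produce nothing, and only the third record is reported, with sid 14 as the thread rule that would fire on it. The length rule is the part worth carrying into a rule set: a well-formed heartbeat of the kind Mark Ashley asks about always satisfies it, so a check on the relationship between the record length and the claimed payload_length separates legitimate keepalive traffic from a malformed request without depending on the single 16384 value.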


