[Oisf-users] Signature for the TLS Heartbeat extension

Victor Julien lists at inliniac.net
Tue Apr 8 12:42:54 UTC 2014


On 04/08/2014 09:31 AM, Shirkdog wrote:
> alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLSv1.1 HeartBeat Request"; flow:established; content:"|18 03 02 00 03 01 40 00|"; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:14; rev:1;)
> 
> alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLSv1.2 HeartBeat Request"; flow:established; content:"|18 03 03 00 03 01 40 00|"; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:15; rev:1;)

My attempt at doing a lua script to detect this:

http://blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/

Feedback welcome!

Cheers,
Victor


> 
> 
> ---
> Michael Shirk
> 
> 
> On Tue, Apr 8, 2014 at 3:27 AM, Shirkdog <shirkdog at gmail.com> wrote:
>> I have another update based on the attack tool that works currently:
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLS HeartBeat Request"; flow:established; content:"|18 03 01 00 03 01 40 00|"; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13; rev:3;)
>>
>> This looks for the HeartBeat Request, with a length of 3 bytes, but a
>> Heartbeat Message with the size set to 16384.
>>
>> ---
>> Michael Shirk
>>
>>
>> On Tue, Apr 8, 2014 at 3:13 AM, Mark Ashley <mark at ibiblio.org> wrote:
>>> Having turned on that rule and gotten 100 hits for it in two minutes, does
>>> anyone know what the normal background TLS heartbeat checking is?
>>>
>>> Does every https connection do it anyway?
>>>
>>>
>>> On Tue, Apr 8, 2014 at 4:10 PM, Shirkdog <shirkdog at gmail.com> wrote:
>>>>
>>>> #Edit
>>>> #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLS HeartBeat Request"; flow:established; content:"|18 03|"; pcre:"/[\x00\x01\x02]{1}/R"; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13; rev:2;)
>>>>
>>>> ---
>>>> Michael Shirk
>>>>
>>>>
>>>> On Mon, Apr 7, 2014 at 11:05 PM, Shirkdog <shirkdog at gmail.com> wrote:
>>>>> #Since this is not very common (have not seen any yet) for now, just
>>>>> look for the Heartbeat request with the versions of TLS and the
>>>>> Heartbeat request type "01"
>>>>> #Might live on as a threshold rule but still, disable by default
>>>>> #
>>>>> #alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLS HeartBeat Request"; flow:established; content:"|18 03|"; pcre:"/[\x00\x01\x02]{1}/R"; content:"|01|"; distance:2; within:1; reference:cve,2014-0160; reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/; classtype:bad-unknown; sid:13; rev:1;)
>>>>>
>>>>>
>>>>>
>>>>> ---
>>>>> Michael Shirk
>>>> _______________________________________________
>>>> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
>>>> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
>>>> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
>>>> OISF: http://www.openinfosecfoundation.org/


-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
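The byte pattern the quoted sid:13 rev:3 rule matches (record type 0x18, a 3-byte record body, heartbeat type 0x01, claimed payload length 0x4000 = 16384) is a structural mismatch between the TLS record length and the heartbeat's own length field. The following Python parser is an added example, not code from this thread or from the Suricata project; it decodes the TLS record header and the RFC 6520 heartbeat message and flags a request whose claimed payload length exceeds the bytes the record actually carries. The function names and the sample byte strings are constructed for illustration.

```python
"""Decode TLS records and flag Heartbeat messages whose claimed payload
length exceeds what the record carries (the CVE-2014-0160 condition).
Added example; function names and sample bytes are constructed."""
import struct

TLS_HEARTBEAT = 0x18          # ContentType heartbeat (RFC 6520)
HB_REQUEST = 0x01
HB_RESPONSE = 0x02
MIN_PADDING = 16              # RFC 6520: padding MUST be at least 16 bytes
TLS_VERSIONS = {(3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def parse_records(data):
    """Split a byte stream into (content_type, version, body) TLS records.

    Stops at a truncated record; a streaming engine would buffer instead."""
    records = []
    off = 0
    while off + 5 <= len(data):
        ctype, major, minor, length = struct.unpack("!BBBH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        records.append((ctype, (major, minor), body))
        off += 5 + length
    return records


def check_heartbeat(record):
    """Return a verdict for a heartbeat record, or None for any other type."""
    ctype, version, body = record
    if ctype != TLS_HEARTBEAT:
        return None
    ver = TLS_VERSIONS.get(version, "unknown")
    if len(body) < 3:
        return f"malformed ({ver}): body shorter than type + length"
    hb_type, claimed = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return f"malformed ({ver}): unknown heartbeat type {hb_type:#x}"
    carried = len(body) - 3   # payload + padding bytes actually present
    if claimed > carried:
        # The peer would answer with `claimed` bytes although only `carried`
        # were sent: the over-read the rules in the thread are looking for.
        return f"heartbleed ({ver}): claimed payload {claimed} > carried {carried}"
    if carried - claimed < MIN_PADDING:
        return f"suspicious ({ver}): padding shorter than {MIN_PADDING} bytes"
    return "ok"


def scan(data):
    """Verdicts for every heartbeat record in the stream, in order."""
    verdicts = []
    for rec in parse_records(data):
        v = check_heartbeat(rec)
        if v is not None:
            verdicts.append(v)
    return verdicts


# Constructed: well-formed request, 4-byte payload + 16 bytes padding,
# so the record length is 3 + 4 + 16 = 23 (0x17).
BENIGN = (bytes([0x18, 0x03, 0x01, 0x00, 0x17])
          + bytes([HB_REQUEST, 0x00, 0x04]) + b"ping" + b"\x00" * 16)

# Constructed: the same 8 bytes the quoted sid:13 rev:3 content match covers.
MISMATCH_TLS10 = bytes([0x18, 0x03, 0x01, 0x00, 0x03, 0x01, 0x40, 0x00])
MISMATCH_TLS11 = bytes([0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00])

# Constructed: a 1-byte handshake record that the scanner must ignore.
HANDSHAKE = bytes([0x16, 0x03, 0x01, 0x00, 0x01, 0x00])

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN), ("tls1.0", MISMATCH_TLS10),
                         ("tls1.1", MISMATCH_TLS11), ("mixed", HANDSHAKE + MISMATCH_TLS10)]:
        print(name, scan(sample))
```

Because the verdict is based on the relationship between the two length fields rather than on the mere presence of a heartbeat record, a benign heartbeat exchange does not fire, which is the distinction Mark's question about background heartbeat traffic is really about.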



