[Oisf-users] Signature for the TLS Heartbeat extension

Victor Julien lists at inliniac.net
Wed Apr 9 12:31:52 UTC 2014


On 04/08/2014 02:42 PM, Victor Julien wrote:
> On 04/08/2014 09:31 AM, Shirkdog wrote:
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLSv1.1 HeartBeat Request";
>> flow:established; content:"|18 03 02 00 03 01 40 00|"; reference:cve,2014-0160;
>> reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/;
>> classtype:bad-unknown; sid:14; rev:1;)
>>
>> alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"ET CURRENT_EVENTS Heartbleed TLSv1.2 HeartBeat Request";
>> flow:established; content:"|18 03 03 00 03 01 40 00|"; reference:cve,2014-0160;
>> reference:url,tools.ietf.org/html/rfc6520; reference:url,http://heartbleed.com/;
>> classtype:bad-unknown; sid:15; rev:1;)
> 
> My attempt at doing a lua script to detect this:
> 
> http://blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/
> 
> Feedback welcome!

Pierre Chifflier has written detection logic for the Suricata TLS
parser. This is in our git master and will be part of 2.0.1. If you run
this code, enable these rules:

alert tls any any -> any any ( \
    msg:"SURICATA TLS overflow heartbeat encountered, possible exploit attempt (heartbleed)"; \
    flow:established; app-layer-event:tls.overflow_heartbeat_message; \
    flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; \
    reference:cve,2014-0160; sid:2230012; rev:1;)
alert tls any any -> any any ( \
    msg:"SURICATA TLS invalid heartbeat encountered, possible exploit attempt (heartbleed)"; \
    flow:established; app-layer-event:tls.invalid_heartbeat_message; \
    flowint:tls.anomaly.count,+,1; classtype:protocol-command-decode; \
    reference:cve,2014-0160; sid:2230013; rev:1;)

Ticket: https://redmine.openinfosecfoundation.org/issues/1173
Pull Request: https://github.com/inliniac/suricata/pull/924


Please, help us test and validate this!

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
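As an added illustration of the two conditions the rules above alert on (this is not Suricata's parser code or Victor Julien's Lua script; the exact thresholds are assumptions derived from RFC 6520, and all input bytes are constructed), a small Python checker that walks TLS records in a captured byte stream and classifies each heartbeat record:

```python
# Added example, not Suricata's or Victor Julien's code.
# TLS record layout (RFC 5246): content_type(1) | version(2) | length(2) | body
# Heartbeat body (RFC 6520): type(1) | payload_length(2) | payload | padding(>=16)
import struct

HEARTBEAT = 0x18          # TLS content type for the heartbeat extension
MIN_PADDING = 16          # RFC 6520 minimum padding length
MAX_PAYLOAD = 2**14 - 3 - MIN_PADDING   # RFC 6520 upper bound on payload_length


def classify_heartbeat(record: bytes) -> str:
    """Classify one TLS record as 'not_heartbeat', 'invalid', 'overflow' or 'ok'.

    'overflow' is the idea behind tls.overflow_heartbeat_message: the declared
    payload_length cannot fit inside the record that carries it (the Heartbleed
    condition). 'invalid' is the idea behind tls.invalid_heartbeat_message:
    a truncated body or an unknown heartbeat type. The precise checks that
    Suricata's parser applies are an assumption here.
    """
    if len(record) < 5 or record[0] != HEARTBEAT:
        return "not_heartbeat"
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 3:                       # no room for type + payload_length
        return "invalid"
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (1, 2):               # 1 = heartbeat_request, 2 = heartbeat_response
        return "invalid"
    # Payload plus the mandatory minimum padding must fit in the record body.
    if payload_len > MAX_PAYLOAD or 3 + payload_len + MIN_PADDING > rec_len:
        return "overflow"
    return "ok"


def scan_records(data: bytes) -> list:
    """Walk consecutive TLS records in a byte stream and return the
    classification of every heartbeat record found, in order."""
    events = []
    offset = 0
    while offset + 5 <= len(data):
        rec_len = struct.unpack("!H", data[offset + 3:offset + 5])[0]
        record = data[offset:offset + 5 + rec_len]
        if record[0] == HEARTBEAT:
            events.append(classify_heartbeat(record))
        offset += 5 + rec_len
    return events
```

The eight-byte pattern matched by the content rules above, `18 03 02 00 03 01 40 00`, is a record of length 3 declaring a 16384-byte payload, which this checker reports as "overflow"; a benign zero-payload heartbeat with its 16 bytes of padding is reported as "ok".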