[Oisf-users] heartbleed

Vieri rentorbuy at yahoo.com
Wed Jan 11 12:34:29 UTC 2017


Hi,

I'm having a few hits on the following rule:

tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4;)

In my case, this usually happens when clients in EXTERNAL_NET try to access HOME_NET via TCP 3389 (RDP).
These are supposed to be "legitimate" client connections.

Should I assume that the clients are using an outdated OpenSSL-based RDP client?

Thanks,

Vieri
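
Added example, not part of the original post or of the Emerging Threats ruleset: a Python model of the payload and flowbits conditions in the rule quoted above (sid 2018376), run over constructed TLS record headers. The function names and sample bytes are assumptions made for illustration.

```python
# Added illustration: models the conditions of the quoted rule (sid 2018376).
# All sample payloads below are constructed, not captured traffic.

HEARTBEAT = 0x18  # TLS record content type 24 (heartbeat)

def payload_matches(payload: bytes) -> bool:
    """content:"|18 03|"; depth:2;  and  byte_test:1,<,4,2;"""
    if len(payload) < 3:
        return False
    # content + depth:2 -> both bytes must sit at the very start of the payload
    if payload[0] != HEARTBEAT or payload[1] != 0x03:
        return False
    # byte_test:1,<,4,2 -> one byte at offset 2 (version minor) must be < 4
    return payload[2] < 4

def apply_rule(payload: bytes, to_server: bool, flowbits: set) -> bool:
    """Return True on a match and update flowbits as the rule would.
    flowbits:noalert means a match only records state; the rule itself
    raises no alert."""
    if not to_server:                      # flow:established,to_server
        return False
    if "ET.HB.Response.CI" in flowbits:    # flowbits:isnotset,ET.HB.Response.CI
        return False
    if not payload_matches(payload):
        return False
    flowbits.add("ET.HB.Request.CI")       # flowbits:set,ET.HB.Request.CI
    return True

def describe(payload: bytes) -> str:
    """Decode the 5-byte TLS record header for a human reader."""
    if len(payload) < 5:
        return "too short for a TLS record header"
    ctype, major, minor = payload[0], payload[1], payload[2]
    length = int.from_bytes(payload[3:5], "big")
    return f"type=0x{ctype:02x} version={major}.{minor} length={length}"

SAMPLES = {  # constructed record headers
    "heartbeat, TLS 1.2": bytes.fromhex("1803030014"),
    "handshake, TLS 1.2": bytes.fromhex("1603030005"),
    "type 0x18, minor 4": bytes.fromhex("1803040003"),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        bits = set()
        hit = apply_rule(data, True, bits)
        print(f"{name:20} {describe(data):34} match={hit} flowbits={sorted(bits)}")
```
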

