[Oisf-users] heartbleed

Victor Julien lists at inliniac.net
Wed Jan 11 14:50:26 UTC 2017

On 11-01-17 13:34, Vieri wrote:
> Hi,
> I'm having a few hits on the following rule:
> tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4;)
> In my case, this usually happens when clients in EXTERNAL_NET try to access HOME_NET via TCP 3389 (RDP).
> These are supposed to be "legitimate" client connections.
> Should I assume that the clients are using an outdated openssl-based RDP client?

I think the rules we ship with Suricata itself, sids 2230011 to 2230014
[1] are more reliable as they depend on the protocol parser.



Victor Julien
PGP: http://www.inliniac.net/victorjulien.asc
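As an added illustration (not code from the thread, from Emerging Threats, or from Suricata's own rules), the Python below contrasts the two approaches mentioned above: the content/byte_test pair of sid 2018376, which fires on the first three bytes of any TLS heartbeat record, and a parser-style check that reads the heartbeat body and compares the declared payload length with what the record actually carries, which is the condition behind CVE-2014-0160. The record layout follows RFC 6520 and the length check mirrors the one added in the OpenSSL fix; the sample records are constructed here, not captured traffic, and the function names are this example's own.

```python
import struct

TLS_HEARTBEAT_TYPE = 0x18   # TLS record content type for heartbeat (RFC 6520)
HB_MIN_PADDING = 16         # RFC 6520: padding_length MUST be at least 16 bytes


def matches_content_rule(record: bytes) -> bool:
    """What the content:"|18 03|"; depth:2; byte_test:1,<,4,2 pair in sid 2018376
    checks: bytes 0-1 are 18 03 and byte 2 (the TLS minor version) is below 4.
    It never looks at the heartbeat body, so a compliant heartbeat from a
    patched client matches just as well as a malformed one."""
    return (len(record) >= 3
            and record[0] == TLS_HEARTBEAT_TYPE
            and record[1] == 0x03
            and record[2] < 4)


def inspect_heartbeat(record: bytes) -> dict:
    """Parse one TLS record. If it carries a heartbeat message, compare the
    declared payload length with the record length the way a protocol parser
    would. Returns a small verdict dict."""
    if len(record) < 5:
        return {"verdict": "short-record"}
    ctype, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if ctype != TLS_HEARTBEAT_TYPE:
        return {"verdict": "not-heartbeat", "content_type": ctype}
    body = record[5:]
    if len(body) < rec_len:
        return {"verdict": "truncated-record", "declared": rec_len, "present": len(body)}
    body = body[:rec_len]
    if len(body) < 3:
        return {"verdict": "malformed-heartbeat", "reason": "no heartbeat header"}
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    # The CVE-2014-0160 fix discards the message when
    # 1 (type) + 2 (payload_length) + payload + 16 (minimum padding)
    # exceeds the TLS record length; a parser-based rule keys on the same mismatch.
    if 3 + payload_len + HB_MIN_PADDING > rec_len:
        verdict = "malformed-heartbeat"
    else:
        verdict = "heartbeat"
    return {"verdict": verdict, "hb_type": hb_type,
            "declared_payload": payload_len, "record_len": rec_len,
            "version": (major, minor)}


# Constructed sample records for the demonstration (not captured traffic).
SAMPLES = {
    # TLS 1.2 heartbeat request: 16-byte payload + 16 bytes padding -> record length 35
    "benign_request": bytes.fromhex("1803030023" "010010") + b"A" * 16 + b"\x00" * 16,
    # TLS 1.1 heartbeat request whose length field claims 64 bytes but the record carries none
    "oversized_length": bytes.fromhex("1803020003" "010040"),
    # TLS 1.0 handshake record header: same "03 01" version bytes, content type 0x16
    "handshake": bytes.fromhex("1603010005" "0100000100"),
}


def classify_all(samples: dict = SAMPLES) -> dict:
    """Run both checks over every sample: name -> (content rule hit?, parser verdict)."""
    return {name: (matches_content_rule(rec), inspect_heartbeat(rec)["verdict"])
            for name, rec in samples.items()}


if __name__ == "__main__":
    for name, (rule_hit, verdict) in classify_all().items():
        print(f"{name:18} content-rule hit={rule_hit!s:5} parser verdict={verdict}")
```

The benign request trips the content rule and the malformed one does too, which is why a hit on sid 2018376 against legitimate RDP-over-TLS clients says nothing on its own about whether those clients are vulnerable; only the parser-style length comparison separates the two. That is the distinction Victor draws between this signature and the parser-backed rules shipped with Suricata.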
