[Oisf-users] heartbleed

Victor Julien lists at inliniac.net
Wed Jan 11 14:50:26 UTC 2017


On 11-01-17 13:34, Vieri wrote:
> Hi,
> 
> I'm having a few hits on the following rule:
> 
> tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4;)
> 
> In my case, this usually happens when clients in EXTERNAL_NET try to access HOME_NET via TCP 3389 (RDP).
> These are supposed to be "legitimate" client connections.
> 
> Should I assume that the clients are using an outdated openssl-based RDP client?
> 

I think the rules we ship with Suricata itself, sids 2230011 to 2230014
[1] are more reliable as they depend on the protocol parser.

Cheers,
Victor

[1]
https://github.com/inliniac/suricata/blob/master/rules/tls-events.rules#L23

-- 
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
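The distinction Victor draws, as an added example that is not from the thread or from Suricata's own code: a byte-pattern check that mirrors the ET signature above (`|18 03|` at depth 2, third byte less than 4) beside a parser-style validation of the heartbeat record, run on two constructed TLS records. Both records satisfy the pattern match; only the one whose declared payload length cannot fit inside the record fails the parser check, which is the kind of check a protocol-parser-based rule can make and a raw content match cannot. Field names and the sample bytes are assumptions for illustration.

```python
import struct

TLS_HEARTBEAT = 0x18   # TLS record content type for the heartbeat extension (RFC 6520)
HB_REQUEST = 1         # heartbeat message type: request
HB_RESPONSE = 2        # heartbeat message type: response
MIN_PADDING = 16       # RFC 6520: at least 16 bytes of padding after the payload


def et_rule_matches(payload: bytes) -> bool:
    """Mirror the signature's content/byte_test: bytes 0-1 are 18 03 and byte 2 is < 4.

    This fires on every TLS 1.x heartbeat record, well-formed or not."""
    return len(payload) >= 3 and payload[:2] == b"\x18\x03" and payload[2] < 4


def heartbeat_check(payload: bytes) -> tuple:
    """Parser-style check. Returns (is_heartbeat, is_valid, reason)."""
    if len(payload) < 5:
        return (False, True, "too short for a TLS record header")
    ctype, ver_major, ver_minor, rec_len = struct.unpack("!BBBH", payload[:5])
    if ctype != TLS_HEARTBEAT:
        return (False, True, "not a heartbeat record")
    record = payload[5:5 + rec_len]
    if len(record) < rec_len:
        return (True, False, "record length exceeds captured data")
    if len(record) < 3:
        return (True, False, "heartbeat message too short")
    hb_type, hb_len = struct.unpack("!BH", record[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return (True, False, "unknown heartbeat type")
    # type(1) + length(2) + payload + padding(>=16) must fit in the record
    if 3 + hb_len + MIN_PADDING > rec_len:
        return (True, False, "declared payload length exceeds record")
    return (True, True, "ok")


# Constructed samples (not captured traffic). Header: type 0x18, version 3.2, length 23.
# Body: heartbeat type 1, declared length, 4-byte payload, 16 bytes of padding.
LEGIT_REQUEST = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x04" + b"ping" + b"\x00" * 16
# Same record, but the declared payload length (64) cannot fit in a 23-byte record.
MALFORMED_REQUEST = b"\x18\x03\x02\x00\x17" + b"\x01\x00\x40" + b"ping" + b"\x00" * 16

if __name__ == "__main__":
    for name, rec in (("legit", LEGIT_REQUEST), ("malformed", MALFORMED_REQUEST)):
        print(name, "pattern:", et_rule_matches(rec), "parser:", heartbeat_check(rec))
```

A legitimate client that negotiated the heartbeat extension, such as the RDP clients in the original question, produces records like the first sample, so the pattern match alone says nothing about whether the request is malicious.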
