[Oisf-users] heartbleed

Francis Trudeau ftrudeau at emergingthreats.net
Wed Jan 11 17:57:49 UTC 2017

It's strange that you are seeing hits because this rule has
'flowbits:noalert;' in it.

This rule is designed set the flowbits for another rule:

alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible OpenSSL
HeartBleed Large HeartBeat Response (Client Init Vuln Server)";
flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2;
flowbits:isset,ET.HB.Request.CI; flowbits:isnotset,ET.HB.Response.CI;
flowbits:set,ET.HB.Response.CI; flowbits:unset,ET.HB.Request.CI;
byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120;
reference:cve,2014-0160; reference:url,
reference:url,heartbleed.com/; reference:url,
classtype:bad-unknown; sid:2018377; rev:3;)

Does your local ruleset have 'flowbits:noalert;'?  Are you seeing hits
for 2018377?

On Wed, Jan 11, 2017 at 5:34 AM, Vieri <rentorbuy at yahoo.com> wrote:

> Hi,
> I'm having a few hits on the following rule:
> tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request
> (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|";
> depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI;
> flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160;
> reference:url,blog.inliniac.net/2014/04/08/detecting-
> openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/;
> reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/;
> classtype:bad-unknown; sid:2018376; rev:4;)
> In my case, this usually happens when clients in EXTERNAL_NET try to
> access HOME_NET via TCP 3389 (RDP).
> These are supposed to be "legitimate" client connections.
> Should I assume that the clients are using an outdated openssl-based RDP
> client?
> Thanks,
> Vieri
> _______________________________________________
> Suricata IDS Users mailing list: oisf-users at openinfosecfoundation.org
> Site: http://suricata-ids.org | Support: http://suricata-ids.org/support/
> List: https://lists.openinfosecfoundation.org/mailman/listinfo/oisf-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openinfosecfoundation.org/pipermail/oisf-users/attachments/20170111/40109486/attachment-0002.html>

More information about the Oisf-users mailing list