[Oisf-users] heartbleed

Vieri rentorbuy at yahoo.com
Thu Jan 12 07:45:59 UTC 2017

From: Francis Trudeau <ftrudeau at emergingthreats.net>
> It's strange that you are seeing hits because this rule has 'flowbits:noalert;' in it.
> This rule is designed set the flowbits for another rule:

> sid:2018377;

> Does your local ruleset have 'flowbits:noalert;'?  


drop tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4;)

> Are you seeing hits for 2018377?


Note "drop" instead of "alert" for sid 2018376 but "noalert" should behave the same way, ie. should not generate an "alert" or "drop". Is that correct?


More information about the Oisf-users mailing list