[Oisf-users] heartbleed
Victor Julien
lists at inliniac.net
Thu Jan 12 09:32:13 UTC 2017
On 12-01-17 08:45, Vieri wrote:
>
> From: Francis Trudeau <ftrudeau at emergingthreats.net>
>> It's strange that you are seeing hits because this rule has 'flowbits:noalert;' in it.
>>
>> This rule is designed to set the flowbits for another rule:
>>
>> sid:2018377;
>>
>> Does your local ruleset have 'flowbits:noalert;'?
>
> Yes.
>
> drop tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4;)
>
>> Are you seeing hits for 2018377?
>
> No.
>
> Note "drop" instead of "alert" for sid 2018376, but "noalert" should behave the same way, i.e. it should not generate an "alert" or "drop". Is that correct?
No. 'noalert' suppresses the alert output, but not the rule actions. So
it still drops.
Generally you should be very careful with converting rules to drop when
'noalert' is used.
--
---------------------------------------------
Victor Julien
http://www.inliniac.net/
PGP: http://www.inliniac.net/victorjulien.asc
---------------------------------------------
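As an added example (not code from the thread, and not the ET rule set's own files), the script below makes Victor's point concrete and gives a check to run before converting rules to drop: it writes two constructed rule files and lists every rule whose action is 'drop' while it also carries 'flowbits:noalert;'. The weak file holds the sid 2018376 rule exactly as Vieri posted it; the fixed file keeps that rule as 'alert' and puts 'drop' only on a flowbit-checking rule. That checker, sid 9000001, is a placeholder of my own with an illustrative body; it is not the real ET rule 2018377, which the thread does not show. The work directory and the function name `drop_noalert_sids` are likewise assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from the ET rule set.
# It writes two constructed rule files and checks them for rules that
# combine the 'drop' action with 'flowbits:noalert;'. Such a rule drops
# traffic without ever writing an alert, which is the behaviour described
# in Victor's reply.

WORKDIR="${TMPDIR:-/tmp}/noalert-check-$$"   # assumed scratch location
mkdir -p "$WORKDIR"
WEAK_RULES="$WORKDIR/weak.rules"
FIXED_RULES="$WORKDIR/fixed.rules"

# Weak form: the flowbit-setting rule from the thread (sid 2018376) with its
# action changed to 'drop'. 'noalert' only silences the alert, so matching
# heartbeat requests are dropped with nothing in the alert log to show it.
cat > "$WEAK_RULES" <<'EOF'
drop tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4;)
EOF

# Corrected form: the setter keeps 'alert' (noalert makes it silent anyway),
# and 'drop' goes only on the rule that checks the flowbit. The checker below
# is a placeholder with a local sid and an illustrative body; it is NOT the
# real ET rule 2018377, whose content is not shown in the thread.
cat > "$FIXED_RULES" <<'EOF'
alert tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4;)
drop tcp $HOME_NET any -> any any (msg:"LOCAL placeholder: TLS HeartBeat Response after client request"; flow:established,to_client; content:"|18 03|"; depth:2; flowbits:isset,ET.HB.Request.CI; classtype:bad-unknown; sid:9000001; rev:1;)
EOF

# Print the sid of every rule in FILE whose action is 'drop' and which also
# carries 'flowbits:noalert;'. Comment lines never start with 'drop', so the
# first grep skips them; the sed keeps only the numeric sid.
drop_noalert_sids() {
    grep -E '^[[:space:]]*drop[[:space:]]' "$1" \
        | grep -F 'flowbits:noalert' \
        | sed -nE 's/.*sid:[[:space:]]*([0-9]+);.*/\1/p'
}

echo "silent-drop sids in weak.rules:  $(drop_noalert_sids "$WEAK_RULES")"
echo "silent-drop sids in fixed.rules: $(drop_noalert_sids "$FIXED_RULES")"
```

Pointed at a local ruleset instead of the constructed files, `drop_noalert_sids` lists exactly the rules that would drop traffic with no alert to explain it, which is the set to review before any bulk alert-to-drop conversion.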