[Oisf-users] heartbleed

Vieri rentorbuy at yahoo.com
Thu Jan 12 14:11:32 UTC 2017 

________________________________
From: Victor Julien <lists at inliniac.net>
>
> No. 'noalert' suppresses the alert output, but not the rule actions. So
> it still drops.
> 
> Generally you should be very careful with coverting rules to drop when
> 'noalert' is used.


Sorry for the dumb question, but I'd like to clear this out.

>From a practical point of view I take it that I should NOT change the rule action to "drop" when there's "noalert". 

So if I update my emerging threats rules with oinkmaster then I guess I should use something like this, right?

modifysid * "^alert (?!.*noalert;)(.*classtype\s*:\s*bad-unknown)" | "drop ${1}"


After an update I have:
# egrep '2018376|2018377' /etc/suricata/rules/*.rules
/etc/suricata/rules/emerging-current_events.rules:alert tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS TLS HeartBeat Request (Client Initiated) fb set"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Request.CI; flowbits:noalert; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018376; rev:4;)
/etc/suricata/rules/emerging-current_events.rules:drop tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Possible OpenSSL HeartBleed Large HeartBeat Response (Client Init Vuln Server)"; flow:established,to_client; content:"|18 03|"; depth:2; byte_test:1,<,4,2; flowbits:isset,ET.HB.Request.CI; flowbits:isnotset,ET.HB.Response.CI; flowbits:set,ET.HB.Response.CI; flowbits:unset,ET.HB.Request.CI; byte_test:2,>,150,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018377; rev:3;)

More information about the Oisf-users mailing list