Snort mailing list archives

Re: OpenSSL TLS DTLS Heartbleed Bug Sig


From: "Nicholas Mavis (nmavis)" <nmavis () cisco com>
Date: Thu, 10 Apr 2014 14:28:08 +0000

Lionel,

As mentioned by Y M, the byte_test you have specified is incorrect. There are also a few other things wrong with the 
rule: the http_method content match should be removed, as it is not relevant. Also, I would note that |18 03 03| only 
identifies TLSv1.2 and would not apply to TLSv1.1 or TLSv1.

Nick

From: Y M <snort () outlook com<mailto:snort () outlook com>>
Date: Thursday, April 10, 2014 at 4:16 AM
To: LIONEL PLAZA <leo240sx () gmail com<mailto:leo240sx () gmail com>>
Cc: snort-sigs <snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>>
Subject: Re: [Snort-sigs] OpenSSL TLS DTLS Heartbleed Bug Sig

Leo,

The byte_test does not seem to be complete. Basically, you want to "convert" a number of bytes to "compare" against 
another "value". This requires two values to compare against and an operator. More info here: 
http://manual.snort.org/node408.html

YM

________________________________
Date: Wed, 9 Apr 2014 22:07:44 -0400
From: leo240sx () gmail com<mailto:leo240sx () gmail com>
To: snort-sigs () lists sourceforge net<mailto:snort-sigs () lists sourceforge net>
Subject: [Snort-sigs] OpenSSL TLS DTLS Heartbleed Bug Sig

Hello Everyone,

Here's a first take at the OpenSSL Heartbleed sig.  I didn't get a chance to test, due to moving offices and losing 
access to the lab (temporarily).  But I figured someone could try it out and refine it.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OpenSSL TLS DTLS Heartbleed bug CVE-2014-0160"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|18 03 03 00 40 03|"; byte_test:6; reference:cve,2014-0160; classtype:successful-user; sid:xxx; rev:1;)

Cheers!
Leo
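The check the replies are asking the rule to express, worked through as an added example. This is not code from the thread and not a Snort rule; it is a small Python parser that does, on constructed records, what a complete byte_test (bytes to convert, operator, value, offset, per the manual link above) would have to do on the wire: read the two-byte payload_length of the heartbeat message and compare it against the record length. It also covers the version point: the record header's version bytes are 03 01, 03 02 or 03 03 for TLSv1.0 through TLSv1.2, and fe ff or fe fd for DTLS, whose record header is 13 bytes rather than 5. The sample records are constructed here, not captured traffic, and the threshold (payload_length plus 19 bytes of header and minimum padding must fit in the record) is the RFC 6520 bound that the fixed OpenSSL enforces.

```python
"""Heartbeat length check over constructed TLS/DTLS records (added example).

Sample records below are constructed for illustration, not real captures.
"""
import struct

HEARTBEAT = 0x18                      # TLS ContentType for heartbeat
TLS_VERSIONS = {b"\x03\x01": "TLSv1.0", b"\x03\x02": "TLSv1.1", b"\x03\x03": "TLSv1.2"}
DTLS_VERSIONS = {b"\xfe\xff": "DTLSv1.0", b"\xfe\xfd": "DTLSv1.2"}
MIN_PADDING = 16                      # RFC 6520 section 4: padding MUST be >= 16 bytes


def parse_record(data):
    """Return (content_type, version_name, record_len, fragment) or None.

    A TLS record header is 5 bytes: type(1) version(2) length(2).
    A DTLS record header is 13 bytes: it adds epoch(2) and sequence number(6).
    """
    if len(data) < 5:
        return None
    ctype, version = data[0], data[1:3]
    if version in TLS_VERSIONS:
        hdr_len, name = 5, TLS_VERSIONS[version]
    elif version in DTLS_VERSIONS:
        if len(data) < 13:
            return None
        hdr_len, name = 13, DTLS_VERSIONS[version]
    else:
        return None
    rec_len = struct.unpack("!H", data[hdr_len - 2:hdr_len])[0]
    return ctype, name, rec_len, data[hdr_len:hdr_len + rec_len]


def heartbeat_verdict(data):
    """Return (version_name, 'ok' | 'malformed') for a heartbeat record, else None.

    'malformed' means the heartbeat message claims a payload the record cannot
    hold: type(1) + payload_length(2) + payload + 16 bytes padding > record length.
    That is the condition the Heartbleed probe relies on.
    """
    parsed = parse_record(data)
    if parsed is None:
        return None
    ctype, name, rec_len, fragment = parsed
    if ctype != HEARTBEAT:
        return None
    if len(fragment) < 3:
        return name, "malformed"
    payload_len = struct.unpack("!H", fragment[1:3])[0]
    if 1 + 2 + payload_len + MIN_PADDING > rec_len:
        return name, "malformed"
    return name, "ok"


def build_heartbeat(version, payload_len_field, payload=b"", dtls=False):
    """Construct a heartbeat_request record; payload_len_field may lie (that is the bug)."""
    msg = b"\x01" + struct.pack("!H", payload_len_field) + payload + b"\x00" * MIN_PADDING
    if dtls:  # epoch and sequence number are zero in this constructed sample
        hdr = bytes([HEARTBEAT]) + version + b"\x00\x00" + b"\x00" * 6 + struct.pack("!H", len(msg))
    else:
        hdr = bytes([HEARTBEAT]) + version + struct.pack("!H", len(msg))
    return hdr + msg


# Constructed samples: one honest heartbeat, probes on every version, one non-heartbeat record.
SAMPLES = {
    "benign_tls12": build_heartbeat(b"\x03\x03", 4, b"ping"),
    "probe_tls12": build_heartbeat(b"\x03\x03", 0x4000),
    "probe_tls11": build_heartbeat(b"\x03\x02", 0x4000),   # |18 03 03| would miss this
    "probe_tls10": build_heartbeat(b"\x03\x01", 0x4000),   # and this
    "probe_dtls10": build_heartbeat(b"\xfe\xff", 0x4000, dtls=True),
    "handshake_tls12": b"\x16\x03\x03\x00\x04" + b"\x0e\x00\x00\x00",
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        print(f"{label:16} {heartbeat_verdict(rec)}")
```

Note what the comparison needs: the offset of the length field relative to the start of the heartbeat message, the number of bytes to convert (2), an operator and a value to compare against. A byte_test with a single argument carries none of that. Note also that the fixed bytes `00 40` in the original content match pin the TLS record length to exactly 64, so even for TLSv1.2 the rule only sees one particular record size.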

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
