Re: OpenSSL TLS DTSL Heartbleed Bug Sig

[Nicholas Bogart <nickybzoss () gmail com>]

I had just about the same one that I posted yesterday.  Joel referenced me
to the latest on the VRT Blog http://vrt-blog.snort.org/ which has several
rules covering it in the latest updates.


On Thu, Apr 10, 2014 at 5:07 AM, LIONEL PLAZA <leo240sx () gmail com> wrote:

> Hello Everyone,
>
> Here's a first take at the OpenSSL Heartbleed sig.  I didn't get a chance
> to test, due to moving offices and losing access to lab (temporarily).  But
> I figured someone could try it out and refine it.
>
> alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "OpenSSL TLS
> DTLS Heartbleed bug CVE-2014-160"; flow:to_server,established;
> content:"GET"; nocase; http_method; content:"|18 03 03 00 40 03|";
> byte_test:6; reference:"cve,2014-160"; classtype: successful-user; sid:xxx;
> rev: 1;)
>
> Cheers!
> Leo
>
>
> ------------------------------------------------------------------------------
> Put Bad Developers to Shame
> Dominate Development with Jenkins Continuous Integration
> Continuously Automate Build, Test & Deployment
> Start a new project now. Try Jenkins in the cloud.
> http://p.sf.net/sfu/13600_Cloudbees
> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs () lists sourceforge net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
>
> Please visit http://blog.snort.org for the latest news about Snort!
------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees

_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!