nanog mailing list archives

Re: CVE-2014-0160 mitigation using iptables


From: shawn wilson <ag4ve.us () gmail com>
Date: Thu, 10 Apr 2014 13:57:50 -0400

On Thu, Apr 10, 2014 at 9:52 AM, <Valdis.Kletnieks () vt edu> wrote:
> On Wed, 09 Apr 2014 11:07:36 +0100, Fabien Bourdaire said:
>
> > # Log rules
> > iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
> > "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"
>
> That 52= isn't going to work if it's an IPv4 packet with an unexpected
> number of IP or TCP options, or an IPv6 connection....

IPv6 wasn't mentioned here (that'd be ip6tables). But yeah, there
might be some other shortcomings with the match. I think it's the
right way to go - it just needs a bit of work (maybe a bm string
match?). You're also going to deal with different versions (see
ssl-heartbleed.nse for the breakdown). Though, I wonder if there are
any other variations you might miss...
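To make the offset problem concrete, here is an added example (my own code, not anything posted in this thread) that emulates the two u32 expressions in Python over constructed packets: the fixed "52=" rule from the original post beside a header-relative form, "0>>22&0x3C@ 12>>26&0x3C@ 0=0x18030000:0x1803FFFF", which reads the IHL and TCP data-offset fields the way the iptables u32 extension documents. It assumes u32 semantics (offsets count from the start of the IPv4 header; a load past the end of the packet fails the match), and every packet, option string and function name is constructed for the demonstration.

```python
import struct

HB_RANGE = (0x18030000, 0x1803FFFF)  # payload bytes 0-1: type 0x18 (heartbeat), major version 0x03

def build_packet(ip_opts: bytes, tcp_opts: bytes, payload: bytes) -> bytes:
    """Constructed sample IPv4/TCP packet (not a capture); options must be 4-byte padded."""
    ihl, doff = 5 + len(ip_opts) // 4, 5 + len(tcp_opts) // 4
    total = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, total, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])) + ip_opts
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, doff << 4, 0x18, 65535, 0, 0) + tcp_opts
    return ip + tcp + payload

def heartbeat_record(version: int) -> bytes:
    """Constructed RFC 6520 heartbeat request record: 4-byte payload plus 16 bytes padding."""
    body = b"\x01" + struct.pack("!H", 4) + b"ping" + b"\x00" * 16
    return bytes([0x18]) + struct.pack("!HH", version, len(body)) + body

def u32_in_range(pkt: bytes, off: int) -> bool:
    """Load 32 bits big-endian at off and test the range; a load past the packet end fails the match."""
    try:
        return HB_RANGE[0] <= struct.unpack_from("!I", pkt, off)[0] <= HB_RANGE[1]
    except struct.error:
        return False

def fixed_offset_match(pkt: bytes) -> bool:
    """--u32 "52=0x18030000:0x1803FFFF": assumes a 20-byte IP header and a 32-byte TCP header."""
    return u32_in_range(pkt, 52)

def header_relative_match(pkt: bytes) -> bool:
    """--u32 "0>>22&0x3C@ 12>>26&0x3C@ 0=0x18030000:0x1803FFFF"
    0>>22&0x3C  = IHL*4 (IPv4 header length); '@' moves the offset to the TCP header
    12>>26&0x3C = DataOffset*4 (TCP header length); '@' moves it to the TCP payload"""
    try:
        tcp_off = (struct.unpack_from("!I", pkt, 0)[0] >> 22) & 0x3C
        tcp_len = (struct.unpack_from("!I", pkt, tcp_off + 12)[0] >> 26) & 0x3C
    except struct.error:
        return False
    return u32_in_range(pkt, tcp_off + tcp_len)

TS_OPT = b"\x01\x01\x08\x0a" + b"\x00" * 8   # NOP, NOP, TIMESTAMP: 12 bytes, the common case
IP_OPT = b"\x94\x04\x00\x00"                 # IPv4 Router Alert option, 4 bytes

def compare() -> dict:
    """Run both matches over the sample packets; returns {case: (fixed_offset, header_relative)}."""
    cases = {"ip20_tcp32_tls11": build_packet(b"", TS_OPT, heartbeat_record(0x0302)),
             "ip20_tcp20_tls12": build_packet(b"", b"", heartbeat_record(0x0303)),
             "ip24_tcp32_tls10": build_packet(IP_OPT, TS_OPT, heartbeat_record(0x0301)),
             "ip20_tcp32_appdata": build_packet(b"", TS_OPT, b"\x17\x03\x02\x00\x04ping")}
    return {k: (fixed_offset_match(p), header_relative_match(p)) for k, p in cases.items()}
```

The ranged value 0x18030000:0x1803FFFF already accepts any 0x03xx record version (SSL 3.0 through TLS 1.2), which covers the version breakdown mentioned above; the u32 match still reads IPv4 headers only, so the ip6tables side is a separate rule.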

