Snort mailing list archives
Re: OpenSSL TLS DTSL Heartbleed Bug Sig
From: Y M <snort () outlook com>
Date: Thu, 10 Apr 2014 08:16:58 +0000
Leo,

The byte_test does not seem to be complete. Basically, you want to "convert" a number of bytes to "compare" against another "value". This requires two values to compare against and an operator. More info here: http://manual.snort.org/node408.html

YM

Date: Wed, 9 Apr 2014 22:07:44 -0400
From: leo240sx () gmail com
To: snort-sigs () lists sourceforge net
Subject: [Snort-sigs] OpenSSL TLS DTSL Heartbleed Bug Sig

Hello Everyone,

Here's a first take at the OpenSSL Heartbleed sig. I didn't get a chance to test, due to moving offices and losing access to lab (temporarily). But I figured someone could try it out and refine it.

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg: "OpenSSL TLS DTLS Heartbleed bug CVE-2014-160"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|18 03 03 00 40 03|"; byte_test:6; reference:"cve,2014-160"; classtype: successful-user; sid:xxx; rev: 1;)

Cheers!
Leo

------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
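The byte_test form YM's reply points to (bytes to convert, operator, value, offset), modelled in Python as an added example that is not from the thread and is not Snort's code. The heartbeat layout follows RFC 6520; the function names and sample records are constructed for illustration, and the check assumes the heartbeat record is sent in cleartext.

```python
import operator

# Subset of the comparison operators byte_test accepts.
OPS = {"<": operator.lt, ">": operator.gt, "=": operator.eq,
       "<=": operator.le, ">=": operator.ge}


def byte_test(payload, nbytes, op, value, offset, cursor=0, relative=False):
    """Model of byte_test:<bytes>,<operator>,<value>,<offset>[,relative].

    Reads nbytes at offset (counted from cursor when relative), converts
    them to a big-endian integer and compares the result with value.
    Reads that fall outside the payload never match.
    """
    start = (cursor if relative else 0) + offset
    if start < 0 or start + nbytes > len(payload):
        return False
    return OPS[op](int.from_bytes(payload[start:start + nbytes], "big"), value)


def oversized_heartbeat(record):
    """True when a heartbeat request claims more payload than its record
    can hold (type, 2-byte payload_length, payload, >= 16 bytes padding)."""
    # Equivalent of content:"|18 03|"; depth:2; (heartbeat, TLS major 3).
    if len(record) < 5 or record[:2] != b"\x18\x03":
        return False
    cursor = 2  # position just past the content match
    record_len = int.from_bytes(record[3:5], "big")
    # Heartbeat type 1 (request) sits 3 bytes past the match.
    if not byte_test(record, 1, "=", 1, 3, cursor, relative=True):
        return False
    # Largest honest payload_length: record_len - 1 (type) - 2 (length)
    # - 16 (minimum padding). Anything above it is malformed.
    limit = max(record_len - 19, 0)
    return byte_test(record, 2, ">", limit, 4, cursor, relative=True)


# Constructed sample records (not captured traffic).
BENIGN = bytes.fromhex("1803020017" "010004") + b"ping" + bytes(16)
OVERSIZED = bytes.fromhex("1803020003" "014000")  # claims 0x4000, carries 0
HANDSHAKE = bytes.fromhex("1603010002" "0100")    # not a heartbeat record

if __name__ == "__main__":
    for name in ("BENIGN", "OVERSIZED", "HANDSHAKE"):
        print(name, oversized_heartbeat(globals()[name]))
```
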
Current thread:
- OpenSSL TLS DTSL Heartbleed Bug Sig LIONEL PLAZA (Apr 09)
- Re: OpenSSL TLS DTSL Heartbleed Bug Sig Alberto Colosi (Apr 10)
- Re: OpenSSL TLS DTSL Heartbleed Bug Sig Y M (Apr 10)
- Re: OpenSSL TLS DTSL Heartbleed Bug Sig Y M (Apr 10)
- Re: OpenSSL TLS DTSL Heartbleed Bug Sig Nicholas Mavis (nmavis) (Apr 10)
- Re: OpenSSL TLS DTSL Heartbleed Bug Sig Júlio César Melo (Apr 10)
- Re: OpenSSL TLS DTSL Heartbleed Bug Sig Nicholas Bogart (Apr 10)
- Re: OpenSSL TLS DTSL Heartbleed Bug Sig Joel Esler (jesler) (Apr 10)
- Re: OpenSSL TLS DTSL Heartbleed Bug Sig Alberto Colosi (Apr 10)