Snort mailing list archives
Re: OpenSSL TLS DTSL Heartbleed Bug Sig
From: Júlio César Melo <julio.melo () tempest com br>
Date: Thu, 10 Apr 2014 12:05:53 -0300
----------------------------------------------------------------------
http://vrt-blog.snort.org/2014/04/heartbleed-memory-disclosure-upgrade.html
----------------------------------------------------------------------

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 00|"; depth:3; dsize:>40; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 01|"; depth:3; dsize:>40; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30511; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 02|"; depth:3; dsize:>40; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30512; rev:2;)

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 03|"; depth:3; dsize:>40; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30513; rev:2;)

alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"SERVER-OTHER SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 00|"; depth:3; byte_test:2,>,128,0,relative; detection_filter:track by_dst, count 5, seconds 60; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30514; rev:3;)

alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"SERVER-OTHER TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 01|"; depth:3; byte_test:2,>,128,0,relative; detection_filter:track by_dst, count 5, seconds 60; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30515; rev:3;)

alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 02|"; depth:3; byte_test:2,>,128,0,relative; detection_filter:track by_dst, count 5, seconds 60; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30516; rev:3;)

alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"SERVER-OTHER TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 03|"; depth:3; byte_test:2,>,128,0,relative; detection_filter:track by_dst, count 5, seconds 60; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30517; rev:3;)

----------------------------------------------------------------------

Julio
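
The matching logic of the rules in the message above, replayed in Python over constructed packets; this is an added example, not part of the original post or of the VRT rule set. It assumes detection_filter behaves as a fixed sampling period that starts at a host's first match, and the names DetectionFilter, request_match, response_match and run are illustrative only.

```python
import struct
from collections import defaultdict

HEARTBEAT = 0x18                             # TLS record content type 24
VERSIONS = {0x0300, 0x0301, 0x0302, 0x0303}  # SSLv3 .. TLSv1.2, one per rule

class DetectionFilter:
    """Assumed model of detection_filter: fire only once a host has exceeded
    `count` matches inside a period of `seconds` starting at its first match."""
    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self.state = defaultdict(lambda: [None, 0])  # host -> [start, hits]

    def exceeded(self, host, ts):
        entry = self.state[host]
        if entry[0] is None or ts - entry[0] >= self.seconds:
            entry[0], entry[1] = ts, 0               # new sampling period
        entry[1] += 1
        return entry[1] > self.count

def is_heartbeat(payload):
    # content:"|18 03 0x|"; depth:3;  (type byte plus two version bytes)
    if len(payload) < 3:
        return False
    ctype, version = struct.unpack("!BH", payload[:3])
    return ctype == HEARTBEAT and version in VERSIONS

def request_match(payload):
    # sids 30510-30513: heartbeat header and dsize:>40
    return is_heartbeat(payload) and len(payload) > 40

def response_match(payload):
    # sids 30514-30517: byte_test:2,>,128,0,relative reads the 2-byte
    # big-endian record length that follows the matched header bytes
    if not is_heartbeat(payload) or len(payload) < 5:
        return False
    return struct.unpack("!H", payload[3:5])[0] > 128

def run(packets, match, flt, key):
    """Return the timestamps of the packets that would raise an alert."""
    return [p["ts"] for p in packets
            if match(p["data"]) and flt.exceeded(p[key], p["ts"])]

# Constructed sample (not a capture): 64-byte TLSv1.1 heartbeat records with
# zero filler, five from one source within 0.4 s and one more at 5.0 s.
REQ = bytes([0x18, 0x03, 0x02, 0x00, 0x3B]) + b"\x00" * 59
SAMPLE = [{"ts": t, "src": "198.51.100.7", "data": REQ}
          for t in (0.0, 0.1, 0.2, 0.3, 0.4, 5.0)]
```

Calling run(SAMPLE, request_match, DetectionFilter(3, 1), "src") shows that the first three matches in a period are silent and only the later ones alert, which is why a single large heartbeat request does not trigger sids 30510-30513.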