
Re: OpenSSL TLS DTLS Heartbleed Bug Sig


From: Júlio César Melo <julio.melo () tempest com br>
Date: Thu, 10 Apr 2014 12:05:53 -0300

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ----------------------------------------------------------------------

http://vrt-blog.snort.org/2014/04/heartbleed-memory-disclosure-upgrade.html

- ----------------------------------------------------------------------

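# Heartbleed (CVE-2014-0160) client->server heuristics, SIDs 30510-30513.
# One rule per TLS version byte pair (SSLv3 03 00, TLSv1 03 01, TLSv1.1 03 02,
# TLSv1.2 03 03). Each fires on an inbound TCP segment to port 443 whose payload
# starts with a Heartbeat record header (content type 0x18 at offset 0) and is
# longer than 40 bytes, and only once 3 such segments from the same source are
# seen within one second (detection_filter), so a single probe is not alerted.
#
# Deployment caveats:
#  - Only port 443 is inspected. Heartbleed affects any service speaking TLS/DTLS
#    (SMTP/IMAP/POP with STARTTLS, 465/993/995, VPNs, ...); copy the rule with
#    those ports or a port variable if they exist in $HOME_NET.
#  - dsize:>40 requires the whole TCP payload to exceed 40 bytes. The minimal
#    exploit request is a single short heartbeat record (e.g. 8 bytes: 5-byte
#    record header, type 01, a large declared payload length), so it does NOT
#    match here; detection of that case relies on the server->client "large
#    heartbeat response" rules (SIDs 30514-30517).
#  - Only the record header is checked; the declared heartbeat payload length is
#    not compared against the actual record length, so oversized-but-legitimate
#    heartbeat requests also match.
#  - The content match is anchored at offset 0 of the segment, so a heartbeat
#    record that is not at the start of a TCP segment is not seen.
#
# The mailing-list copy was line-wrapped in the middle of the msg:"..." string,
# which Snort cannot parse; the rules are rewritten with backslash continuation.

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( \
    msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; \
    flow:to_server,established; \
    content:"|18 03 00|"; depth:3; \
    dsize:>40; \
    detection_filter:track by_src, count 3, seconds 1; \
    metadata:policy balanced-ips drop, policy security-ips drop, service ssl; \
    reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:2; \
)

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( \
    msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt"; \
    flow:to_server,established; \
    content:"|18 03 01|"; depth:3; \
    dsize:>40; \
    detection_filter:track by_src, count 3, seconds 1; \
    metadata:policy balanced-ips drop, policy security-ips drop, service ssl; \
    reference:cve,2014-0160; classtype:attempted-recon; sid:30511; rev:2; \
)

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( \
    msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; \
    flow:to_server,established; \
    content:"|18 03 02|"; depth:3; \
    dsize:>40; \
    detection_filter:track by_src, count 3, seconds 1; \
    metadata:policy balanced-ips drop, policy security-ips drop, service ssl; \
    reference:cve,2014-0160; classtype:attempted-recon; sid:30512; rev:2; \
)

alert tcp $EXTERNAL_NET any -> $HOME_NET 443 ( \
    msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; \
    flow:to_server,established; \
    content:"|18 03 03|"; depth:3; \
    dsize:>40; \
    detection_filter:track by_src, count 3, seconds 1; \
    metadata:policy balanced-ips drop, policy security-ips drop, service ssl; \
    reference:cve,2014-0160; classtype:attempted-recon; sid:30513; rev:2; \
)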

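# Heartbleed (CVE-2014-0160) server->client heuristics, SIDs 30514-30517.
# One rule per TLS version byte pair (SSLv3 03 00, TLSv1 03 01, TLSv1.1 03 02,
# TLSv1.2 03 03). Each fires on an outbound segment from port 443 whose payload
# starts with a Heartbeat record header (0x18 at offset 0) and whose 2-byte
# big-endian TLS record length field (read relative to the end of the 3-byte
# header match) is greater than 128 - far larger than a normal heartbeat reply.
# detection_filter limits alerting to the 5th such record per destination in
# 60 seconds.
#
# Deployment caveats:
#  - Any heartbeat record over 128 bytes matches, malicious or not. Heartbeats
#    are rarely used over TCP, so this is usually quiet, but raise the threshold
#    if a peer legitimately sends large heartbeats.
#  - Because of "count 5", the first four oversized records to a destination in a
#    60 s window are not alerted. A leaked 64 KiB reply is fragmented into only a
#    handful of TLS records, so a single exploitation attempt can go unreported;
#    lower the count (e.g. to 1) when evidence of every attempt matters more than
#    noise.
#  - Only port 443 is covered; replicate for any other TLS-speaking service.
#  - In inline mode the listed policies drop the server's reply, which stops the
#    leaked bytes from reaching the client but does not block the request itself.
#  - The match is anchored at offset 0 of the segment, so a heartbeat record that
#    does not begin a TCP segment is not seen.
#
# The mailing-list copy was line-wrapped in the middle of the msg:"..." string,
# which Snort cannot parse; the rules are rewritten with backslash continuation.

alert tcp $HOME_NET 443 -> $EXTERNAL_NET any ( \
    msg:"SERVER-OTHER SSLv3 large heartbeat response - possible ssl heartbleed attempt"; \
    flow:to_client,established; \
    content:"|18 03 00|"; depth:3; \
    byte_test:2,>,128,0,relative; \
    detection_filter:track by_dst, count 5, seconds 60; \
    metadata:policy balanced-ips drop, policy security-ips drop, service ssl; \
    reference:cve,2014-0160; classtype:attempted-recon; sid:30514; rev:3; \
)

alert tcp $HOME_NET 443 -> $EXTERNAL_NET any ( \
    msg:"SERVER-OTHER TLSv1 large heartbeat response - possible ssl heartbleed attempt"; \
    flow:to_client,established; \
    content:"|18 03 01|"; depth:3; \
    byte_test:2,>,128,0,relative; \
    detection_filter:track by_dst, count 5, seconds 60; \
    metadata:policy balanced-ips drop, policy security-ips drop, service ssl; \
    reference:cve,2014-0160; classtype:attempted-recon; sid:30515; rev:3; \
)

alert tcp $HOME_NET 443 -> $EXTERNAL_NET any ( \
    msg:"SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; \
    flow:to_client,established; \
    content:"|18 03 02|"; depth:3; \
    byte_test:2,>,128,0,relative; \
    detection_filter:track by_dst, count 5, seconds 60; \
    metadata:policy balanced-ips drop, policy security-ips drop, service ssl; \
    reference:cve,2014-0160; classtype:attempted-recon; sid:30516; rev:3; \
)

alert tcp $HOME_NET 443 -> $EXTERNAL_NET any ( \
    msg:"SERVER-OTHER TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; \
    flow:to_client,established; \
    content:"|18 03 03|"; depth:3; \
    byte_test:2,>,128,0,relative; \
    detection_filter:track by_dst, count 5, seconds 60; \
    metadata:policy balanced-ips drop, policy security-ips drop, service ssl; \
    reference:cve,2014-0160; classtype:attempted-recon; sid:30517; rev:3; \
)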

- ----------------------------------------------------------------------

Julio
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
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=DrmU
-----END PGP SIGNATURE-----




