Snort mailing list archives
Re: Heartbleed Rule
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Thu, 10 Apr 2014 23:20:43 +0000
Not all of them are. We have rules for both directions. On Apr 10, 2014, at 6:39 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com<mailto:Shawn.Jefferson () bcferries com>> wrote: Any reason these rules are $EXTERNAL_NET -> $HOME_NET ? Lot’s of false positives otherwise, performance, or something else? I was hoping to use them to detect potential internal network heartbleed attacks, but would have to re-write them to do that (never ideal). Thanks Shawn From: Joel Esler (jesler) [mailto:jesler () cisco com] Sent: April 09, 2014 3:55 AM To: Nicholas Bogart Cc: snort-users () lists sourceforge net<mailto:snort-users () lists sourceforge net> Subject: Re: [Snort-users] Heartbleed Rule Nick, Might want to review the latest post on http://vrt-blog.snort.org<http://vrt-blog.snort.org/>. -- Joel Esler Sent from my iPhone On Apr 9, 2014, at 4:46, "Nicholas Bogart" <nickybzoss () gmail com<mailto:nickybzoss () gmail com>> wrote: Boss asked me about creating a rule for the OpenSSL Heartbleed. I asked him why not just go update all the servers. He just stared at me. So I am submitting to the community for review and comment the rule I drew up on this proof-of-concept exploit for the heartbleed vulnerability. Exploit - https://gist.github.com/takeshixx/10107280 CVE - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160 Heartbleed References - http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309 https://threatpost.com/openssl-fixes-tls-vulnerability/105300 alert tcp any any -> $HOME_NET 443 (msg:"Attempted Heartbleed access exploitation for OpenSSL 1.0.1f and lower"; flow: to_server; content:"| 18 03 02 00 03 01 40 00 |"; reference:cve, CVE-2014-0160;) NickyB ------------------------------------------------------------------------------ Put Bad Developers to Shame Dominate Development with Jenkins Continuous Integration Continuously Automate Build, Test & Deployment Start a new project now. Try Jenkins in the cloud. http://p.sf.net/sfu/13600_Cloudbees _______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net<mailto:Snort-users () lists sourceforge net> Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org<http://blog.snort.org/> to stay current on all the latest Snort news!
------------------------------------------------------------------------------ Put Bad Developers to Shame Dominate Development with Jenkins Continuous Integration Continuously Automate Build, Test & Deployment Start a new project now. Try Jenkins in the cloud. http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________ Snort-users mailing list Snort-users () lists sourceforge net Go to this URL to change user options or unsubscribe: https://lists.sourceforge.net/lists/listinfo/snort-users Snort-users list archive: http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users Please visit http://blog.snort.org to stay current on all the latest Snort news!
Current thread:
- Heartbleed Rule Nicholas Bogart (Apr 09)
- Re: Heartbleed Rule Joel Esler (jesler) (Apr 09)
- Re: Heartbleed Rule Nicholas Bogart (Apr 09)
- Re: Heartbleed Rule Jefferson, Shawn (Apr 10)
- Re: Heartbleed Rule Joel Esler (jesler) (Apr 10)
- Re: Heartbleed Rule JJC (Apr 10)
- Re: Heartbleed Rule Jefferson, Shawn (Apr 11)
- Re: Heartbleed Rule Joel Esler (jesler) (Apr 09)