Re: Suspicious hacker activity detected?

[Y M <snort () outlook com>]

Open source, available in the community ruleset.
 
YM
 
Date: Mon, 14 Apr 2014 11:19:57 -0400
From: mike.a.brown09 () gmail com
To: nmavis () cisco com
CC: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Suspicious hacker activity detected?

Are the heartbleed snort signatures open source or they only for VRT subscribers? 
---
Thank you, 

Michael A. Brown
mike.a.brown09 () gmail com

(757) 912-0836 
M.S. Forensic Studies: Computer Forensics
B.S. Information Technology: Network Specialist

"The only thing necessary for the triumph of evil is for good men to do nothing" -Edmund Burke



On Mon, Apr 14, 2014 at 11:13 AM, Nicholas Mavis (nmavis) <nmavis () cisco com> wrote:






Yes, this is a sign and it also looks like you are vulnerable.



Nick






From: Teo En Ming <teo.en.ming () gmail com>

Date: Monday, April 14, 2014 at 11:06 AM

To: Snort Users <snort-users () lists sourceforge net>

Subject: [Snort-users] Suspicious hacker activity detected?










Hi,




My HTTPS web server, POP3S and IMAPS ports were probed for the OpenSSL heartbleed vulnerability without my knowledge 
and authorization. Is it a sign of hacker activity? Please look at the Snort alerts below.



[root@localhost snort]# grep heartbeat snort.fast | grep -v 161.69.31.4

04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt 
[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
192.168.1.146:443 -> 
185.35.61.19:41201

04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
183.60.243.189:46524 -> 
192.168.1.147:993

04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt 
[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
192.168.1.147:993 -> 
183.60.243.189:46524

04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
183.60.243.189:46524 -> 
192.168.1.147:993

04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
183.60.244.46:55346 -> 
192.168.1.147:995

04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt 
[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
192.168.1.147:995 -> 
183.60.244.46:55346

04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
183.60.244.46:55346 -> 
192.168.1.147:995

04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
183.60.244.46:55346 -> 
192.168.1.147:995

04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
101.226.19.76:31223 -> 
192.168.1.146:443

04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt 
[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
192.168.1.146:443 -> 
101.226.19.76:31223

04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
101.226.19.76:31223 -> 
192.168.1.146:443

04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
101.226.19.76:31223 -> 
192.168.1.146:443

04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
180.153.198.190:25521 -> 
192.168.1.147:993

04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt 
[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
192.168.1.147:993 -> 
180.153.198.190:25521

04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
180.153.198.190:25521 -> 
192.168.1.147:993

04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
180.153.198.190:25521 -> 
192.168.1.147:993

04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
180.153.198.219:50214 -> 
192.168.1.147:995

04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt 
[**] [Classification: Attempted Information Leak] [Priority: 2] {TCP}
192.168.1.147:995 -> 
180.153.198.219:50214

04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
180.153.198.219:50214 -> 
192.168.1.147:995

04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] 
[Classification: Attempted Information Leak] [Priority: 2] {TCP}
180.153.198.219:50214 -> 
192.168.1.147:995




Yours sincerely,




Teo En Ming








------------------------------------------------------------------------------

Learn Graph Databases - Download FREE O'Reilly Book

"Graph Databases" is the definitive new guide to graph databases and their

applications. Written by three acclaimed leaders in the field,

this first edition is now available. Download your free book today!

http://p.sf.net/sfu/NeoTech
_______________________________________________

Snort-users mailing list

Snort-users () lists sourceforge net

Go to this URL to change user options or unsubscribe:

https://lists.sourceforge.net/lists/listinfo/snort-users

Snort-users list archive:

http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users



Please visit http://blog.snort.org to stay current on all the latest Snort news!



------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!                                        

------------------------------------------------------------------------------
Learn Graph Databases - Download FREE O'Reilly Book
"Graph Databases" is the definitive new guide to graph databases and their
applications. Written by three acclaimed leaders in the field,
this first edition is now available. Download your free book today!
http://p.sf.net/sfu/NeoTech

_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!