
[Snort-users] Heartbleed Rule


Nicholas Bogart
Apr 9, 2014, 4:43:33 AM
Boss asked me about creating a rule for the OpenSSL Heartbleed.  I asked him why not just go update all the servers.  He just stared at me.  So I am submitting to the community for review and comment the rule I drew up on this proof-of-concept exploit for the heartbleed vulnerability.

Exploit - https://gist.github.com/takeshixx/10107280
CVE - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Heartbleed References -
http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309
https://threatpost.com/openssl-fixes-tls-vulnerability/105300

# Matches the heartbeat record the PoC sends: type 0x18 (heartbeat), TLS 1.1, record length 3, heartbeat_request (0x01), claimed payload_length 0x4000
alert tcp any any -> $HOME_NET 443 (msg:"Attempted Heartbleed access exploitation for OpenSSL 1.0.1f and lower"; flow:to_server; content:"|18 03 02 00 03 01 40 00|"; reference:cve,2014-0160; sid:1000001; rev:1;)


NickyB
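An added example, not code from the thread or from the Snort/VRT rule set: a small Python record walker that does what the posted content match does (look for that exact byte sequence) beside the more general RFC 6520 length check, i.e. a heartbeat request whose claimed payload_length exceeds the bytes actually carried in the record, and a server-to-client check for oversized heartbeat responses. The PoC byte pattern is the one in the rule above; the sample streams are constructed for this example (not real captures), and the 1024-byte response threshold is an arbitrary assumption.

```python
"""Added example (not from the thread): walk TLS records the way an IDS would
and compare the posted exact-byte content match against a length-based check
for malformed heartbeat requests (CVE-2014-0160) and oversized responses."""
import struct

TLS_HEARTBEAT = 0x18                 # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 0x01, 0x02
RECORD_HDR = struct.Struct("!BHH")   # content type, version, record length
HB_HDR = struct.Struct("!BH")        # heartbeat type, payload_length

# Bytes the posted rule matches: the heartbeat record the takeshixx PoC sends,
# a TLS 1.1 record whose 3-byte body claims a 16384-byte payload.
POC_PATTERN = bytes.fromhex("18 03 02 00 03 01 40 00")


def iter_tls_records(data):
    """Yield (content_type, version, body) for each complete TLS record."""
    off = 0
    while off + RECORD_HDR.size <= len(data):
        ctype, ver, length = RECORD_HDR.unpack_from(data, off)
        off += RECORD_HDR.size
        body = data[off:off + length]
        if len(body) < length:       # truncated record: stop rather than guess
            break
        yield ctype, ver, body
        off += length


def matches_poc_rule(data):
    """What the posted content match sees: only this exact byte sequence."""
    return POC_PATTERN in data


def heartbleed_requests(data):
    """Flag heartbeat requests whose payload_length exceeds the bytes present.
    RFC 6520 requires such records to be discarded; OpenSSL 1.0.1 through
    1.0.1f instead answered with payload_length bytes copied from its heap."""
    hits = []
    for ctype, ver, body in iter_tls_records(data):
        if ctype != TLS_HEARTBEAT or len(body) < HB_HDR.size:
            continue
        hb_type, payload_len = HB_HDR.unpack_from(body)
        available = len(body) - HB_HDR.size
        if hb_type == HB_REQUEST and payload_len > available:
            hits.append((ver, payload_len, available))
    return hits


def large_heartbeat_responses(data, threshold=1024):
    """Server-to-client side: a heartbeat response carrying more than
    `threshold` payload bytes is what a successful leak looks like on the wire.
    The threshold is an assumption made for this example."""
    hits = []
    for ctype, ver, body in iter_tls_records(data):
        if ctype != TLS_HEARTBEAT or len(body) < HB_HDR.size:
            continue
        hb_type, payload_len = HB_HDR.unpack_from(body)
        if hb_type == HB_RESPONSE and payload_len > threshold:
            hits.append((ver, payload_len))
    return hits


# Constructed sample streams (not real captures), each starting with a tiny
# handshake record so the record walker has to step over something first.
HANDSHAKE = bytes.fromhex("16 03 02 00 05 01 00 00 01 00")
POC_STREAM = HANDSHAKE + POC_PATTERN
# Same attack with a TLS 1.0 version field and a 65535-byte claim: the exact
# byte match misses it, the length check does not.
VARIANT_STREAM = HANDSHAKE + bytes.fromhex("18 03 01 00 03 01 ff ff")
# Well-formed request: 4 payload bytes plus the 16 bytes of padding RFC 6520 requires.
BENIGN_STREAM = HANDSHAKE + bytes.fromhex("18 03 02 00 17 01 00 04 de ad be ef") + bytes(16)
# A leaked response: 16384-byte payload, the size the PoC asks for.
LEAK_STREAM = HANDSHAKE + bytes.fromhex("18 03 02 40 03 02 40 00") + bytes(16384)

if __name__ == "__main__":
    for name, stream in [("poc", POC_STREAM), ("variant", VARIANT_STREAM),
                         ("benign", BENIGN_STREAM)]:
        print(name, "rule match:", matches_poc_rule(stream),
              "length check:", heartbleed_requests(stream))
    print("leak response:", large_heartbeat_responses(LEAK_STREAM))
```

The point the three request streams make: an exact content match pinned to one PoC's bytes fires on that PoC and nothing else, while checking payload_length against the record length catches any version field or claimed size. Snort's content match cannot do the arithmetic on its own, which is why the rules that were published for this bug lean on byte_test style checks and a separate rule for the response direction.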

Nicholas Bogart
Apr 9, 2014, 7:08:35 AM
Awesome thanks... I tried searching through all my emails for the list to see if this was done.  Glad to see I was on the right track.  Will let the boss know.



Nick


On Wed, Apr 9, 2014 at 1:55 PM, Joel Esler (jesler) <jes...@cisco.com> wrote:
Nick,

Might want to review the latest post on http://vrt-blog.snort.org

--
Joel Esler
Sent from my iPhone
_______________________________________________
Snort-users mailing list
Snort...@lists.sourceforge.net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users

Please visit http://blog.snort.org to stay current on all the latest Snort news!

Jefferson, Shawn
Apr 10, 2014, 6:39:14 PM

Any reason these rules are $EXTERNAL_NET -> $HOME_NET?  Lots of false positives otherwise, performance, or something else?

I was hoping to use them to detect potential internal network heartbleed attacks, but would have to re-write them to do that (never ideal).

Thanks

Shawn

Joel Esler (jesler)
Apr 10, 2014, 7:20:43 PM
Not all of them are.  We have rules for both directions.

JJC
Apr 10, 2014, 8:09:26 PM
Beyond what Joel just responded with, if you are looking for internal-internal attacks often you will want your $EXTERNAL_NET variable defined as 'any'.  This would then make the rule direction that you noted effective even for inside -> inside traffic inspection.

JJC

Jefferson, Shawn
Apr 11, 2014, 3:54:40 PM

Thanks everyone!  Makes sense….
