[Snort-users] Heartbleed Rule

Nicholas Bogart nickybzoss at ...11827...
Wed Apr 9 04:43:33 EDT 2014


Boss asked me about creating a rule for the OpenSSL Heartbleed.  I asked
him why not just go update all the servers.  He just stared at me.  So I am
submitting to the community for review and comment the rule I drew up on
this proof-of-concept exploit for the Heartbleed vulnerability.

Exploit - https://gist.github.com/takeshixx/10107280
CVE - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Heartbleed References -
http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309
https://threatpost.com/openssl-fixes-tls-vulnerability/105300

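# sid/rev added so Snort will load the rule; 1000001 is a placeholder from the local-rule range
alert tcp any any -> $HOME_NET 443 ( \
    msg:"Attempted Heartbleed access exploitation for OpenSSL 1.0.1f and lower"; \
    flow:to_server; content:"|18 03 02 00 03 01 40 00|"; \
    reference:cve,2014-0160; sid:1000001; rev:1;)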


NickyB
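
The rule's content match is tied to one record version (03 02) and one claimed payload length (40 00). The added example below, which is not part of the original post, goes beyond that single pattern and checks the underlying condition instead: a heartbeat request whose claimed payload length cannot fit in the TLS record that carries it (RFC 6520 requires type, length, payload and at least 16 bytes of padding). It assumes a cleartext heartbeat record, as in the bytes the rule matches; the function names and sample inputs are constructed for illustration.

```python
import struct

HEARTBEAT, HB_REQUEST, MIN_PADDING = 0x18, 0x01, 16   # RFC 6520 values
RULE_CONTENT = bytes.fromhex("1803020003014000")      # content match from the rule above

def tls_records(stream):
    """Yield (content_type, version, body) for each complete TLS record."""
    off = 0
    while off + 5 <= len(stream):
        ctype, version, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5 : off + 5 + length]
        if len(body) < length:          # truncated record: stop parsing
            return
        yield ctype, version, body
        off += 5 + length

def suspicious_heartbeats(stream):
    """Return one finding per heartbeat request whose claimed payload
    length exceeds what the enclosing record can hold."""
    findings = []
    for ctype, version, body in tls_records(stream):
        if ctype != HEARTBEAT or len(body) < 3:
            continue
        hb_type, claimed = struct.unpack_from("!BH", body, 0)
        if hb_type == HB_REQUEST and 3 + claimed + MIN_PADDING > len(body):
            findings.append({"version": hex(version),
                             "claimed": claimed,
                             "record_len": len(body)})
    return findings

# Constructed sample inputs (not captured traffic).
POC_REQUEST = RULE_CONTENT                             # the bytes the rule matches
WELL_FORMED = (b"\x18" + struct.pack("!HH", 0x0303, 23) +
               b"\x01" + struct.pack("!H", 4) + b"ping" + bytes(16))
OTHER_VERSION = bytes.fromhex("1803030003011000")      # same shape, TLS 1.2 record

if __name__ == "__main__":
    for name, data in [("poc", POC_REQUEST), ("well_formed", WELL_FORMED),
                       ("other_version", OTHER_VERSION)]:
        print(name, "rule_content_match:", RULE_CONTENT in data,
              "length_check:", suspicious_heartbeats(data))
```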