[Snort-users] Heartbleed Rule

Joel Esler (jesler) jesler at ...589...
Thu Apr 10 19:20:43 EDT 2014

Not all of them are.  We have rules for both directions.

On Apr 10, 2014, at 6:39 PM, Jefferson, Shawn <Shawn.Jefferson at ...14448...> wrote:

Any reason these rules are $EXTERNAL_NET -> $HOME_NET?  Lots of false positives otherwise, performance, or something else?

I was hoping to use them to detect potential internal network heartbleed attacks, but would have to re-write them to do that (never ideal).


From: Joel Esler (jesler) [mailto:jesler at ...589...]
Sent: April 09, 2014 3:55 AM
To: Nicholas Bogart
Cc: snort-users at lists.sourceforge.net
Subject: Re: [Snort-users] Heartbleed Rule


Might want to review the latest post on http://vrt-blog.snort.org.

Joel Esler
Sent from my iPhone

On Apr 9, 2014, at 4:46, "Nicholas Bogart" <nickybzoss at ...11827...> wrote:
Boss asked me about creating a rule for the OpenSSL Heartbleed.  I asked him why not just go update all the servers.  He just stared at me.  So I am submitting to the community for review and comment the rule I drew up on this proof-of-concept exploit for the heartbleed vulnerability.
Exploit - https://gist.github.com/takeshixx/10107280
CVE - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Heartbleed References -
alert tcp any any -> $HOME_NET 443 (msg:"Attempted Heartbleed access exploitation for OpenSSL 1.0.1f and lower"; flow:to_server; content:"|18 03 02 00 03 01 40 00|"; reference:cve,2014-0160; sid:1000001; rev:1;)
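The rule above matches one fixed byte sequence from the proof-of-concept (heartbeat record, TLS 1.1, a 3-byte record body claiming a 0x4000-byte payload). The following is an added example, not code from the thread or from the Snort project, that shows the general check the rule is a special case of: walk TLS records, and for each heartbeat record compare the claimed payload_length against the bytes actually present in the record, which is exactly the check that vulnerable OpenSSL omitted. It generalises the rule to other TLS versions and payload lengths and to both request and response heartbeats. The sample byte strings are constructed for this example; the function names are mine.

```python
import struct

# TLS record content types (RFC 5246 / RFC 6520)
TLS_HANDSHAKE = 0x16
TLS_HEARTBEAT = 0x18
HB_REQUEST = 1
HB_RESPONSE = 2
# RFC 6520 requires at least 16 bytes of random padding after the payload
MIN_PADDING = 16


def parse_tls_records(data: bytes):
    """Yield (content_type, version, body) for each complete TLS record in data.

    Stops silently at a truncated trailing record, as a stream reassembler would.
    """
    off = 0
    while off + 5 <= len(data):
        ctype, version, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:
            break
        yield ctype, version, body
        off += 5 + length


def check_heartbeat(body: bytes):
    """Return a finding string for a heartbeat record body, or None if it is well formed.

    The Heartbleed bug was trusting the 2-byte payload_length field instead of the
    record length, so the important comparison is payload_length vs. bytes present.
    """
    if len(body) < 3:
        return "truncated heartbeat header"
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return f"unknown heartbeat type {hb_type}"
    available = len(body) - 3
    if payload_len > available:
        return (f"payload_length {payload_len} exceeds {available} bytes present "
                f"(Heartbleed-style)")
    if available - payload_len < MIN_PADDING:
        return "padding shorter than the RFC 6520 minimum of 16 bytes"
    return None


def scan(data: bytes):
    """Return a list of (tls_version, finding) for every suspicious heartbeat record."""
    findings = []
    for ctype, version, body in parse_tls_records(data):
        if ctype != TLS_HEARTBEAT:
            continue
        finding = check_heartbeat(body)
        if finding:
            findings.append((version, finding))
    return findings


# Constructed samples (not captured traffic):
# the exact byte pattern the rule above looks for: TLS 1.1 heartbeat, 3-byte body,
# type 1 (request), claimed payload length 0x4000
PATTERN_TLS11 = bytes.fromhex("1803020003014000")
# same request over TLS 1.2, which the fixed-byte rule would not match
PATTERN_TLS12 = bytes.fromhex("1803030003014000")
# a well-formed heartbeat: 16-byte payload plus 16 bytes of padding, body length 0x23
BENIGN = (bytes([0x18, 0x03, 0x02, 0x00, 0x23]) + bytes([0x01, 0x00, 0x10])
          + b"A" * 16 + b"\x00" * 16)
# a tiny handshake record placed in front, to show non-heartbeat records are skipped
HANDSHAKE = bytes([0x16, 0x03, 0x01, 0x00, 0x02, 0x01, 0x00])

if __name__ == "__main__":
    for name, sample in [("rule pattern", PATTERN_TLS11), ("TLS 1.2 variant", PATTERN_TLS12),
                         ("benign", BENIGN), ("handshake+pattern", HANDSHAKE + PATTERN_TLS11)]:
        print(name, scan(sample))
```

Because the check is on the length fields rather than on one literal byte string, it flags the request in either direction of the connection; which direction an IDS should watch is a deployment decision, as the thread discusses.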
