[Snort-users] Heartbleed Rule

JJC cummingsj at ...11827...
Thu Apr 10 20:09:26 EDT 2014


Beyond what Joel just responded with, if you are looking for
internal-internal attacks often you will want your $EXTERNAL_NET variable
defined as 'any'.  This would then make the rule direction that you noted
effective even for inside -> inside traffic inspection.

JJC


On Thu, Apr 10, 2014 at 4:39 PM, Jefferson, Shawn <Shawn.Jefferson at ...14448...> wrote:

> Any reason these rules are $EXTERNAL_NET -> $HOME_NET ?  Lots of false
> positives otherwise, performance, or something else?
>
>
>
> I was hoping to use them to detect potential internal network heartbleed
> attacks, but would have to re-write them to do that (never ideal).
>
>
>
> Thanks
>
> Shawn
>
>
>
> *From:* Joel Esler (jesler) [mailto:jesler at ...589...]
> *Sent:* April 09, 2014 3:55 AM
> *To:* Nicholas Bogart
> *Cc:* snort-users at lists.sourceforge.net
> *Subject:* Re: [Snort-users] Heartbleed Rule
>
>
>
> Nick,
>
>
>
> Might want to review the latest post on http://vrt-blog.snort.org.
>
> --
>
> Joel Esler
>
> Sent from my iPhone
>
>
> On Apr 9, 2014, at 4:46, "Nicholas Bogart" <nickybzoss at ...11827...> wrote:
>
> Boss asked me about creating a rule for the OpenSSL Heartbleed.  I asked
> him why not just go update all the servers.  He just stared at me.  So I am
> submitting to the community for review and comment the rule I drew up on
> this proof-of-concept exploit for the heartbleed vulnerability.
>
> Exploit - https://gist.github.com/takeshixx/10107280
>
> CVE - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
>
> Heartbleed References -
> http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309
> https://threatpost.com/openssl-fixes-tls-vulnerability/105300
>
> # Bytes: heartbeat record (18), TLS 1.1 (03 02), record length 3, heartbeat request (01), claimed payload 0x4000 bytes.
> # Local rule: sid in the 1000000+ range, rev required; the cve reference takes the bare id.
> alert tcp any any -> $HOME_NET 443 (msg:"Attempted Heartbleed access exploitation for OpenSSL 1.0.1f and lower"; \
>   flow:to_server,established; content:"|18 03 02 00 03 01 40 00|"; \
>   reference:cve,2014-0160; sid:1000001; rev:1;)
>
> NickyB
>
>
>
> _______________________________________________
> Snort-users mailing list
> Snort-users at lists.sourceforge.net
> Go to this URL to change user options or unsubscribe:
> https://lists.sourceforge.net/lists/listinfo/snort-users
> Snort-users list archive:
> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>
> Please visit http://blog.snort.org to stay current on all the latest
> Snort news!
>
>
>
>
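Added example (not code from this thread): a small decoder for the TLS record bytes the rule's content option matches, showing why "18 03 02 00 03 01 40 00" is a Heartbleed indicator. It goes beyond the rule's fixed byte string by applying RFC 6520's length check (the one vulnerable OpenSSL omitted) to any heartbeat request, whatever the TLS version or claimed length. Both sample records are constructed.

```python
import struct

TLS_HEARTBEAT = 0x18        # TLS record content type: heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 0x01    # heartbeat message type: request
TLS_VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}


def check_heartbeat(record: bytes) -> dict:
    """Decode one TLS record and flag a heartbeat request whose claimed
    payload length does not fit in the record (the length check that
    vulnerable OpenSSL omitted). Returns decoded fields plus 'suspicious'."""
    if len(record) < 5:
        raise ValueError("TLS record header needs 5 bytes")
    content_type, version, record_len = struct.unpack("!BHH", record[:5])
    result = {"content_type": content_type,
              "version": TLS_VERSIONS.get(version, "unknown 0x%04x" % version),
              "record_len": record_len, "suspicious": False, "reason": ""}
    if content_type != TLS_HEARTBEAT:
        result["reason"] = "not a heartbeat record"
        return result
    body = record[5:5 + record_len]
    if len(body) < 3:
        result["suspicious"] = True
        result["reason"] = "heartbeat body shorter than its type+length header"
        return result
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    result["hb_type"] = hb_type
    result["claimed_payload_len"] = payload_len
    # RFC 6520: the record must hold type(1) + length(2) + payload + >=16 bytes
    # of padding; the OpenSSL fix applies exactly this check before echoing.
    if hb_type == HEARTBEAT_REQUEST and 1 + 2 + payload_len + 16 > record_len:
        result["suspicious"] = True
        result["reason"] = "claims %d payload bytes in a %d-byte record" % (
            payload_len, record_len)
    return result


# Constructed sample: exactly the bytes the rule's content option matches.
POC_RECORD = bytes.fromhex("18 03 02 00 03 01 40 00")
# Constructed benign heartbeat: TLS 1.2, 4-byte payload plus 16 bytes padding.
BENIGN_RECORD = bytes.fromhex("18 03 03 00 17 01 00 04 de ad be ef") + b"\x00" * 16

if __name__ == "__main__":
    for name, rec in (("poc", POC_RECORD), ("benign", BENIGN_RECORD)):
        print(name, check_heartbeat(rec))
```

Because the rule keys on one exact byte string, a request using a different TLS version byte or claimed length slips past it; the length check above is what a content-independent detector (or a preprocessor) would need.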