[Snort-users] Alerts were Generated on my Snort IDS box for the Heartbleed Vulnerability

Joel Esler (jesler) jesler at ...589...
Sun Apr 13 19:08:55 EDT 2014


Patch OpenSSL. 

--
Joel Esler
Sent from my iPhone

> On Apr 13, 2014, at 15:11, "Teo En Ming" <teo.en.ming at ...11827...> wrote:
> 
> Hi,
> 
> I went to the following mcafee.com site to check my website for the heartbleed vulnerability.
> 
> http://tif.mcafee.com/heartbleedtest
> 
> Snort rules which detect the heartbleed vulnerability were fired. These snort rules come from the Snort community rules which I added a short while ago.
> 
> The Snort alerts which are generated for the heartbleed vulnerability are as follows:
> 
> 04/14-02:54:29.148070  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
> 04/14-02:54:29.148663  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 161.69.31.4:50847
> 04/14-02:54:29.354600  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
> 04/14-02:54:29.354600  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
> 
> What are the remedial steps to fix the heartbleed vulnerability on my web server?
> 
> Thank you very much.
> 
> Teo En Ming
> 
> 

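The alerts quoted above pair an inbound "heartbeat read overrun attempt" with an outbound "large heartbeat response" on the same connection. The following is an added example, not part of the original thread and not Snort project code, that parses fast-format alert lines like those and lists which servers showed both halves of the exchange. The `patch-first` and `review` labels, the reading of the paired alerts as "the server answered the probe", and the last sample line (host 192.168.1.150) are assumptions constructed for illustration.

```python
import re

# Snort "fast" alert line, in the layout shown in the quoted message.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"\[Classification: (?P<cls>[^\]]*)\]\s+\[Priority: (?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)$")

def parse_alert(line):
    """Return the alert fields as a dict, or None if the line does not match."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def triage(lines):
    """Map each server endpoint to 'patch-first' (request and oversized
    response seen on the same flow) or 'review' (only one half seen)."""
    probed, answered = set(), set()
    for a in filter(None, map(parse_alert, lines)):
        # Match on message text from the page, not on a hard-coded SID list.
        if "heartbeat read overrun attempt" in a["msg"]:
            probed.add((a["dst"], a["src"]))    # (server, client)
        elif "large heartbeat response" in a["msg"]:
            answered.add((a["src"], a["dst"]))  # server sent the response
    verdict = {}
    for server, client in probed | answered:
        if (server, client) in probed and (server, client) in answered:
            verdict[server] = "patch-first"
        else:
            verdict.setdefault(server, "review")
    return verdict

# First four lines are the alerts from the message; the fifth is constructed.
SAMPLE = """\
04/14-02:54:29.148070  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
04/14-02:54:29.148663  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 161.69.31.4:50847
04/14-02:54:29.354600  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
04/14-02:54:29.354600  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
04/14-02:55:10.000000  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50901 -> 192.168.1.150:443
""".splitlines()

if __name__ == "__main__":
    for server, status in sorted(triage(SAMPLE).items()):
        print(server, status)
```
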