[Snort-users] Suspicious hacker activity detected?

Michael Brown mike.a.brown09 at ...11827...
Mon Apr 14 11:37:26 EDT 2014


Thanks!

---
Thank you,

Michael A. Brown
mike.a.brown09 at ...11827...
(757) 912-0836
M.S. Forensic Studies: Computer Forensics
B.S. Information Technology: Network Specialist

"The only thing necessary for the triumph of evil is for good men to do
nothing" -Edmund Burke


On Mon, Apr 14, 2014 at 11:24 AM, Teo En Ming <teo.en.ming at ...11827...> wrote:

> Hi,
>
> You can download the Snort community rules from
> http://www.snort.org/snort-rules/
>
> The OpenSSL heartbleed snort signatures are in the community rules.
>
> Regards,
>
> Teo En Ming
>
>
> On Mon, Apr 14, 2014 at 11:19 PM, Michael Brown <mike.a.brown09 at ...11827...>wrote:
>
>> Are the heartbleed snort signatures open source or they only for VRT
>> subscribers?
>>
>> ---
>> Thank you,
>>
>> Michael A. Brown
>> mike.a.brown09 at ...11827...
>> (757) 912-0836
>> M.S. Forensic Studies: Computer Forensics
>> B.S. Information Technology: Network Specialist
>>
>> "The only thing necessary for the triumph of evil is for good men to do
>> nothing" -Edmund Burke
>>
>>
>> On Mon, Apr 14, 2014 at 11:13 AM, Nicholas Mavis (nmavis) <
>> nmavis at ...589...> wrote:
>>
>>>  Yes, this is a sign and it also looks like you are vulnerable.
>>>
>>>  Nick
>>>
>>>   From: Teo En Ming <teo.en.ming at ...11827...>
>>> Date: Monday, April 14, 2014 at 11:06 AM
>>> To: Snort Users <snort-users at lists.sourceforge.net>
>>> Subject: [Snort-users] Suspicious hacker activity detected?
>>>
>>>    Hi,
>>>
>>>  My HTTPS web server, POP3S and IMAPS ports were probed for the OpenSSL
>>> heartbleed vulnerability without my knowledge and authorization. Is it a
>>> sign of hacker activity? Please look at the Snort alerts below.
>>>
>>> [root at ...274... snort]# grep heartbeat snort.fast | grep -v 161.69.31.4
>>> 04/14-04:34:45.168194  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 ->
>>> 185.35.61.19:41201
>>> 04/14-09:31:58.763823  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
>>> 04/14-09:31:58.764609  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 ->
>>> 183.60.243.189:46524
>>> 04/14-09:31:59.025988  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 183.60.243.189:46524 -> 192.168.1.147:993
>>> 04/14-09:36:47.578766  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>>> 04/14-09:36:47.579841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 ->
>>> 183.60.244.46:55346
>>> 04/14-09:36:47.775693  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>>> 04/14-09:36:47.775693  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 183.60.244.46:55346 -> 192.168.1.147:995
>>> 04/14-10:13:25.031989  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>>> 04/14-10:13:25.032841  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 ->
>>> 101.226.19.76:31223
>>> 04/14-10:13:25.262897  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>>> 04/14-10:13:25.262897  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 101.226.19.76:31223 -> 192.168.1.146:443
>>> 04/14-11:51:26.034725  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>>> 04/14-11:51:26.035167  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:993 ->
>>> 180.153.198.190:25521
>>> 04/14-11:51:26.232356  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>>> 04/14-11:51:26.232356  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 180.153.198.190:25521 -> 192.168.1.147:993
>>> 04/14-12:01:46.374268  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>>> 04/14-12:01:46.375062  [**] [1:30516:6] SERVER-OTHER TLSv1.1 large
>>> heartbeat response - possible ssl heartbleed attempt [**] [Classification:
>>> Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.147:995 ->
>>> 180.153.198.219:50214
>>> 04/14-12:01:46.597640  [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>>> 04/14-12:01:46.597640  [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1
>>> heartbeat read overrun attempt [**] [Classification: Attempted Information
>>> Leak] [Priority: 2] {TCP} 180.153.198.219:50214 -> 192.168.1.147:995
>>>
>>>  Yours sincerely,
>>>
>>>  Teo En Ming
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Learn Graph Databases - Download FREE O'Reilly Book
>>> "Graph Databases" is the definitive new guide to graph databases and
>>> their
>>> applications. Written by three acclaimed leaders in the field,
>>> this first edition is now available. Download your free book today!
>>> http://p.sf.net/sfu/NeoTech
>>> _______________________________________________
>>> Snort-users mailing list
>>> Snort-users at lists.sourceforge.net
>>> Go to this URL to change user options or unsubscribe:
>>> https://lists.sourceforge.net/lists/listinfo/snort-users
>>> Snort-users list archive:
>>> http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
>>>
>>> Please visit http://blog.snort.org to stay current on all the latest
>>> Snort news!
>>>
>>
>>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-users/attachments/20140414/6c165dbe/attachment.html>


More information about the Snort-users mailing list