<div dir="ltr"><div>Beyond what Joel just responded with, if you are looking for internal-internal attacks often you will want your $EXTERNAL_NET variable defined as 'any'.  This would then make the rule direction that you noted effective even for inside -> inside traffic inspection.<br>
<br></div>JJC<br></div><div class="gmail_extra"><br><br><div class="gmail_quote">On Thu, Apr 10, 2014 at 4:39 PM, Jefferson, Shawn <span dir="ltr"><<a href="mailto:Shawn.Jefferson@...14448..." target="_blank">Shawn.Jefferson@...14448...</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div link="blue" vlink="purple" lang="EN-CA"><div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Any reason these rules are $EXTERNAL_NET -> $HOME_NET?  Lots of false positives otherwise, performance, or something else?  <u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I was hoping to use them to detect potential internal network heartbleed attacks, but would have to re-write them to do that (never ideal).<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Thanks<u></u><u></u></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Shawn<u></u><u></u></span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"><u></u> <u></u></span></p>
<div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm"><p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" lang="EN-US">From:</span></b><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"" lang="EN-US"> Joel Esler (jesler) [mailto:<a href="mailto:jesler@...589..." target="_blank">jesler@...589...</a>] <br>
<b>Sent:</b> April 09, 2014 3:55 AM<br><b>To:</b> Nicholas Bogart<br><b>Cc:</b> <a href="mailto:snort-users@lists.sourceforge.net" target="_blank">snort-users@lists.sourceforge.net</a><br><b>Subject:</b> Re: [Snort-users] Heartbleed Rule<u></u><u></u></span></p>
</div></div><div><div class="h5"><p class="MsoNormal"><u></u> <u></u></p><div><p class="MsoNormal">Nick,<u></u><u></u></p></div><div><p class="MsoNormal"><u></u> <u></u></p></div><div><p class="MsoNormal">Might want to review the latest post on <a href="http://vrt-blog.snort.org" target="_blank">http://vrt-blog.snort.org</a>. <br>
<br>--<u></u><u></u></p><div><p class="MsoNormal">Joel Esler<u></u><u></u></p></div><div><p class="MsoNormal">Sent from my iPhone<u></u><u></u></p></div></div><div><p class="MsoNormal" style="margin-bottom:12.0pt"><br>On Apr 9, 2014, at 4:46, "Nicholas Bogart" <<a href="mailto:nickybzoss@...11827..." target="_blank">nickybzoss@...11827...</a>> wrote:<u></u><u></u></p>
</div><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><div><div><div><div><div><div><p class="MsoNormal" style="margin-bottom:12.0pt">Boss asked me about creating a rule for the OpenSSL Heartbleed.  I asked him why not just go update all the servers.  He just stared at me.  So I am submitting to the community for review and comment the rule I drew up on this proof-of-concept exploit for the heartbleed vulnerability.<u></u><u></u></p>
</div><p class="MsoNormal">Exploit - <a href="https://gist.github.com/takeshixx/10107280" target="_blank">https://gist.github.com/takeshixx/10107280</a><u></u><u></u></p></div><p class="MsoNormal">CVE - <a href="https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160" target="_blank">https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160</a><u></u><u></u></p>
</div><p class="MsoNormal" style="margin-bottom:12.0pt">Heartbleed References - <br><a href="http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309" target="_blank">http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309</a><br>
<a href="https://threatpost.com/openssl-fixes-tls-vulnerability/105300" target="_blank">https://threatpost.com/openssl-fixes-tls-vulnerability/105300</a><u></u><u></u></p></div><p class="MsoNormal" style="margin-bottom:12.0pt">
# sid below is a local-range placeholder; assign an unused one from your own range<br>
alert tcp any any -> $HOME_NET 443 (msg:"Attempted Heartbleed access exploitation for OpenSSL 1.0.1f and lower"; flow:to_server; content:"|18 03 02 00 03 01 40 00|"; reference:cve,2014-0160; sid:1000001; rev:1;)<br>
<br><u></u><u></u></p></div><p class="MsoNormal">NickyB<u></u><u></u></p></div></div></blockquote><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal">------------------------------------------------------------------------------<br>
Put Bad Developers to Shame<br>Dominate Development with Jenkins Continuous Integration<br>Continuously Automate Build, Test & Deployment <br>Start a new project now. Try Jenkins in the cloud.<br><a href="http://p.sf.net/sfu/13600_Cloudbees" target="_blank">http://p.sf.net/sfu/13600_Cloudbees</a><u></u><u></u></p>
</div></blockquote><blockquote style="margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal">_______________________________________________<br>Snort-users mailing list<br><a href="mailto:Snort-users@...4626...ceforge.net" target="_blank">Snort-users@lists.sourceforge.net</a><br>
Go to this URL to change user options or unsubscribe:<br><a href="https://lists.sourceforge.net/lists/listinfo/snort-users" target="_blank">https://lists.sourceforge.net/lists/listinfo/snort-users</a><br>Snort-users list archive:<br>
<a href="http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users" target="_blank">http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users</a><br><br>Please visit <a href="http://blog.snort.org" target="_blank">http://blog.snort.org</a> to stay current on all the latest Snort news!<u></u><u></u></p>
</div></blockquote></div></div></div></div></blockquote></div><br></div>
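JJC's point at the top of the thread, worked as a small simulation (an added example, not code from the list, the VRT or Snort itself): a simplified evaluator for Snort address variables shows that an $EXTERNAL_NET -> $HOME_NET header only sees inside -> inside traffic once EXTERNAL_NET is 'any'. The HOME_NET ranges and packets are constructed, the VRT rule's ports (any -> 443) are assumed, and the content bytes are the ones from Nick's rule.

```python
import ipaddress

# Constructed sample site config (not a real snort.conf).
HOME = "[10.0.0.0/8,192.168.0.0/16]"
VARS_DEFAULT = {"HOME_NET": HOME, "EXTERNAL_NET": "!$HOME_NET"}  # usual default
VARS_ANY = {"HOME_NET": HOME, "EXTERNAL_NET": "any"}             # JJC's suggestion

# Bytes from the content match in Nick's rule: TLS 1.1 heartbeat record with a
# 3-byte body, heartbeat type 01 (request), claimed payload length 0x4000.
HEARTBEAT_SIG = bytes.fromhex("1803020003014000")


def ip_matches(spec, ip, variables):
    """Evaluate a Snort IP spec against one address. Handles 'any', CIDR,
    $VAR, a leading '!' and flat [a,b] lists; nested lists are not handled."""
    spec = spec.strip()
    if spec == "any":
        return True
    if spec.startswith("!"):
        return not ip_matches(spec[1:], ip, variables)
    if spec.startswith("$"):
        return ip_matches(variables[spec[1:]], ip, variables)
    if spec.startswith("[") and spec.endswith("]"):
        return any(ip_matches(s, ip, variables) for s in spec[1:-1].split(","))
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


def header_matches(rule_src, rule_dst, rule_dport, pkt, variables):
    """Rule header check: source net, destination net and destination port."""
    return (ip_matches(rule_src, pkt["src"], variables)
            and ip_matches(rule_dst, pkt["dst"], variables)
            and (rule_dport == "any" or pkt["dport"] == int(rule_dport)))


def heartbleed_rule_fires(pkt, variables, rule_src="$EXTERNAL_NET"):
    """Header of the VRT-style rule (assumed: $EXTERNAL_NET any -> $HOME_NET 443)
    plus the content match from Nick's rule; flow/stream state is ignored here."""
    return (header_matches(rule_src, "$HOME_NET", "443", pkt, variables)
            and HEARTBEAT_SIG in pkt["payload"])


# Constructed packets: the same heartbeat request from inside and from outside.
INSIDE = {"src": "10.1.1.5", "dst": "10.2.2.9", "dport": 443,
          "payload": HEARTBEAT_SIG + b"\x00" * 16}
OUTSIDE = {"src": "203.0.113.7", "dst": "10.2.2.9", "dport": 443,
           "payload": HEARTBEAT_SIG + b"\x00" * 16}
```

With VARS_DEFAULT the inside packet never reaches the content match, with VARS_ANY it does, and Nick's `any any -> $HOME_NET 443` header (pass `rule_src="any"`) fires on both regardless of how EXTERNAL_NET is defined.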