Snort mailing list archives
Re: Heartbleed Rule
From: "Jefferson, Shawn" <Shawn.Jefferson () bcferries com>
Date: Fri, 11 Apr 2014 13:54:40 -0600
Thanks everyone! Makes sense....

From: JJC [mailto:cummingsj () gmail com]
Sent: April 10, 2014 5:09 PM
To: Jefferson, Shawn
Cc: Joel Esler (jesler); snort-users () lists sourceforge net
Subject: Re: [Snort-users] Heartbleed Rule

Beyond what Joel just responded with, if you are looking for internal-internal attacks often you will want your $EXTERNAL_NET variable defined as 'any'. This would then make the rule direction that you noted effective even for inside -> inside traffic inspection.

JJC

On Thu, Apr 10, 2014 at 4:39 PM, Jefferson, Shawn <Shawn.Jefferson () bcferries com> wrote:

Any reason these rules are $EXTERNAL_NET -> $HOME_NET? Lots of false positives otherwise, performance, or something else? I was hoping to use them to detect potential internal network heartbleed attacks, but would have to re-write them to do that (never ideal).

Thanks
Shawn

From: Joel Esler (jesler) [mailto:jesler () cisco com]
Sent: April 09, 2014 3:55 AM
To: Nicholas Bogart
Cc: snort-users () lists sourceforge net
Subject: Re: [Snort-users] Heartbleed Rule

Nick,

Might want to review the latest post on http://vrt-blog.snort.org.

--
Joel Esler
Sent from my iPhone

On Apr 9, 2014, at 4:46, "Nicholas Bogart" <nickybzoss () gmail com> wrote:

Boss asked me about creating a rule for the OpenSSL Heartbleed. I asked him why not just go update all the servers. He just stared at me. So I am submitting to the community for review and comment the rule I drew up on this proof-of-concept exploit for the heartbleed vulnerability.
Exploit - https://gist.github.com/takeshixx/10107280
CVE - https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160
Heartbleed References -
http://threatpost.com/seriousness-of-openssl-heartbleed-bug-sets-in/105309
https://threatpost.com/openssl-fixes-tls-vulnerability/105300

# sid below is a local-range placeholder added so the rule loads; the original post had no sid/rev
alert tcp any any -> $HOME_NET 443 (msg:"Attempted Heartbleed access exploitation for OpenSSL 1.0.1f and lower"; flow:to_server; content:"|18 03 02 00 03 01 40 00|"; reference:cve,2014-0160; sid:1000001; rev:1;)

NickyB
_______________________________________________
Snort-users mailing list
Snort-users () lists sourceforge net
Go to this URL to change user options or unsubscribe:
https://lists.sourceforge.net/lists/listinfo/snort-users
Snort-users list archive:
http://sourceforge.net/mailarchive/forum.php?forum_name=snort-users
Please visit http://blog.snort.org to stay current on all the latest Snort news!
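Added example, not from anyone in the thread: Python that emulates the posted rule's fixed 8-byte content match and sets beside it a length-consistency check on the heartbeat header, both run over constructed TLS heartbeat records. It shows why the content match fires only on the exact gist bytes (TLS 1.1 version, 0x4000 length) while a length check covers the same malformed request in other TLS versions; the helper names and sample records are this example's own.

```python
# Added example (not from the thread). Models the posted rule's fixed 8-byte
# content match and contrasts it with a length-consistency check on constructed
# TLS heartbeat records. Helper names and sample records are this example's own.
import struct

HEARTBEAT_RECORD = 0x18           # TLS ContentType heartbeat (RFC 6520)
HEARTBEAT_REQUEST = 0x01
MIN_PADDING = 16                  # RFC 6520 requires at least 16 bytes of padding
# The exact bytes the posted rule's content:"|18 03 02 00 03 01 40 00|" matches:
# type 0x18, version 3.2 (TLS 1.1), record length 3, request, payload length 0x4000.
POC_PATTERN = bytes.fromhex("18 03 02 00 03 01 40 00")


def rule_content_match(record: bytes) -> bool:
    """Emulate the posted rule: alert only if the fixed PoC byte pattern appears."""
    return POC_PATTERN in record


def heartbeat_length_mismatch(record: bytes) -> bool:
    """Alert when a heartbeat request claims more payload than the record carries.

    A well-formed fragment is type(1) + payload_length(2) + payload + padding(>=16),
    so payload_length + 3 + 16 must fit inside the TLS record length.
    """
    if len(record) < 8 or record[0] != HEARTBEAT_RECORD:
        return False
    record_len = struct.unpack("!H", record[3:5])[0]
    hb_type = record[5]
    payload_len = struct.unpack("!H", record[6:8])[0]
    return hb_type == HEARTBEAT_REQUEST and payload_len + 3 + MIN_PADDING > record_len


def make_heartbeat(version: bytes, declared_len: int,
                   payload: bytes = b"", padding: bytes = b"\x00" * MIN_PADDING) -> bytes:
    """Build one constructed TLS heartbeat-request record for testing the checks."""
    fragment = bytes([HEARTBEAT_REQUEST]) + struct.pack("!H", declared_len) + payload + padding
    return bytes([HEARTBEAT_RECORD]) + version + struct.pack("!H", len(fragment)) + fragment


# Constructed samples, not captured traffic.
SAMPLES = {
    "poc_exact":       make_heartbeat(b"\x03\x02", 0x4000, padding=b""),  # the gist's bytes
    "benign_tls12":    make_heartbeat(b"\x03\x03", 4, payload=b"ABCD"),  # consistent lengths
    "oversized_tls12": make_heartbeat(b"\x03\x03", 0x4000),              # same flaw, TLS 1.2
}


def evaluate(samples=SAMPLES) -> dict:
    """Return {name: (matches_posted_rule, fails_length_check)} for each sample."""
    return {name: (rule_content_match(rec), heartbeat_length_mismatch(rec))
            for name, rec in samples.items()}
```

The TLS 1.2 sample fails the length check but never trips the posted rule, which is the gap the VRT post Joel points to addresses with header-aware matching rather than a fixed byte string.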
Current thread:
- Heartbleed Rule Nicholas Bogart (Apr 09)
- Re: Heartbleed Rule Joel Esler (jesler) (Apr 09)
- Re: Heartbleed Rule Nicholas Bogart (Apr 09)
- Re: Heartbleed Rule Jefferson, Shawn (Apr 10)
- Re: Heartbleed Rule Joel Esler (jesler) (Apr 10)
- Re: Heartbleed Rule JJC (Apr 10)
- Re: Heartbleed Rule Jefferson, Shawn (Apr 11)
- Re: Heartbleed Rule Joel Esler (jesler) (Apr 09)