Snort mailing list archives
Re: Alerts were Generated on my Snort IDS box for the Heartbleed Vulnerability
From: "Joel Esler (jesler)" <jesler () cisco com>
Date: Sun, 13 Apr 2014 23:09:24 +0000
Well, the responses shouldn't fire unless you actually are vulnerable.

--
Joel Esler
Sent from my iPhone

On Apr 13, 2014, at 15:17, "Jeremy Hoel" <jthoel () gmail com> wrote:

> Snort isn't telling you that you are vulnerable. It's telling you that someone made an attempt, which you did when you asked McAfee to scan your IP. That's up to the result of the scan from McAfee, if it's true or false. The rules tell you that they are attempts. That's all.
>
> On Apr 13, 2014 1:12 PM, "Teo En Ming" <teo.en.ming () gmail com> wrote:
>
>> Hi,
>>
>> I went to the following mcafee.com site to check my website for the heartbleed vulnerability.
>>
>> http://tif.mcafee.com/heartbleedtest
>>
>> Snort rules which detect the heartbleed vulnerability were fired. These snort rules come from the Snort community rules which I added a short while ago.
>>
>> The Snort alerts which are generated for the heartbleed vulnerability are as follows:
>>
>> 04/14-02:54:29.148070 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
>> 04/14-02:54:29.148663 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 161.69.31.4:50847
>> 04/14-02:54:29.354600 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
>> 04/14-02:54:29.354600 [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
>>
>> What are the remedial steps to fix the heartbleed vulnerability on my web server?
>>
>> Thank you very much.
>>
>> Teo En Ming
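
The distinction drawn in this thread (request-side rules report attempts, while the response-side rule points at a server that answered) can be checked mechanically. The following is an added example, not code from any poster or from the Snort project: it assumes Snort "fast" alert lines, tells response rules from request rules by the phrase "heartbeat response" in the rule message, and uses hypothetical function names; the sample input is the four alert lines from the original post.

```python
import re
from collections import defaultdict

# Sample input: the four alert lines quoted in the original post of this thread.
ALERTS = """\
04/14-02:54:29.148070 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
04/14-02:54:29.148663 [**] [1:30516:6] SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.146:443 -> 161.69.31.4:50847
04/14-02:54:29.354600 [**] [1:30524:1] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
04/14-02:54:29.354600 [**] [1:30512:5] SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 161.69.31.4:50847 -> 192.168.1.146:443
"""

# Snort "fast" alert layout: timestamp, [gid:sid:rev], message, then src -> dst.
LINE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_alerts(text):
    """Return one dict per well-formed alert line; other lines are skipped."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]

def triage(events):
    """Group heartbeat alerts per flow, keyed (client, cport, server, sport)."""
    flows = defaultdict(lambda: {"requests": 0, "responses": 0})
    for e in events:
        msg = e["msg"].lower()
        if "heartbeat" not in msg:
            continue
        if "heartbeat response" in msg:   # assumption: response-side rule
            key = (e["dst"], e["dport"], e["src"], e["sport"])
            flows[key]["responses"] += 1
        else:                             # request-side rule: an attempt only
            key = (e["src"], e["sport"], e["dst"], e["dport"])
            flows[key]["requests"] += 1
    for counts in flows.values():
        if counts["responses"] and counts["requests"]:
            counts["verdict"] = "attempt answered with large heartbeat: verify and patch server"
        elif counts["responses"]:
            counts["verdict"] = "large heartbeat response without an alerted request"
        else:
            counts["verdict"] = "attempt seen, no large response alerted"
    return dict(flows)

if __name__ == "__main__":
    for flow, result in triage(parse_alerts(ALERTS)).items():
        print(flow, result)
```
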
Current thread:
- Alerts were Generated on my Snort IDS box for the Heartbleed Vulnerability Teo En Ming (Apr 13)
- Re: Alerts were Generated on my Snort IDS box for the Heartbleed Vulnerability Jeremy Hoel (Apr 13)
- Re: Alerts were Generated on my Snort IDS box for the Heartbleed Vulnerability Joel Esler (jesler) (Apr 13)
- Re: Alerts were Generated on my Snort IDS box for the Heartbleed Vulnerability Joel Esler (jesler) (Apr 13)
- Re: Alerts were Generated on my Snort IDS box for the Heartbleed Vulnerability Teo En Ming (Apr 14)
- Re: Alerts were Generated on my Snort IDS box for the Heartbleed Vulnerability Jeremy Hoel (Apr 13)