2014-04-09 09:43 AM
By now you should have all heard about the Heartbleed flaw:
Here’s everything you need to know about the Heartbleed web security flaw — Tech News and Analysis
I just spoke to the Live content team and they are working on creating an application rule to detect Heartbleed activity. Hopefully it will be available in the next 24 hours.
2014-04-09 10:42 AM
We are testing both an app rule for identifying vulnerable servers and a parser for detecting the 64K leak associated with Heartbleed.
2014-04-10 09:39 AM
looking forward to the app rule...
2014-04-10 09:46 AM
Content update imminent! We've put the detection functionality into our TLS parsers. They are being updated to Live shortly. Stay tuned for the announcement
2014-04-10 10:20 AM
What should we be looking for in the meta to alert on?
2014-04-10 11:40 AM
I think it will be risk.warning - "heartbleed_data_leaked"
Some simple application rules on the decoders can help detect vulnerable versions of OpenSSL. They do this by reading server banners when someone connects to a monitored web service via the HTTP protocol. However, this is an SSL issue, and web hosts that allow only SSL will not trigger detection via these rules. This is a stop-gap, passive vulnerability application rule and should not be relied upon in place of a rigorous, active vulnerability scanning service.
One rule is:
server contains 'openssl/1.0.1e','openssl/1.0.1f','openssl/1.0.1a','openssl/1.0.1b','openssl/1.0.1c','openssl/1.0.1d'
Note that this issue is a patching issue. SA may help in identifying and prioritizing which hosts to patch first, but it is not a substitute for a rigorous scanning and patching effort. Good luck to all those working long hours getting fixes in place.
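Added example (not part of this thread, and not the SA app rule or TLS parser being discussed): a small Python script that shows both detection ideas raised above side by side. The banner check mirrors the quoted `server contains` rule outside the SA rule engine; the heartbeat check does what a "64K leak" parser has to do, namely split a byte stream into TLS records, spot a heartbeat request whose declared payload length does not fit in the record (the bounds check the OpenSSL fix added, per RFC 6520), and estimate how many bytes the server echoed back beyond what the client actually sent. The sample traffic is constructed inline, the handshake record is a placeholder rather than a real ServerHello, and the record-level inspection only works for heartbeats sent in the clear before the handshake completes (which is how the common probes operate); encrypted heartbeats after the handshake cannot be parsed this way.

```python
import struct

TLS_HANDSHAKE = 22            # ContentType for handshake records
TLS_HEARTBEAT = 24            # ContentType for heartbeat records (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16           # RFC 6520 requires at least 16 bytes of padding
MAX_RECORD = 16384            # TLS 1.x plaintext fragment limit; OpenSSL splits larger writes

# Same version strings as the app rule quoted in the thread; matched case-insensitively.
VULNERABLE_BANNERS = ("openssl/1.0.1a", "openssl/1.0.1b", "openssl/1.0.1c",
                      "openssl/1.0.1d", "openssl/1.0.1e", "openssl/1.0.1f")


def banner_is_vulnerable(server_header):
    """Passive banner check in the spirit of the quoted app rule (HTTP only, not SSL-only hosts)."""
    s = server_header.lower()
    return any(v in s for v in VULNERABLE_BANNERS)


def parse_tls_records(data):
    """Split a one-direction byte stream into TLS records: (content_type, version, body)."""
    records, off = [], 0
    while off + 5 <= len(data):
        ctype, ver, length = struct.unpack("!BHH", data[off:off + 5])
        body = data[off + 5:off + 5 + length]
        if len(body) < length:      # truncated record: stop rather than misparse
            break
        records.append((ctype, ver, body))
        off += 5 + length
    return records


def heartbeat_record(kind, declared_len, payload, version=0x0302):
    """Build heartbeat records for the constructed samples, fragmenting like OpenSSL does."""
    body = struct.pack("!BH", kind, declared_len) + payload
    out = b""
    for i in range(0, len(body), MAX_RECORD):
        frag = body[i:i + MAX_RECORD]
        out += struct.pack("!BHH", TLS_HEARTBEAT, version, len(frag)) + frag
    return out


def inspect_requests(client_data):
    """Return (declared_len, bytes_actually_sent, oversized) for each heartbeat request."""
    found = []
    for ctype, _ver, body in parse_tls_records(client_data):
        if ctype != TLS_HEARTBEAT or len(body) < 3 or body[0] != HB_REQUEST:
            continue
        declared = struct.unpack("!H", body[1:3])[0]
        sent = len(body) - 3
        # The fixed OpenSSL check: type(1) + length(2) + payload + padding(16) must fit the record.
        oversized = 1 + 2 + declared + HB_MIN_PADDING > len(body)
        found.append((declared, sent, oversized))
    return found


def estimate_leak(client_data, server_data):
    """Pair client heartbeat requests with server heartbeat bytes and estimate leaked memory."""
    reqs = inspect_requests(client_data)
    server_hb = sum(len(body) for ctype, _ver, body in parse_tls_records(server_data)
                    if ctype == TLS_HEARTBEAT)
    oversized = [r for r in reqs if r[2]]
    if not oversized:
        return {"attack": False, "requests": len(reqs),
                "server_heartbeat_bytes": server_hb, "leaked_bytes": 0}
    # A patched server drops an oversized request silently, so everything that comes back
    # beyond the 3-byte header, the padding and the bytes the client really sent is echoed memory.
    sent = sum(r[1] for r in oversized)
    leaked = max(0, server_hb - len(oversized) * (3 + HB_MIN_PADDING) - sent)
    return {"attack": True, "requests": len(reqs),
            "server_heartbeat_bytes": server_hb, "leaked_bytes": leaked}


# Constructed sample traffic (not a real capture). The handshake record is a placeholder.
HANDSHAKE_STUB = struct.pack("!BHH", TLS_HANDSHAKE, 0x0302, 4) + b"\x02\x00\x00\x00"
# Probe: declares 16384 bytes of payload but sends 3 and no padding.
ATTACK_CLIENT = heartbeat_record(HB_REQUEST, 0x4000, b"abc")
# Vulnerable server echoes 16384 bytes (3 sent + 16381 of its own memory) plus padding.
ATTACK_SERVER = HANDSHAKE_STUB + heartbeat_record(
    HB_RESPONSE, 0x4000, b"abc" + b"M" * 16381 + b"\x00" * HB_MIN_PADDING)
# Well-formed heartbeat: declared length matches what is sent, padding present.
BENIGN_CLIENT = heartbeat_record(HB_REQUEST, 3, b"abc" + b"\x00" * HB_MIN_PADDING)
BENIGN_SERVER = heartbeat_record(HB_RESPONSE, 3, b"abc" + b"\x00" * HB_MIN_PADDING)

if __name__ == "__main__":
    print("banner 1.0.1e vulnerable:", banner_is_vulnerable("Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e"))
    print("attack stream:", estimate_leak(ATTACK_CLIENT, ATTACK_SERVER))
    print("benign stream:", estimate_leak(BENIGN_CLIENT, BENIGN_SERVER))
```

Feed `estimate_leak` the client-to-server and server-to-client payloads of one TCP stream (for instance as exported from Wireshark's Follow TCP Stream); the leak estimate is only as good as the assumption that the probe was sent in the clear, and the banner check inherits the limitation stated above for hosts that never speak plain HTTP.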
2014-04-10 11:52 AM
Just uploaded a pcap of a heartbleed attack with the new TLS and it does not appear to be catching it 😕
Doesn't even show that it used TLS when in wireshark I can see that it did.
2014-04-10 12:01 PM
Sean, which TLS parser were you using? How big is the pcap, and is it something I can get?
2014-04-10 12:13 PM
Just spoke to the gentleman who created the TLS parsers, and he would very much like to get that pcap if at all possible. Our first-run parsers were a bit too specific in what they were attempting to recognize with regard to Heartbleed, so we opened them up a bit. This may or may not have anything to do with your results, but that certainly isn't to say that you haven't captured an attack scenario we haven't seen. We can always improve; however, we need to know exactly what is being missed.
2014-04-10 12:29 PM
risk.warning - "heartbleed_data_leaked"
Is this the correct meta field that will be alerted on as Fielder suggested when using the TLS parser?