2014-04-09 09:43 AM
By now you should have all heard about the Heartbleed flaw:
Here’s everything you need to know about the Heartbleed web security flaw — Tech News and Analysis
I just spoke to the Live content team and they are working on creating an application rule to detect Heartbleed activity. Hopefully it will be available in the next 24 hours.
2014-04-10 12:40 PM
To detect vulnerable servers, look for instances of “openssl vulnerable to heartbleed” under the risk.informational. For detecting exploit attempts, look for “heartbleed data leak” under risk.warning.
2014-04-10 12:41 PM
The file is small, only 6kb in size. Do you have an email I could send it to? I would rather not put the pcap in public.
2014-04-10 12:43 PM
The attack detection in the TLS-flex and TLS_lua parsers will register,
risk.warning: "heartbleed data leak"
The app rule mentioned above has been folded into the TLS-flex / TLS_lua parsers as well, so it is not necessary to create it separately. It will register,
risk.informational: "openssl vulnerable to heartbleed"
2014-04-10 12:45 PM
Obviously we're interested in any attack scenarios that are flying under the *current* parser functionality radar- so this is a big help.
2014-04-10 12:50 PM
You should be getting the pcap now.
2014-04-10 01:03 PM
That doesn't look like a successful attack to me?
I see the heartbeat request from the client, and the server ACKs the packet. But before the server actually sends a heartbeat response, the client FINs and the session is over. No data leakage.
Or is there something I'm missing?
2014-04-10 01:27 PM
Very well could not be a successful attack. I was going based on Heartbleed: Packet Capture | Didier Stevens and the malformed heartbeat request was very similar to the one found in the pcap.
2014-04-10 02:55 PM
My other post is apparently being moderated. But I wanted to confirm that we have now seen this parser work successfully in our network to devices that are still vulnerable. Good thing I am not the one who manages our certs....
2014-04-14 12:37 PM
I find risk.info is not picking up, but risk.warning is picking up.
Do you have any pcap that I can use test if tag both risk.info and risk.warning. May not be same pcap could be two different pcaps@
2014-04-14 12:56 PM
The risk.info meta is triggered by the same conditions as the app rule mentioned by Fielder here:
server contains 'openssl/1.0.1e','openssl/1.0.1f','openssl/1.0.1a','openssl/1.0.1b','openssl/1.0.1c','openssl/1.0.1d'
So there needs to be 'server' meta that contains one of those strings. The 'server' meta itself would be registered by other parsers (most likely one of the HTTP parsers).