This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Heartbleed

Anonymous
Not applicable

‎2014-04-09 09:43 AM

By now you should have all heard about the Heartbleed flaw:

Here’s everything you need to know about the Heartbleed web security flaw — Tech News and Analysis

 

I just spoke to the Live content team and they are working on creating an application rule to detect Heartbleed activity. Hopefully it will be available in the next 24 hours.

0 Likes
42 REPLIES 42

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-04-10 12:40 PM

To detect vulnerable  servers, look for instances of “openssl vulnerable to heartbleed” under the risk.informational. For detecting exploit attempts, look for “heartbleed data leak” under risk.warning.

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-04-10 12:41 PM

The file is small, only 6kb in size.  Do you have an email I could send it to?  I would rather not put the pcap in public. 

0 Likes

RSAAdmin
Beginner
Beginner
In response to RSAAdmin

‎2014-04-10 12:43 PM

The attack detection in the TLS-flex and TLS_lua parsers will register,

 

    risk.warning: "heartbleed data leak"

 

The app rule mentioned above has been folded into the TLS-flex / TLS_lua parsers as well, so it is not necessary to create it separately.  It will register,

 

    risk.informational: "openssl vulnerable to heartbleed"

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-04-10 12:45 PM

Obviously we're interested in any attack scenarios that are flying under the *current* parser functionality radar- so this is a big help.

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-04-10 12:50 PM

You should be getting the pcap now.

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-04-10 01:03 PM

That doesn't look like a successful attack to me?

 

I see the heartbeat request from the client, and the server ACKs the packet.  But before the server actually sends a heartbeat response, the client FINs and the session is over.  No data leakage.

 

Or is there something I'm missing?

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-04-10 01:27 PM

Very well could not be a successful attack.  I was going based on Heartbleed: Packet Capture | Didier Stevens and the malformed heartbeat request was very similar to the one found in the pcap. 

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-04-10 02:55 PM

My other post is apparently being moderated. But I wanted to confirm that we have now seen this parser work successfully in our network to devices that are still vulnerable.  Good thing I am not the one who manages our certs....

0 Likes

Anonymous
Not applicable
In response to Anonymous

‎2014-04-14 12:37 PM

I find risk.info is not picking up, but risk.warning is picking up.

 

Do you have any pcap that I can use test if tag both risk.info and risk.warning. May not be same pcap could be two different pcaps@

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-04-14 12:56 PM

The risk.info meta is triggered by the same conditions as the app rule mentioned by Fielder here:


server contains 'openssl/1.0.1e','openssl/1.0.1f','openssl/1.0.1a','openssl/1.0.1b','openssl/1.0.1c','openssl/1.0.1d'

 

 

So there needs to be 'server' meta that contains one of those strings.  The 'server' meta itself would be registered by other parsers (most likely one of the HTTP parsers).

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.