This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Discussions

Heartbleed

Anonymous
Not applicable

‎2014-04-09 09:43 AM

By now you should have all heard about the Heartbleed flaw:

Here’s everything you need to know about the Heartbleed web security flaw — Tech News and Analysis

 

I just spoke to the Live content team and they are working on creating an application rule to detect Heartbleed activity. Hopefully it will be available in the next 24 hours.

0 Likes
42 REPLIES 42

Anonymous
Not applicable
In response to RSAAdmin

‎2014-04-14 01:02 PM

I find hits for this rule server contains 'openssl/1.0.1e','openssl/1.0.1f','openssl/1.0.1a','openssl/1.0.1b','openssl/1.0.1c','openssl/1.0.1d', But not risk.info==“openssl vulnerable to heartbleed”.

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-04-14 01:14 PM

Would you be able to share a pcap that hits the rule but not the parser?

0 Likes

Anonymous
Not applicable
In response to RSAAdmin

‎2014-04-15 10:42 AM

server contains 'openssl/1.0.1e','openssl/1.0.1f','openssl/1.0.1a','openssl/1.0.1b','openssl/1.0.1c','openssl/1.0.1d'

Server header is visible only for http traffic. How is it detecting ssl version of https traffic

Is this parser only looks for server header in http traffic.

 

I’ll create a case and upload pcap that has http traffic with server header contains ssl version number. But risk.info is not tagged there.

 

Motley, please send me email so that I can share case number with you to look at pcap.

0 Likes

huanzhou1
Beginner
Beginner
In response to Anonymous

‎2014-04-16 09:07 AM

I have issue here, some http traffic also tag as heartbleed, why?

0 Likes

RSAAdmin
Beginner
Beginner
In response to Anonymous

‎2014-04-16 09:28 AM

Praveen_jpmc:  I suspect you may be confusing the functionality of the two alerts?

 

The risk.informational "openssl version vulnerable..." and the risk.warning "heartbleed data leak" are completely independent capabilities of the parsers - they are in no way dependent upon each other.

 

risk.informational "openssl version vulnerable..." is functionally identical to the previously mentioned app rule.  App rules look at meta, and generate new meta from them.  In this case, the app rule looked at "server" meta for the openssl version string.

 

risk.warning "heartbleed data leak examines the actual contents of TLS heartbeat requests and responses, regardless of TLS version, OpenSSL version, or protocol being encapsulated within the TLS.

0 Likes

RSAAdmin
Beginner
Beginner
In response to huanzhou1

‎2014-04-16 09:31 AM

patriot3w:  Is it an HTTPS session?  If not, can you share the pcap?

0 Likes

huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2014-04-16 09:33 AM

It's http sessions, let me send you the pcap privately.

0 Likes

huanzhou1
Beginner
Beginner
In response to huanzhou1

‎2014-04-16 09:37 AM

can you send me your email? i am not able share the files to you from ECN.

0 Likes

RSAAdmin
Beginner
Beginner
In response to huanzhou1

‎2014-04-16 09:46 AM

Patriot- send it to Michael.shreve@rsa.com and I'll get it to motley

0 Likes

huanzhou1
Beginner
Beginner
In response to RSAAdmin

‎2014-04-16 11:03 AM

thanks guys, i've sent.

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.