2014-04-09 09:43 AM
By now you should have all heard about the Heartbleed flaw:
Here’s everything you need to know about the Heartbleed web security flaw — Tech News and Analysis
I just spoke to the Live content team and they are working on creating an application rule to detect Heartbleed activity. Hopefully it will be available in the next 24 hours.
2014-04-14 01:02 PM
I find hits for this rule (server contains 'openssl/1.0.1e','openssl/1.0.1f','openssl/1.0.1a','openssl/1.0.1b','openssl/1.0.1c','openssl/1.0.1d'), but not for risk.info=="openssl vulnerable to heartbleed".
2014-04-14 01:14 PM
Would you be able to share a pcap that hits the rule but not the parser?
2014-04-15 10:42 AM
server contains 'openssl/1.0.1e','openssl/1.0.1f','openssl/1.0.1a','openssl/1.0.1b','openssl/1.0.1c','openssl/1.0.1d'
The Server header is visible only for HTTP traffic. How is it detecting the SSL version of HTTPS traffic?
Does this parser only look for the Server header in HTTP traffic?
I'll create a case and upload a pcap that has HTTP traffic whose Server header contains the SSL version number, but where risk.info is not tagged.
Motley, please send me email so that I can share case number with you to look at pcap.
2014-04-16 09:07 AM
I have an issue here: some HTTP traffic is also tagged as heartbleed. Why?
2014-04-16 09:28 AM
Praveen_jpmc: I suspect you may be confusing the functionality of the two alerts?
The risk.informational "openssl version vulnerable..." and the risk.warning "heartbleed data leak" are completely independent capabilities of the parsers - they are in no way dependent upon each other.
risk.informational "openssl version vulnerable..." is functionally identical to the previously mentioned app rule. App rules look at meta, and generate new meta from them. In this case, the app rule looked at "server" meta for the openssl version string.
risk.warning "heartbleed data leak" examines the actual contents of TLS heartbeat requests and responses, regardless of TLS version, OpenSSL version, or protocol being encapsulated within the TLS.
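To make the distinction above concrete, here is an added illustration (my own example, not NetWitness parser code) of the kind of check a content-based heartbeat inspection performs: it parses a TLS heartbeat record and flags a message whose claimed payload length exceeds what the record actually carries. The sample records are constructed for the example; the check only applies to heartbeat records seen in plaintext, i.e. before the session is encrypted.

```python
import struct

HEARTBEAT_CONTENT_TYPE = 0x18  # TLS record type for heartbeat (RFC 6520)
MIN_PADDING = 16               # RFC 6520: at least 16 bytes of padding follow the payload


def inspect_heartbeat_record(record: bytes) -> dict:
    """Parse one TLS record. If it is a heartbeat message, compare the payload
    length it claims against the bytes actually present in the record.
    A claim that cannot be satisfied is what a 'data leak' style detection
    keys on; the check does not depend on the TLS version in the header."""
    if len(record) < 5:
        raise ValueError("truncated TLS record header")
    content_type, major, minor, rec_len = struct.unpack("!BBBH", record[:5])
    if content_type != HEARTBEAT_CONTENT_TYPE:
        return {"heartbeat": False, "suspicious": False}
    body = record[5:5 + rec_len]
    if len(body) < 3:
        raise ValueError("truncated heartbeat message")
    hb_type, claimed_len = struct.unpack("!BH", body[:3])
    carried_len = len(body) - 3  # payload plus padding actually on the wire
    # RFC 6520 requires receivers to discard a message whose claimed length
    # plus the minimum padding does not fit in the record; a peer that answers
    # such a message instead of discarding it is the Heartbleed condition.
    suspicious = claimed_len + MIN_PADDING > carried_len
    return {
        "heartbeat": True,
        "version": (major, minor),
        "type": "request" if hb_type == 1 else "response",
        "claimed_len": claimed_len,
        "carried_len": carried_len,
        "suspicious": suspicious,
    }


# Constructed sample records (not captured traffic):
# a well-formed heartbeat request carrying "ping" plus 16 bytes of padding,
# and the same record with the payload length field set far above its content.
BENIGN_RECORD = bytes.fromhex("18 0302 0017 01 0004 70696e67" + "00" * 16)
MALFORMED_RECORD = bytes.fromhex("18 0302 0017 01 4000 70696e67" + "00" * 16)
HANDSHAKE_RECORD = bytes.fromhex("16 0301 0000")  # not a heartbeat at all

if __name__ == "__main__":
    for label, rec in [("benign", BENIGN_RECORD), ("malformed", MALFORMED_RECORD),
                       ("handshake", HANDSHAKE_RECORD)]:
        print(label, inspect_heartbeat_record(rec))
```

Note that the Server-header rule would never fire on these records, and this check would never look at an HTTP Server header, which is exactly why the two tags are independent.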
2014-04-16 09:31 AM
patriot3w: Is it an HTTPS session? If not, can you share the pcap?
2014-04-16 09:33 AM
They're HTTP sessions; let me send you the pcap privately.
2014-04-16 09:37 AM
Can you send me your email? I am not able to share the files with you from ECN.
2014-04-16 09:46 AM
Patriot- send it to Michael.shreve@rsa.com and I'll get it to motley
2014-04-16 11:03 AM
Thanks guys, I've sent it.