This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Platform Product Advisories
Read and subscribe to the latest announcements and advisories relating to the NetWitness Platform.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

How to detect the Heartbleed Vulnerability using RSA Security Analytics

What is Heartbleed?

The Heartbleed OpenSSL vulnerability is a serious weakness in specific implementations of the OpenSSL software on servers, Virtual Private Networks and other applications.  For full details on this vulnerability, please visit http://heartbleed.com

 

How can RSA find instances of Heartbleed?

RSA Security Analytics gives users the ability to identify servers vulnerable to the Heartbleed exploit, as well as detect attempts to exploit the service. This is a perfect example of the type of incident investigation and forensics that can be achieved utilizing full packet capture and RSA Security Analytics.  

 

What rules and/or parsers have been created to help find Heartbleed?

Parsers that have been created to address Heartbleed are now available in RSA Live.  These are available for all RSA Live subscription tiers.  The specific parsers are ""TLS"" and ""TLS_lua"". Users subscribed to either of these parsers will be automatically updated. For users that are not currently subscribing to either piece of content, they should disable the default TLS parser and subscribe to one of the two TLS parsers available on RSA Live. For customers running RSA NetWitness / RSA Security Analytics version 10.2 and below, use the Flex parser ""TLS"". For those running versions 10.2 and above, use the LUA parser ""TLS_lua"".

To detect vulnerable  servers, look for instances of ""openssl vulnerable to heartbleed"" under the risk.informational meta-key. For detecting exploit attempts, look for ""heartbleed data leak"" under risk.warning meta-key.

 

Once detected how can Heartbleed be remediated?

To fully remediate this vulnerability, upgrade weak systems to the latest fixed version of OpenSSL and revoke old keys. Renew your SSL certificate, and if applicable, change passwords for sensitive accounts.

 

Important

 

Make sure to subscribe to the parsers on Live, as they will be updated as we find new methods of attack. If you are a Security Analytics for Logs customer, ensure that you are subscribed to the appropriate IDS / IPS log parsers, as they will be updated as vendors release new signature sto detect exploits against the Heartbleed vulnerability

 

 

0 Likes
Was this article helpful? Yes No
No ratings

In this article

Version history
Last update:
‎2014-04-10 08:32 AM
Updated by:
Beginner

Related Content

© 2022 RSA Security LLC or its affiliates. All rights reserved.