[Bro] Detecting heartbleed activity

M K mkhan04 at gmail.com
Thu Apr 10 05:37:11 PDT 2014

Heartbleed is extremely difficult to detect without doing an inspection of
the TLS traffic. The biggest indicator is that a heartbeat message response
is larger than the request. But with regular https traffic, as an example,
you'll see similar looking payloads, just as a matter of course. I.e., a
GET request which is X kB will garner a response that is Y kB (where Y is
greater than X).

If you take a look at the branch that the bro folks released to detect
heartbleed, they specifically inspect the heartbeat message if a cipher
spec hasn't been chosen. And if a cipher has been chosen, compare the
payload sizes of the heartbeat request/response (TLS Record information is
in the clear, even if the actual record is encrypted).

I'm not sure you can come up with a reliable and simple means of finding it
through the information in the connection log. But I'd like to be wrong in
this instance. If anybody disagrees with me, I'd really really like to know
as it'd would help me (and a bunch of folks) out.

On Thu, Apr 10, 2014 at 8:24 AM, James Lay <jlay at slave-tothe-box.net> wrote:

>  So...I'd like to be able to see if any heartbleed activity was happening
> before everyone knew about it.  I'm thinking I'd see this in the conn.log
> with data leaving the server.  Any thoughts or pointers we could use to
> check?  Thanks all.
> James
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20140410/e5f02d65/attachment.html 

More information about the Bro mailing list