[Bro] Detecting heartbleed activity

John Landers jlanders at paymetric.com
Thu Apr 10 06:33:40 PDT 2014


From using the proof-of-concept code on my servers to validate before/after patching the vulnerability, I found the following common criteria in the Bro conn log:

orig_bytes=241 
protocol=tcp 
resp_port=443

Using these criteria in a search, and grouping by orig_ip, I was able to find all of the known attempts in my log from April 8. When I searched through historical logs, I had one false positive using the search, but I don't know how many false negatives this produced.

Whether or not this search would work is completely dependent on your standard SSL traffic. You could try searching for orig_bytes < 250 and resp_bytes > 30000 but I suspect that won't work if your organization is offering downloads or rich web content...



John Landers

-----Original Message-----
From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Seth Hall
Sent: Thursday, April 10, 2014 8:02 AM
To: M K
Cc: Bro-IDS
Subject: Re: [Bro] Detecting heartbleed activity


On Apr 10, 2014, at 8:37 AM, M K <mkhan04 at gmail.com> wrote:

> I'm not sure you can come up with a reliable and simple means of finding it through the information in the connection log.

You're correct, I don't believe that the attack is apparent in any Bro logs in our releases.  The only way at the moment to detect heartbleed with Bro is to use Bernhard's branch (although I'd love to be proven wrong if someone figures out a way to catch it!)

  .Seth


--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro.org/
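The two conn.log searches John describes in his message (the exact match on orig_bytes=241 / tcp / resp_port 443 grouped by originator, and the looser orig_bytes < 250 with resp_bytes > 30000 heuristic) written out as an added example, not code from either poster or from the Bro project. The sample conn.log is constructed to look like Bro 2.x ASCII output; it is not a real capture. The grouping key is assumed to be Bro's id.orig_h field (John's "orig_ip" is taken to be a renamed copy of that column), and the included large-download record is constructed only to show the kind of false positive John warns the second search produces.

```python
"""Run the two heartbleed-hunting searches from the thread over a Bro conn.log."""
from collections import defaultdict

# Constructed sample conn.log in Bro 2.x tab-separated ASCII format (not real traffic).
# Records: two 241-byte originator connections from one host, one from another,
# a large download with a small request (the false-positive case for the ratio search),
# a normal larger TLS exchange, and a 241-byte request to port 80 that must not match.
SAMPLE_CONN_LOG = """\
#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tconn
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\torig_pkts\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]
1396957200.000000\tCabc1\t203.0.113.10\t51000\t192.0.2.5\t443\ttcp\tssl\t0.31\t241\t65734\tSF\t-\t0\tShADadfF\t8\t661\t52\t68421\t(empty)
1396957201.000000\tCabc2\t203.0.113.10\t51001\t192.0.2.5\t443\ttcp\tssl\t0.29\t241\t65734\tSF\t-\t0\tShADadfF\t8\t661\t52\t68421\t(empty)
1396957202.000000\tCabc3\t198.51.100.7\t40200\t192.0.2.5\t443\ttcp\tssl\t1.20\t241\t3120\tSF\t-\t0\tShADadfF\t6\t557\t6\t3437\t(empty)
1396957203.000000\tCabc4\t198.51.100.20\t40300\t192.0.2.5\t443\ttcp\tssl\t4.10\t230\t2100000\tSF\t-\t0\tShADadfF\t20\t1290\t1480\t2180000\t(empty)
1396957204.000000\tCabc5\t198.51.100.21\t40301\t192.0.2.5\t443\ttcp\tssl\t0.50\t1880\t5400\tSF\t-\t0\tShADadfF\t9\t2350\t8\t5820\t(empty)
1396957205.000000\tCabc6\t198.51.100.22\t40302\t192.0.2.5\t80\ttcp\thttp\t0.10\t241\t900\tSF\t-\t0\tShADadfF\t4\t453\t4\t1110\t(empty)
"""


def parse_conn_log(text):
    """Parse Bro ASCII conn.log text into a list of dicts keyed by the #fields names."""
    fields = None
    unset = "-"
    rows = []
    for line in text.splitlines():
        if line.startswith("#unset_field"):
            unset = line.split("\t", 1)[1]
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue  # other header lines, #close trailer, blanks
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            raise ValueError("conn.log record does not match the #fields header")
        # Keep unset values as None so callers never compare "-" to a number.
        rows.append({k: (None if v == unset else v) for k, v in zip(fields, values)})
    return rows


def _count(value):
    """Convert a Bro 'count' column to int, passing None (unset) through."""
    return None if value is None else int(value)


def exact_241_search(rows):
    """First search from the thread: orig_bytes=241, proto=tcp, resp_port=443, grouped by originator.

    Returns {originator address: [uid, ...]} so a hunter can see repeat offenders.
    """
    hits = defaultdict(list)
    for r in rows:
        if r["proto"] == "tcp" and r["id.resp_p"] == "443" and _count(r["orig_bytes"]) == 241:
            hits[r["id.orig_h"]].append(r["uid"])
    return dict(hits)


def ratio_search(rows, max_orig=250, min_resp=30000):
    """Second search from the thread: small request, large response on 443.

    Records with unset byte counts are skipped rather than treated as zero.
    """
    hits = defaultdict(list)
    for r in rows:
        orig_bytes, resp_bytes = _count(r["orig_bytes"]), _count(r["resp_bytes"])
        if orig_bytes is None or resp_bytes is None:
            continue
        if (r["proto"] == "tcp" and r["id.resp_p"] == "443"
                and orig_bytes < max_orig and resp_bytes > min_resp):
            hits[r["id.orig_h"]].append(r["uid"])
    return dict(hits)


if __name__ == "__main__":
    records = parse_conn_log(SAMPLE_CONN_LOG)
    print("orig_bytes=241 search:", exact_241_search(records))
    print("small-request/large-response search:", ratio_search(records))
```

On the constructed sample the exact search returns the two originators that sent 241-byte requests to 443 and ignores the identical-sized request to port 80, while the ratio search picks up the 230-byte request that pulled down a 2 MB response (the download-style false positive) and misses the 241-byte probe that got only a small reply, which is the trade-off the message describes.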




