[Bro] Detecting heartbleed activity

John Landers jlanders at paymetric.com
Thu Apr 10 06:50:38 PDT 2014

Yep. It's pretty much an impossible task.

John Landers

-----Original Message-----
From: Bernhard Amann [mailto:bernhard at ICSI.Berkeley.EDU] 
Sent: Thursday, April 10, 2014 8:45 AM
To: John Landers
Cc: Seth Hall; M K; Bro-IDS
Subject: Re: [Bro] Detecting heartbleed activity

Note that there is an almost 100% chance that this (and similar) approaches will not work on any attacks that might have happened before the bug was publicly released.

You basically just fingerprint one of the (more common) tools. There is next to no chance that an earlier attack (or even someone using a different tool) will exhibit the same characteristics. All of them will send the TLS records in a slightly different way, perhaps enable encryption before sending them, or - perhaps even send a https request before the heartbeat to make it less obvious in logs.

On Apr 10, 2014, at 6:33 AM, John Landers <jlanders at paymetric.com> wrote:

>> From using the proof-of-concept code on my servers to validate before/after patching the vulnerability, I found the following common criteria in the Bro conn log:
> orig_bytes=241 
> protocol=tcp 
> resp_port=443
> Using this criteria in a search, and grouping by orig_ip, I was able to find all of the known attempts in my log from April 8. When I searched through historical logs, I had one false positive using the search but I don't know how many false negatives this produced.
> Whether or not this search would work is completely dependent on your standard SSL traffic. You could try searching for orig_bytes < 250 and resp_bytes > 30000 but I suspect that won't work if your organization is offering downloads or rich web content...
> John Landers
> -----Original Message-----
> From: bro-bounces at bro.org [mailto:bro-bounces at bro.org] On Behalf Of Seth Hall
> Sent: Thursday, April 10, 2014 8:02 AM
> To: M K
> Cc: Bro-IDS
> Subject: Re: [Bro] Detecting heartbleed activity
> On Apr 10, 2014, at 8:37 AM, M K <mkhan04 at gmail.com> wrote:
>> I'm not sure you can come up with a reliable and simple means of finding it through the information in the connection log.
> You're correct, I don't believe that the attack is apparent in any Bro logs in our releases.  The only way at the moment to detect heartbleed with Bro is to use Bernhard's branch (although I'd love to be proven wrong if someone figures out a way to catch it!)
>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro.org/
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list