[Bro] Detecting heartbleed activity

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Thu Apr 10 11:42:20 PDT 2014


Did you add that after the line that @loads the heartbleed script?

On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com> wrote:

> Thanks Justin,
> 
> I changed it to what you listed, but I'm still getting the following error:
> 
> error in /bro/share/bro/site/local.bro, line 95: unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success, at or near "Heartbleed::SSL_Heartbeat_Attack_Success"
> 
> 
> On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:
> On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
> > I'm attempting to add an email alert for these, but I'm getting an error.  This
> > is my first time attempting this, so I may have something wrong with syntax.
> >
> > Here is what I've added to local.bro.
> >
> > hook Notice::policy(n: Notice::Info)
> >         {
> >         if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
> >                 add n$actions[Notice::ACTION_EMAIL];
> >         }
> 
> The heartbleed module is in the Heartbleed namespace so the notice is
> 
> Heartbleed::SSL_Heartbeat_Attack_Success
> 
> Also, there is a helper for that sort of thing, you can simply:
> 
> redef Notice::emailed_types += {
>     Heartbleed::SSL_Heartbeat_Attack_Success,
> };
> 
> --
> -- Justin Azoff




