[Bro] Detecting heartbleed activity

John Hoyt john.h.hoyt at gmail.com
Thu Apr 10 12:03:24 PDT 2014


That did it. :-)

Thanks!


On Thu, Apr 10, 2014 at 2:42 PM, Bernhard Amann <bernhard at icsi.berkeley.edu> wrote:

> Did you add that after the line that @loads the heartbleed script?
>
> On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com> wrote:
>
> > Thanks Justin,
> >
> > I changed it to what you listed, but I'm still getting the following error:
> >
> > error in /bro/share/bro/site/local.bro, line 95: unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success, at or near "Heartbleed::SSL_Heartbeat_Attack_Success"
> >
> >
> > On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:
> > On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
> > > > I'm attempting to add an email alert for these, but I'm getting an error.  This
> > > > is my first time attempting this, so I may have something wrong with syntax.
> > >
> > > Here is what I've added to local.bro.
> > >
> > >
> > > hook Notice::policy(n: Notice::Info)
> > >
> > >         {
> > >
> > >         if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
> > >
> > >                 add n$actions[Notice::ACTION_EMAIL];
> > >
> > >         }
> >
> > The heartbleed module is in the Heartbleed namespace so the notice is
> >
> > Heartbleed::SSL_Heartbeat_Attack_Success
> >
> > Also, there is a helper for that sort of thing, you can simply:
> >
> > redef Notice::emailed_types += {
> >     Heartbleed::SSL_Heartbeat_Attack_Success,
> > };
> >
> > --
> > -- Justin Azoff