[Bro] Detecting heartbleed activity

Alex Waher alexwis at gmail.com
Thu Apr 10 16:19:02 PDT 2014


I had the heartbeat branch running for a few hours (very successfully
detecting activity!) and noticed it eventually had the manager worker
consuming 70+ GB of memory. Wasn't sure if the leak was from the heartbeat
capability itself or something else along the current git repo. YMMV!


On Thu, Apr 10, 2014 at 3:46 PM, Bernhard Amann
<bernhard at icsi.berkeley.edu> wrote:

> https://github.com/bro/bro/tree/topic/bernhard/heartbeat - the script is
> in scripts/policy/protocols/ssl/heartbleed.bro
>
> Make sure to use the linked branch (topic/bernhard/heartbeat)
>
> Bernhard
>
> On Apr 10, 2014, at 3:22 PM, John Babio <jbabio at me.com> wrote:
>
> > Do you have a github with this script in it? Thanks!
> >
> > On Apr 10, 2014, at 04:29 PM, John Hoyt <john.h.hoyt at gmail.com> wrote:
> >
> >> After implementing it just a little while ago, I've had eight
> notifications, half of which look to be vulnerable servers.
> >>
> >> So, I'd say so far good.
> >>
> >> -John
> >>
> >>
> >> On Thu, Apr 10, 2014 at 4:11 PM, Gary Faulkner <gary at doit.wisc.edu>
> wrote:
> >> Just curious how the heartbleed Bro build is running for folks. Any
> problems?
> >>
> >> On 4/10/2014 2:03 PM, John Hoyt wrote:
> >>> That did it. :-)
> >>>
> >>> Thanks!
> >>>
> >>>
> >>> On Thu, Apr 10, 2014 at 2:42 PM, Bernhard Amann <
> bernhard at icsi.berkeley.edu> wrote:
> >>> Did you add that after the line that @loads the heartbleed script?
> >>>
> >>> On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com> wrote:
> >>>
> >>>> Thanks Justin,
> >>>>
> >>>> I changed it to what you listed, but I'm still getting the following
> error:
> >>>>
> >>>> error in /bro/share/bro/site/local.bro, line 95: unknown identifier
> Heartbleed::SSL_Heartbeat_Attack_Success, at or near
> "Heartbleed::SSL_Heartbeat_Attack_Success"
> >>>>
> >>>>
> >>>> On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu>
> wrote:
> >>>> On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
> >>>>> I'm attempting to add an email alert for these, but I'm getting an
> error.  This
> >>>>> is my first time attempting this, so I may have something wrong with
> syntax.
> >>>>>
> >>>>> Here is what I've added to local.bro.
> >>>>>
> >>>>>
> >>>>> hook Notice::policy(n: Notice::Info)
> >>>>>        {
> >>>>>        if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
> >>>>>                add n$actions[Notice::ACTION_EMAIL];
> >>>>>        }
> >>>>
> >>>> The heartbleed module is in the Heartbleed namespace so the notice is
> >>>>
> >>>> Heartbleed::SSL_Heartbeat_Attack_Success
> >>>>
> >>>> Also, there is a helper for that sort of thing, you can simply:
> >>>>
> >>>> redef Notice::emailed_types += {
> >>>>    Heartbleed::SSL_Heartbeat_Attack_Success,
> >>>> };
> >>>>
> >>>> --
> >>>> -- Justin Azoff
> >>>>
> >>>> _______________________________________________
> >>>> Bro mailing list
> >>>> bro at bro-ids.org
> >>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
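An added example, not code from the thread or from the Bro project, that puts Justin's two suggestions into one local.bro fragment and fixes the ordering problem Bernhard points at: the @load of the heartbleed script must come before any line that names a Heartbleed:: identifier, or Bro reports the "unknown identifier" error John saw. The @load path follows the script location given in the thread; the server subnet, the hook's extra condition and the one-hour suppression interval are assumptions made for illustration.

```bro
# Added example for local.bro (not from the original thread).
# Load the heartbleed script first; Heartbleed::SSL_Heartbeat_Attack_Success
# is only defined once this line has been processed.
@load protocols/ssl/heartbleed

# Option 1: the helper Justin mentions. Every notice of this type gets
# Notice::ACTION_EMAIL in addition to the default log action.
redef Notice::emailed_types += {
    Heartbleed::SSL_Heartbeat_Attack_Success,
};

# Option 2: an explicit Notice::policy hook. This is the form to use when the
# action should depend on more than the note type; here (assumption) only
# notices whose responder is in a constructed example server range are mailed.
const heartbleed_watched_servers: set[subnet] = { 192.0.2.0/24 } &redef;

hook Notice::policy(n: Notice::Info)
    {
    # Note the namespace: the notice lives in Heartbleed::, not SSL::.
    if ( n$note == Heartbleed::SSL_Heartbeat_Attack_Success &&
         n?$id && n$id$resp_h in heartbleed_watched_servers )
        add n$actions[Notice::ACTION_EMAIL];
    }

# Optional: suppress repeat notices of this type for one hour so a scanner
# hammering a vulnerable server does not produce a flood of mail (interval is
# an assumption; the per-type suppression table is part of the Notice framework).
redef Notice::type_suppression_intervals += {
    [Heartbleed::SSL_Heartbeat_Attack_Success] = 1hr,
};
```

With both options present, Option 1 already mails every success notice, so in practice you would keep one or the other; Option 2 is shown for the case where the hook needs to inspect the connection before deciding.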