[Bro] Detecting heartbleed activity

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Mon Apr 21 07:52:00 PDT 2014


that site uses the encrypted variant of the attack (hence it sends the
exploit heartbeat frames after encryption has begun).

In this case, it is more difficult to detect the attack than in the simple
case - we cannot just flag all heartbeats because that would introduce
a lot of false positive.

Thus, in case the attack is encrypted, you will only get notices if it was
successful (we still can determine that by comparing sizes), but not if
it was just attempted, sorry. There really is no good way around that.

So - you probably tested against a non-vulnerable server. If you test
against a vulnerable machine, you should get a notice in your log.

I think the heartbeat check by www.ssllabs.com always triggers - they
don’t start encryption before sending the heartbeats.


On Apr 21, 2014, at 7:32 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:

> I have pulled the latest branch, installed and pushed to my hosts.  I
> loaded the heartbleed as indicated, then I am testing with the
> following site (https://filippo.io/Heartbleed/) so I can try and cause
> a notice.  After running the attack,  I can't seem to get a notice
> log.
> So I figure either the attach generated by this site doesn't trigger
> the script to insert a log, or I have something not configured right
> still.  Is there some way I can check to see that I am in fact on this
> branch on all my nodes?  Is there a specific version number or
> something I can verify?
> I can see the file in place, and the load statement in my local.bro,
> so not really sure what else to check.  Any assistance would be much
> appreciated.
> On Mon, Apr 21, 2014 at 8:43 AM, Bernhard Amann
> <bernhard at icsi.berkeley.edu> wrote:
>> On Apr 21, 2014, at 5:33 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>>> It appears that the master branch was merged into this heartbeat
>>> branch.  Does this by chance include the memleak-fix merge you
>>> mentioned?  Is this possibly a test before merging these changes into
>>> master its self?
>> It does include the memory leak fixes that were mentioned, if you update
>> the branch to the current state these are included.
>>> Also, it has been a while since I did my install, and I can't recall.
>>> If I do this on my master, then run the broctrl install, does it push
>>> the new install to all the nodes?  I know the configurations get
>>> pushed out, but I can't recall if the entire install is pushed, or
>>> just configuration files.
>> The entire installation is pushed out.
>>> Thank you!
>> You are welcome,
>> Bernhard
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro

More information about the Bro mailing list