[Bro] Detecting heartbleed activity
John Hoyt
john.h.hoyt at gmail.com
Thu Apr 10 11:12:28 PDT 2014
I'm attempting to add an email alert for these, but I'm getting an error.
This is my first time attempting this, so I may have something wrong with
syntax.
Here is what I've added to local.bro.
    hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
            add n$actions[Notice::ACTION_EMAIL];
        }
Here is the error:
error in /bro/share/bro/site/local.bro, line 96: unknown identifier
SSL::SSL_Heartbeat_Attack_Success, at or near
"SSL::SSL_Heartbeat_Attack_Success"
-John
On Thu, Apr 10, 2014 at 12:51 PM, James Lay <jlay at slave-tothe-box.net> wrote:
> On 2014-04-10 06:24, James Lay wrote:
> > So...I'd like to be able to see if any heartbleed activity was
> > happening before everyone knew about it. I'm thinking I'd see this in
> > the conn.log with data leaving the server. Any thoughts or pointers we
> > could use to check? Thanks all.
> >
> > James
>
> Thanks for the feedback all..very helpful.
>
> James