[Bro] Detecting heartbleed activity

John Hoyt john.h.hoyt at gmail.com
Thu Apr 10 11:12:28 PDT 2014


I'm attempting to add an email alert for these, but I'm getting an error.
This is my first time attempting this, so I may have something wrong with
syntax.

Here is what I've added to local.bro.

hook Notice::policy(n: Notice::Info)
        {
        if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
                add n$actions[Notice::ACTION_EMAIL];
        }


Here is the error:

error in /bro/share/bro/site/local.bro, line 96: unknown identifier
SSL::SSL_Heartbeat_Attack_Success, at or near
"SSL::SSL_Heartbeat_Attack_Success"

-John


On Thu, Apr 10, 2014 at 12:51 PM, James Lay <jlay at slave-tothe-box.net> wrote:

> On 2014-04-10 06:24, James Lay wrote:
> > So...I'd like to be able to see if any heartbleed activity was
> > happening before everyone knew about it. I'm thinking I'd see this in
> > the conn.log with data leaving the server. Any thoughts or pointers we
> > could use to check? Thanks all.
> >
> > James
>
> Thanks for the feedback all..very helpful.
>
> James