[Bro] Detecting heartbleed activity
Justin Azoff
JAzoff at albany.edu
Thu Apr 10 11:20:26 PDT 2014
On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
> I'm attempting to add an email alert for these, but I'm getting an error. This
> is my first time attempting this, so I may have something wrong with syntax.
>
> Here is what I've added to local.bro.
>
> hook Notice::policy(n: Notice::Info)
> {
>     if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
>         add n$actions[Notice::ACTION_EMAIL];
> }

The heartbleed module is in the Heartbleed namespace, so the notice is
Heartbleed::SSL_Heartbeat_Attack_Success.

Also, there is a helper for that sort of thing; you can simply:

    redef Notice::emailed_types += {
        Heartbleed::SSL_Heartbeat_Attack_Success,
    };

--
-- Justin Azoff