[Bro] Detecting heartbleed activity

John Hoyt john.h.hoyt at gmail.com
Thu Apr 10 11:32:29 PDT 2014


Thanks Justin,

I changed it to what you listed, but I'm still getting the following error:

error in /bro/share/bro/site/local.bro, line 95: unknown identifier
Heartbleed::SSL_Heartbeat_Attack_Success, at or near
"Heartbleed::SSL_Heartbeat_Attack_Success"


On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:

> On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
> > I'm attempting to add an email alert for these, but I'm getting an error.  This
> > is my first time attempting this, so I may have something wrong with syntax.
> >
> > Here is what I've added to local.bro.
> >
> >
> > hook Notice::policy(n: Notice::Info)
> >         {
> >         if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
> >                 add n$actions[Notice::ACTION_EMAIL];
> >         }
>
> The heartbleed module is in the Heartbleed namespace so the notice is
>
> Heartbleed::SSL_Heartbeat_Attack_Success
>
> Also, there is a helper for that sort of thing, you can simply:
>
> redef Notice::emailed_types += {
>     Heartbleed::SSL_Heartbeat_Attack_Success,
> };
>
> --
> -- Justin Azoff
>