[Bro] Detecting heartbleed activity

Gary Faulkner gary at doit.wisc.edu
Thu Apr 10 13:11:19 PDT 2014


Just curious how the heartbleed Bro build is running for folks. Any 
problems?

On 4/10/2014 2:03 PM, John Hoyt wrote:
> That did it. :-)
>
> Thanks!
>
>
> On Thu, Apr 10, 2014 at 2:42 PM, Bernhard Amann
> <bernhard at icsi.berkeley.edu> wrote:
>
>     Did you add that after the line that @loads the heartbleed script?
>
>     On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com>
>     wrote:
>
>     > Thanks Justin,
>     >
>     > I changed it to what you listed, but I'm still getting the following error:
>     >
>     > error in /bro/share/bro/site/local.bro, line 95: unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success, at or near "Heartbleed::SSL_Heartbeat_Attack_Success"
>     >
>     >
>     > On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>     > On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
>     > > I'm attempting to add an email alert for these, but I'm getting an error.
>     > > This is my first time attempting this, so I may have something wrong with syntax.
>     > >
>     > > Here is what I've added to local.bro.
>     > >
>     > >
>     > > hook Notice::policy(n: Notice::Info)
>     > >         {
>     > >         if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
>     > >                 add n$actions[Notice::ACTION_EMAIL];
>     > >         }
>     >
>     > The heartbleed module is in the Heartbleed namespace so the notice is
>     >
>     > Heartbleed::SSL_Heartbeat_Attack_Success
>     >
>     > Also, there is a helper for that sort of thing, you can simply:
>     >
>     > redef Notice::emailed_types += {
>     >     Heartbleed::SSL_Heartbeat_Attack_Success,
>     > };
>     >
>     > --
>     > -- Justin Azoff
>     >
>     > _______________________________________________
>     > Bro mailing list
>     > bro at bro-ids.org
>     > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
