[Bro] Detecting heartbleed activity
Gary Faulkner
gary at doit.wisc.edu
Thu Apr 10 13:11:19 PDT 2014
Just curious how the heartbleed Bro build is running for folks. Any
problems?
On 4/10/2014 2:03 PM, John Hoyt wrote:
> That did it. :-)
>
> Thanks!
>
>
> On Thu, Apr 10, 2014 at 2:42 PM, Bernhard Amann <bernhard at icsi.berkeley.edu> wrote:
>
> Did you add that after the line that @loads the heartbleed script?
>
> On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com> wrote:
>
> > Thanks Justin,
> >
> > I changed it to what you listed, but I'm still getting the following error:
> >
> > error in /bro/share/bro/site/local.bro, line 95: unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success, at or near "Heartbleed::SSL_Heartbeat_Attack_Success"
> >
> >
> > On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:
> > On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
> > > I'm attempting to add an email alert for these, but I'm getting an error. This
> > > is my first time attempting this, so I may have something wrong with syntax.
> > >
> > > Here is what I've added to local.bro.
> > >
> > >
> > > hook Notice::policy(n: Notice::Info)
> > >     {
> > >     if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
> > >         add n$actions[Notice::ACTION_EMAIL];
> > >     }
> >
> > The heartbleed module is in the Heartbleed namespace so the notice is
> >
> > Heartbleed::SSL_Heartbeat_Attack_Success
> >
> > Also, there is a helper for that sort of thing, you can simply:
> >
> > redef Notice::emailed_types += {
> > Heartbleed::SSL_Heartbeat_Attack_Success,
> > };
> >
> > --
> > -- Justin Azoff
> >
> > _______________________________________________
> > Bro mailing list
> > bro at bro-ids.org
> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>
>
>
>
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
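
The fix this thread arrives at, as an added example that is not part of the original messages: the notice must be referenced through the Heartbleed namespace, and only after the line that @loads the heartbleed script, otherwise local.bro fails with the "unknown identifier" error quoted above. The @load path is an assumption (where the script lives in stock Bro 2.3 and later); use whatever path the heartbleed build in use installs.

```bro
# local.bro fragment (added example, not from the thread).

# 1. Load the detection script first. This is what defines the Heartbleed
#    module and its notice types.
#    ASSUMPTION: script path as shipped in stock Bro 2.3+.
@load protocols/ssl/heartbleed

# 2. Only after the @load can the notice type be referenced. Placed above
#    the @load, this redef is parsed before the Heartbleed module exists
#    and Bro stops with "unknown identifier".
redef Notice::emailed_types += {
	Heartbleed::SSL_Heartbeat_Attack_Success,
};

# Equivalent explicit form using the notice policy hook. Either form alone
# is sufficient; the same ordering rule applies to both.
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Heartbleed::SSL_Heartbeat_Attack_Success )
		add n$actions[Notice::ACTION_EMAIL];
	}

# Note: ACTION_EMAIL only results in mail when Notice::mail_dest is set
# to a destination address.
```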