[Bro] Detecting heartbleed activity

John Hoyt john.h.hoyt at gmail.com
Thu Apr 10 13:29:27 PDT 2014


After implementing it just a little while ago, I've had eight
notifications, half of which look to be vulnerable servers.

So, I'd say so far so good.

-John


On Thu, Apr 10, 2014 at 4:11 PM, Gary Faulkner <gary at doit.wisc.edu> wrote:

>  Just curious how the heartbleed Bro build is running for folks. Any
> problems?
>
>  On 4/10/2014 2:03 PM, John Hoyt wrote:
>
> That did it. :-)
>
>  Thanks!
>
>
> On Thu, Apr 10, 2014 at 2:42 PM, Bernhard Amann <bernhard at icsi.berkeley.edu> wrote:
>
>> Did you add that after the line that @loads the heartbleed script?
>>
>> On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com> wrote:
>>
>> > Thanks Justin,
>> >
>> > I changed it to what you listed, but I'm still getting the following error:
>> >
>> > error in /bro/share/bro/site/local.bro, line 95: unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success, at or near "Heartbleed::SSL_Heartbeat_Attack_Success"
>> >
>> >
>> > On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>> > On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
>> > > I'm attempting to add an email alert for these, but I'm getting an error.  This
>> > > is my first time attempting this, so I may have something wrong with syntax.
>> > >
>> > > Here is what I've added to local.bro.
>> > >
>> > >
>> > > hook Notice::policy(n: Notice::Info)
>> > >         {
>> > >         if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
>> > >                 add n$actions[Notice::ACTION_EMAIL];
>> > >         }
>> >
>> > The heartbleed module is in the Heartbleed namespace so the notice is
>> >
>> > Heartbleed::SSL_Heartbeat_Attack_Success
>> >
>> > Also, there is a helper for that sort of thing, you can simply:
>> >
>> > redef Notice::emailed_types += {
>> >     Heartbleed::SSL_Heartbeat_Attack_Success,
>> > };
>> >
>> > --
>> > -- Justin Azoff
>> >
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>
>>
>
>