[Bro] Detecting heartbleed activity

John Babio jbabio at me.com
Thu Apr 10 15:22:49 PDT 2014


Do you have a github with this script in it? Thanks!

On Apr 10, 2014, at 04:29 PM, John Hoyt <john.h.hoyt at gmail.com> wrote:

> After implementing it just a little while ago, I've had eight notifications, half of which look to be vulnerable servers.
>
> So, I'd say so far good.  
>
> -John
>
>
> On Thu, Apr 10, 2014 at 4:11 PM, Gary Faulkner <gary at doit.wisc.edu> wrote:
>
>     Just curious how the heartbleed Bro build is running for folks. Any problems?
>
>     On 4/10/2014 2:03 PM, John Hoyt wrote:
>>     That did it. :-)
>>
>>     Thanks!
>>
>>
>>     On Thu, Apr 10, 2014 at 2:42 PM, Bernhard Amann <bernhard at icsi.berkeley.edu> wrote:
>>
>>         Did you add that after the line that @loads the heartbleed script?
>>
>>         On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com> wrote:
>>
>>         > Thanks Justin,
>>         >
>>         > I changed it to what you listed, but I'm still getting the following error:
>>         >
>>         > error in /bro/share/bro/site/local.bro, line 95: unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success, at or near "Heartbleed::SSL_Heartbeat_Attack_Success"
>>         >
>>         >
>>         > On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>>         > On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
>>         > > I'm attempting to add an email alert for these, but I'm getting an error.  This
>>         > > is my first time attempting this, so I may have something wrong with syntax.
>>         > >
>>         > > Here is what I've added to local.bro.
>>         > >
>>         > >
>>         > > hook Notice::policy(n: Notice::Info)
>>         > >         {
>>         > >         if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
>>         > >                 add n$actions[Notice::ACTION_EMAIL];
>>         > >         }
>>         >
>>         > The heartbleed module is in the Heartbleed namespace so the notice is
>>         >
>>         > Heartbleed::SSL_Heartbeat_Attack_Success
>>         >
>>         > Also, there is a helper for that sort of thing, you can simply:
>>         >
>>         > redef Notice::emailed_types += {
>>         >     Heartbleed::SSL_Heartbeat_Attack_Success,
>>         > };
>>         >
>>         > --
>>         > -- Justin Azoff
>>         >
>>         > _______________________________________________
>>         > Bro mailing list
>>         > bro at bro-ids.org
>>         > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
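The configuration this thread converges on, written out as an added example that is not part of any poster's message: the `@load` comes first, the notice is referenced in the `Heartbleed` namespace, and the hook form is used so the email can be limited to local servers. The `@load` path and the reliance on `Site::local_nets` being populated are assumptions about the local install.

```bro
# local.bro excerpt (added example, not from the thread).
#
# Bro resolves identifiers while it parses, top to bottom. If anything
# below refers to Heartbleed::... before the script defining that module
# has been loaded, parsing stops with:
#   unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success

# 1. Load the script that defines the Heartbleed module and its notices.
#    Assumption: this is the path of the script in your Bro tree; adjust
#    it to wherever your build installed the heartbleed script.
@load policy/protocols/ssl/heartbleed

# 2. Only after the @load, reference the notice type.
#    The hook form allows extra conditions. Here the email is sent only
#    when the responder (the server side of the connection) is one of
#    our own hosts.
#    Assumption: Site::local_nets is populated (e.g. via networks.cfg).
hook Notice::policy(n: Notice::Info)
	{
	if ( n$note == Heartbleed::SSL_Heartbeat_Attack_Success &&
	     n?$dst && Site::is_local_addr(n$dst) )
		add n$actions[Notice::ACTION_EMAIL];
	}

# Alternative without conditions (the helper from the thread): email
# every notice of this type. Use this instead of the hook above, not
# in addition to it.
#
# redef Notice::emailed_types += {
#     Heartbleed::SSL_Heartbeat_Attack_Success,
# };
```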

