[Bro] Detecting heartbleed activity
John Babio
jbabio at me.com
Thu Apr 10 15:22:49 PDT 2014
Do you have a github with this script in it? Thanks!
On Apr 10, 2014, at 04:29 PM, John Hoyt <john.h.hoyt at gmail.com> wrote:
> After implementing it just a little while ago, I've had eight notifications, half of which look to be vulnerable servers.
>
> So, I'd say so far good.
>
> -John
>
>
> On Thu, Apr 10, 2014 at 4:11 PM, Gary Faulkner <gary at doit.wisc.edu> wrote:
>
> Just curious how the heartbleed Bro build is running for folks. Any problems?
>
> On 4/10/2014 2:03 PM, John Hoyt wrote:
>> That did it. :-)
>>
>> Thanks!
>>
>>
>> On Thu, Apr 10, 2014 at 2:42 PM, Bernhard Amann <bernhard at icsi.berkeley.edu> wrote:
>>
>> Did you add that after the line that @loads the heartbleed script?
>>
>> On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com> wrote:
>>
>> > Thanks Justin,
>> >
>> > I changed it to what you listed, but I'm still getting the following error:
>> >
>> > error in /bro/share/bro/site/local.bro, line 95: unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success, at or near "Heartbleed::SSL_Heartbeat_Attack_Success"
>> >
>> >
>> > On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>> > On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
>> > > I'm attempting to add an email alert for these, but I'm getting an error. This
>> > > is my first time attempting this, so I may have something wrong with syntax.
>> > >
>> > > Here is what I've added to local.bro.
>> > >
>> > >
>> > > hook Notice::policy(n: Notice::Info)
>> > >     {
>> > >     if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
>> > >         add n$actions[Notice::ACTION_EMAIL];
>> > >     }
>> >
>> > The heartbleed module is in the Heartbleed namespace so the notice is
>> >
>> > Heartbleed::SSL_Heartbeat_Attack_Success
>> >
>> > Also, there is a helper for that sort of thing, you can simply:
>> >
>> > redef Notice::emailed_types += {
>> >     Heartbleed::SSL_Heartbeat_Attack_Success,
>> > };
>> >
>> > --
>> > -- Justin Azoff
>> >
>> > _______________________________________________
>> > Bro mailing list
>> > bro at bro-ids.org
>> > http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>