[Bro] Detecting heartbleed activity

Bernhard Amann bernhard at ICSI.Berkeley.EDU
Thu Apr 10 15:46:00 PDT 2014


https://github.com/bro/bro/tree/topic/bernhard/heartbeat - the script is in scripts/policy/protocols/ssl/heartbleed.bro

Make sure to use the linked branch (topic/bernhard/heartbeat)

Bernhard

On Apr 10, 2014, at 3:22 PM, John Babio <jbabio at me.com> wrote:

> Do you have a github with this script in it? Thanks!
> 
> On Apr 10, 2014, at 04:29 PM, John Hoyt <john.h.hoyt at gmail.com> wrote:
> 
>> After implementing it just a little while ago, I've had eight notifications, half of which look to be vulnerable servers.
>> 
>> So, I'd say so far good.  
>> 
>> -John
>> 
>> 
>> On Thu, Apr 10, 2014 at 4:11 PM, Gary Faulkner <gary at doit.wisc.edu> wrote:
>> Just curious how the heartbleed Bro build is running for folks. Any problems?
>> 
>> On 4/10/2014 2:03 PM, John Hoyt wrote:
>>> That did it. :-)
>>> 
>>> Thanks!
>>> 
>>> 
>>> On Thu, Apr 10, 2014 at 2:42 PM, Bernhard Amann <bernhard at icsi.berkeley.edu> wrote:
>>> Did you add that after the line that @loads the heartbleed script?
>>> 
>>> On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com> wrote:
>>> 
>>>> Thanks Justin,
>>>> 
>>>> I changed it to what you listed, but I'm still getting the following error:
>>>> 
>>>> error in /bro/share/bro/site/local.bro, line 95: unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success, at or near "Heartbleed::SSL_Heartbeat_Attack_Success"
>>>> 
>>>> 
>>>> On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>>>> On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
>>>>> I'm attempting to add an email alert for these, but I'm getting an error. This
>>>>> is my first time attempting this, so I may have something wrong with syntax.
>>>>> 
>>>>> Here is what I've added to local.bro.
>>>>> 
>>>>> 
>>>>> hook Notice::policy(n: Notice::Info)
>>>>>        {
>>>>>        if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
>>>>>                add n$actions[Notice::ACTION_EMAIL];
>>>>>        }
>>>> 
>>>> The heartbleed module is in the Heartbleed namespace so the notice is
>>>> 
>>>> Heartbleed::SSL_Heartbeat_Attack_Success
>>>> 
>>>> Also, there is a helper for that sort of thing, you can simply:
>>>> 
>>>> redef Notice::emailed_types += {
>>>>    Heartbleed::SSL_Heartbeat_Attack_Success,
>>>> };
>>>> 
>>>> --
>>>> -- Justin Azoff
>>>> 
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>> 
>> 
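The configuration the quoted thread arrives at, as an added example that is not from the thread or the Bro project: a local.bro fragment that loads the branch's heartbleed script before referencing its namespace and emails only when the leaking server is one of the site's own. The mail address is a placeholder and Site::local_nets is assumed to be configured.

```bro
# Added example (not from the thread or the Bro project). Assumes the
# topic/bernhard/heartbeat branch is installed and Site::local_nets is
# configured; the mail destination below is a placeholder.

# This must come before any reference to the Heartbleed namespace, otherwise
# Bro reports "unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success".
@load protocols/ssl/heartbleed

redef Notice::mail_dest = "secteam@example.com";  # placeholder address

hook Notice::policy(n: Notice::Info)
	{
	# The notice type lives in the Heartbleed namespace, not SSL.
	if ( n$note == Heartbleed::SSL_Heartbeat_Attack_Success )
		{
		# When the notice carries a connection, the framework fills n$dst
		# from the responder address, i.e. the server that leaked memory.
		# Mail only for servers we operate; the rest still goes to notice.log.
		if ( n?$dst && Site::is_local_addr(n$dst) )
			add n$actions[Notice::ACTION_EMAIL];
		}
	}
```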