[Bro] Detecting heartbleed activity
Bernhard Amann
bernhard at ICSI.Berkeley.EDU
Thu Apr 10 15:46:00 PDT 2014
https://github.com/bro/bro/tree/topic/bernhard/heartbeat - the script is in scripts/policy/protocols/ssl/heartbleed.bro
Make sure to use the linked branch (topic/bernhard/heartbeat)
Bernhard
On Apr 10, 2014, at 3:22 PM, John Babio <jbabio at me.com> wrote:
> Do you have a github with this script in it? Thanks!
>
> On Apr 10, 2014, at 04:29 PM, John Hoyt <john.h.hoyt at gmail.com> wrote:
>
>> After implementing it just a little while ago, I've had eight notifications, half of which look to be vulnerable servers.
>>
>> So, I'd say so far good.
>>
>> -John
>>
>>
>> On Thu, Apr 10, 2014 at 4:11 PM, Gary Faulkner <gary at doit.wisc.edu> wrote:
>> Just curious how the heartbleed Bro build is running for folks. Any problems?
>>
>> On 4/10/2014 2:03 PM, John Hoyt wrote:
>>> That did it. :-)
>>>
>>> Thanks!
>>>
>>>
>>> On Thu, Apr 10, 2014 at 2:42 PM, Bernhard Amann <bernhard at icsi.berkeley.edu> wrote:
>>> Did you add that after the line that @loads the heartbleed script?
>>>
>>> On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com> wrote:
>>>
>>>> Thanks Justin,
>>>>
>>>> I changed it to what you listed, but I'm still getting the following error:
>>>>
>>>> error in /bro/share/bro/site/local.bro, line 95: unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success, at or near "Heartbleed::SSL_Heartbeat_Attack_Success"
>>>>
>>>>
>>>> On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu> wrote:
>>>> On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
>>>>> I'm attempting to add an email alert for these, but I'm getting an error. This
>>>>> is my first time attempting this, so I may have something wrong with syntax.
>>>>>
>>>>> Here is what I've added to local.bro.
>>>>>
>>>>>
>>>>> hook Notice::policy(n: Notice::Info)
>>>>>     {
>>>>>     if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
>>>>>         add n$actions[Notice::ACTION_EMAIL];
>>>>>     }
>>>>
>>>> The heartbleed module is in the Heartbleed namespace so the notice is
>>>>
>>>> Heartbleed::SSL_Heartbeat_Attack_Success
>>>>
>>>> Also, there is a helper for that sort of thing, you can simply:
>>>>
>>>> redef Notice::emailed_types += {
>>>>     Heartbleed::SSL_Heartbeat_Attack_Success,
>>>> };
>>>>
>>>> --
>>>> -- Justin Azoff
>>>>
>>>> _______________________________________________
>>>> Bro mailing list
>>>> bro at bro-ids.org
>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
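Putting the thread's two fixes together, here is an added local.bro fragment (not code from the thread or from the Bro project) that loads the heartbleed script first, uses the Heartbleed namespace, and mails only those success notices whose responding server is one of our own hosts. It assumes a Bro 2.2-era script API and that Site::local_nets is populated from networks.cfg.

```bro
# Added example, not from the thread. The @load must come before any
# hook or redef that references Heartbleed::* identifiers, otherwise
# Bro reports "unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success".
@load protocols/ssl/heartbleed

# Simplest route: the built-in helper mails every notice of this type.
redef Notice::emailed_types += {
    Heartbleed::SSL_Heartbeat_Attack_Success,
};

# Finer-grained route: a policy hook that only emails when the server that
# answered the oversized heartbeat (the likely vulnerable host) is local.
# Assumes Site::local_nets is configured; n$id is the connection 4-tuple.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Heartbleed::SSL_Heartbeat_Attack_Success )
        {
        if ( n?$id && Site::is_local_addr(n$id$resp_h) )
            add n$actions[Notice::ACTION_EMAIL];
        }
    }
```

Use one of the two mechanisms, not both, unless you want external servers mailed by the redef and local ones filtered by the hook.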