[Bro] Detecting heartbleed activity

Gary Faulkner gary at doit.wisc.edu
Thu Apr 10 16:54:00 PDT 2014


I may have experienced something similar, although I only have 64G of 
RAM on my worker node at present, so my workers would reach about 7-8G 
committed memory within 5-15 minutes before being OOM-killed. I've had 
memory issues in the past on 2.2-release, so I can't rule out my 
environment, although I've been problem free for the last month after 
moving to 2.2-184, so I just went back to that. When it was up and 
running I got a lot of good confirmed detections though.

Regards

On 4/10/2014 6:19 PM, Alex Waher wrote:
> I had the heartbeat branch running for a few hours (very successfully
> detecting activity!) and noticed it eventually had the manager worker
> consuming +70gb of memory. Wasn't sure if the leak was from the heartbeat
> capability itself or something else along the current git repo.. ymmv!
>
>
> On Thu, Apr 10, 2014 at 3:46 PM, Bernhard Amann
> <bernhard at icsi.berkeley.edu>wrote:
>
>> https://github.com/bro/bro/tree/topic/bernhard/heartbeat - the script is
>> in scripts/policy/protocols/ssl/heartbleed.bro
>>
>> Make sure to use the linked branch (topic/bernhard/heartbeat)
>>
>> Bernhard
>>
>> On Apr 10, 2014, at 3:22 PM, John Babio <jbabio at me.com> wrote:
>>
>>> Do you have a github with this script in it? Thanks!
>>>
>>> On Apr 10, 2014, at 04:29 PM, John Hoyt <john.h.hoyt at gmail.com> wrote:
>>>
>>>> After implementing it just a little while ago, I've had eight
>>>> notifications, half of which look to be vulnerable servers.
>>>> So, I'd say so far good.
>>>>
>>>> -John
>>>>
>>>>
>>>> On Thu, Apr 10, 2014 at 4:11 PM, Gary Faulkner <gary at doit.wisc.edu>
>> wrote:
>>>> Just curious how the heartbleed Bro build is running for folks. Any
>>>> problems?
>>>> On 4/10/2014 2:03 PM, John Hoyt wrote:
>>>>> That did it. :-)
>>>>>
>>>>> Thanks!
>>>>>
>>>>>
>>>>> On Thu, Apr 10, 2014 at 2:42 PM, Bernhard Amann <
>> bernhard at icsi.berkeley.edu> wrote:
>>>>> Did you add that after the line that @loads the heartbleed script?
>>>>>
>>>>> On Apr 10, 2014, at 11:32 AM, John Hoyt <john.h.hoyt at gmail.com> wrote:
>>>>>
>>>>>> Thanks Justin,
>>>>>>
>>>>>> I changed it to what you listed, but I'm still getting the following
>>>>>> error:
>>>>>> error in /bro/share/bro/site/local.bro, line 95: unknown identifier
>>>>>> Heartbleed::SSL_Heartbeat_Attack_Success, at or near
>>>>>> "Heartbleed::SSL_Heartbeat_Attack_Success"
>>>>>>
>>>>>> On Thu, Apr 10, 2014 at 2:20 PM, Justin Azoff <JAzoff at albany.edu>
>> wrote:
>>>>>> On Thu, Apr 10, 2014 at 02:12:28PM -0400, John Hoyt wrote:
>>>>>>> I'm attempting to add an email alert for these, but I'm getting an
>>>>>>> error.  This is my first time attempting this, so I may have something
>>>>>>> wrong with syntax.
>>>>>>> Here is what I've added to local.bro.
>>>>>>>
>>>>>>> hook Notice::policy(n: Notice::Info)
>>>>>>>         {
>>>>>>>         if ( n$note == SSL::SSL_Heartbeat_Attack_Success )
>>>>>>>                 add n$actions[Notice::ACTION_EMAIL];
>>>>>>>         }
>>>>>> The heartbleed module is in the Heartbleed namespace so the notice is
>>>>>>
>>>>>> Heartbleed::SSL_Heartbeat_Attack_Success
>>>>>>
>>>>>> Also, there is a helper for that sort of thing, you can simply:
>>>>>>
>>>>>> redef Notice::emailed_types += {
>>>>>>     Heartbleed::SSL_Heartbeat_Attack_Success,
>>>>>> };
>>>>>>
>>>>>> --
>>>>>> -- Justin Azoff
>>>>>>
>>>>>> _______________________________________________
>>>>>> Bro mailing list
>>>>>> bro at bro-ids.org
>>>>>> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
>>>>>
>>>>>
>>>>>
>>>>
>>
>>
>
>

-- 
Gary Faulkner
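The corrected local.bro fragment from the exchange above, written out as an added example (not code from the thread or from the Bro project). It loads the branch's heartbleed script before anything refers to the Heartbleed namespace, which is what the "unknown identifier" error was about, uses the Notice::emailed_types helper Justin mentioned for email, and adds a hook that escalates only successful attacks against responders inside Site::local_nets. Site::is_local_addr, Notice::ACTION_ALARM and the optional n$id connection record are standard Bro 2.x notice-framework pieces; that the notice carries a connection id, and that the responder is the TLS server, are assumptions.

```bro
# local.bro (added example; assumes the topic/bernhard/heartbeat branch is installed)

# Load the detector first. The Heartbleed:: namespace and its notice types
# exist only after this line, so a hook or redef placed above it fails with
# "unknown identifier Heartbleed::SSL_Heartbeat_Attack_Success".
@load protocols/ssl/heartbleed

# Email every successful-attack notice via the notice framework's own helper.
redef Notice::emailed_types += {
    Heartbleed::SSL_Heartbeat_Attack_Success,
};

# Finer control on top of that: raise an alarm only when the responder of the
# connection (assumed to be the TLS server) is one of our own hosts.
# n$id is &optional in Notice::Info, so test for it before dereferencing.
hook Notice::policy(n: Notice::Info)
    {
    if ( n$note == Heartbleed::SSL_Heartbeat_Attack_Success &&
         n?$id && Site::is_local_addr(n$id$resp_h) )
        {
        add n$actions[Notice::ACTION_ALARM];
        }
    }
```

Site::local_nets must be populated (in local.bro or via broctl's networks.cfg) for Site::is_local_addr to return true; with it empty the hook adds nothing and only the emailed_types entry takes effect.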
