[Bro] Detecting heartbleed activity

sangdrax8 sangdrax8 at gmail.com
Mon Apr 21 07:50:19 PDT 2014


Alright, I have checked with multiple other websites, and it seems
that the first one I tried isn't detected.  I have seen the notice
from a few other scans.  I'll watch the memory and see if the fix that
was merged keeps it in check.



On Mon, Apr 21, 2014 at 10:32 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
> I have pulled the latest branch, installed and pushed to my hosts.  I
> loaded the heartbleed as indicated, then I am testing with the
> following site (https://filippo.io/Heartbleed/) so I can try and cause
> a notice.  After running the attack,  I can't seem to get a notice
> log.
>
> So I figure either the attack generated by this site doesn't trigger
> the script to insert a log, or I have something not configured right
> still.  Is there some way I can check to see that I am in fact on this
> branch on all my nodes?  Is there a specific version number or
> something I can verify?
>
> I can see the file in place, and the load statement in my local.bro,
> so not really sure what else to check.  Any assistance would be much
> appreciated.
>
>
>
> On Mon, Apr 21, 2014 at 8:43 AM, Bernhard Amann
> <bernhard at icsi.berkeley.edu> wrote:
>>
>> On Apr 21, 2014, at 5:33 AM, sangdrax8 <sangdrax8 at gmail.com> wrote:
>>
>>> It appears that the master branch was merged into this heartbeat
>>> branch.  Does this by chance include the memleak-fix merge you
>>> mentioned?  Is this possibly a test before merging these changes into
>>> master itself?
>>
>> It does include the memory leak fixes that were mentioned, if you update
>> the branch to the current state these are included.
>>
>>> Also, it has been a while since I did my install, and I can't recall.
>>> If I do this on my master, then run the broctrl install, does it push
>>> the new install to all the nodes?  I know the configurations get
>>> pushed out, but I can't recall if the entire install is pushed, or
>>> just configuration files.
>>
>> The entire installation is pushed out.
>>
>>> Thank you!
>>
>> You are welcome,
>>  Bernhard


