
List:       snort-sigs
Subject:    Re: [Snort-sigs] OpenSSL TLS DTSL Heartbleed Bug Sig
From:       "Joel Esler (jesler)" <jesler () cisco ! com>
Date:       2014-04-10 22:28:19
Message-ID: 4CDC98A8-F655-49B4-8284-F1EDD39A8649 () cisco ! com

I’ve removed the rules (instead of updating the blog post every time we update the rules for whatever reason) from the blog post and we are putting them out in the community rule pack now.

http://www.snort.org/snort-rules#community


--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team

On Apr 9, 2014, at 11:37 PM, Nicholas Bogart <nickybzoss@gmail.com> wrote:

I had just about the same one that I posted yesterday.  Joel referenced me to the latest on the VRT Blog http://vrt-blog.snort.org/ which has several rules covering it in the latest updates.


On Thu, Apr 10, 2014 at 5:07 AM, LIONEL PLAZA <leo240sx@gmail.com> wrote:
Hello Everyone,

Here's a first take at the OpenSSL Heartbleed sig.  I didn't get a chance to test, due to moving offices and losing access to lab (temporarily).  But I figured someone could try it out and refine it.

# Draft rule as posted, with the syntax errors fixed so that Snort will load it:
# - byte_test takes four arguments (bytes,operator,value,offset); a bare "byte_test:6" is invalid and was dropped
# - reference: is written unquoted as cve,<id>; the Heartbleed id is CVE-2014-0160
# - sid: must be numeric; 1000000 and above is the range reserved for local rules
# - content:"GET"; http_method; can never match inside a TLS record, so it would stop the rule from ever firing; removed
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OpenSSL TLS DTLS Heartbleed bug CVE-2014-0160"; flow:to_server,established; content:"|18 03 03 00 40 03|"; reference:cve,2014-0160; classtype:successful-user; sid:1000001; rev:1;)

Cheers!
Leo

_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

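Added here as an illustration of what the draft rule in the thread is trying to catch (this is example code written for this page, not part of the thread, of the VRT rules or of Snort): a small Python checker that parses one TLS record and flags a heartbeat whose declared payload_length does not fit inside the record, which is the length check an unpatched OpenSSL omitted. Unlike the rule's fixed six-byte match, it works for any declared length. The sample records are constructed for the example.

```python
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2
HB_MIN_PADDING = 16           # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(data: bytes):
    """Split one TLS record into (content_type, version, body); None if truncated."""
    if len(data) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) < length:
        return None           # record header claims more bytes than are present
    return ctype, (major, minor), body


def heartbeat_verdict(data: bytes) -> str:
    """Classify a TLS record as 'not-heartbeat', 'ok', 'malformed' or 'heartbleed'."""
    rec = parse_tls_record(data)
    if rec is None:
        return "malformed"
    ctype, _version, body = rec
    if ctype != TLS_HEARTBEAT:
        return "not-heartbeat"
    if len(body) < 3:         # heartbeat header is type(1) + payload_length(2)
        return "malformed"
    hb_type = body[0]
    payload_len = struct.unpack("!H", body[1:3])[0]
    if hb_type not in (HB_REQUEST, HB_RESPONSE):
        return "malformed"
    # RFC 6520: type + payload_length + payload + padding must fit in the record.
    # A receiver that trusts payload_length without this check echoes back
    # whatever follows the message in memory, which is the Heartbleed disclosure.
    if 3 + payload_len + HB_MIN_PADDING > len(body):
        return "heartbleed"
    return "ok"


# Constructed sample records (not captures from the thread):
# record length 0x17 = 23 = 3 header + 4 payload + 16 padding, consistent
BENIGN = bytes([0x18, 0x03, 0x03, 0x00, 0x17, 0x01, 0x00, 0x04]) + b"ping" + b"\x00" * 16
# record length 3 but payload_length 0x4000 = 16384 with no payload at all
SUSPICIOUS = bytes([0x18, 0x03, 0x03, 0x00, 0x03, 0x01, 0x40, 0x00])

if __name__ == "__main__":
    for name, rec in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(name, heartbeat_verdict(rec))
```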




