List: snort-sigs
Subject: Re: [Snort-sigs] OpenSSL TLS DTSL Heartbleed Bug Sig
From: "Joel Esler (jesler)" <jesler () cisco ! com>
Date: 2014-04-10 22:28:19
Message-ID: 4CDC98A8-F655-49B4-8284-F1EDD39A8649 () cisco ! com
I've removed the rules (instead of updating the blog post every time we update the rules for whatever reason) from the blog post and we are putting them out in the community rule pack now.
http://www.snort.org/snort-rules#community
--
Joel Esler
Open Source Manager
Threat Intelligence Team Lead
Vulnerability Research Team
On Apr 9, 2014, at 11:37 PM, Nicholas Bogart <nickybzoss@gmail.com> wrote:
I had just about the same one that I posted yesterday. Joel referenced me to the latest on the VRT Blog http://vrt-blog.snort.org/ which has several rules covering it in the latest updates.
On Thu, Apr 10, 2014 at 5:07 AM, LIONEL PLAZA <leo240sx@gmail.com> wrote:
Hello Everyone,
Here's a first take at the OpenSSL Heartbleed sig. I didn't get a chance to test, due to moving offices and losing access to lab (temporarily). But I figured someone could try it out and refine it.
# |18 03 03 00 40 03| = record type 0x18 (heartbeat), version 3.3 (TLS 1.2),
# record length 0x0040, then the first byte of the heartbeat message.
# The reference option takes no quotes and the CVE id is 2014-0160. byte_test needs
# <bytes>,<operator>,<value>,<offset>; the bare "byte_test:6;" in the draft would not
# load and is left out here. sid:xxx is a placeholder; assign a local SID before loading.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"OpenSSL TLS DTLS Heartbleed bug CVE-2014-0160"; flow:to_server,established; content:"GET"; nocase; http_method; content:"|18 03 03 00 40 03|"; reference:cve,2014-0160; classtype:successful-user; sid:xxx; rev:1;)
Cheers!
Leo
_______________________________________________
Snort-sigs mailing list
Snort-sigs@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org
Please visit http://blog.snort.org for the latest news about Snort!
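As an added example (not code from the thread, from Leo's draft rule, or from the Snort project): the condition the Heartbleed signatures are reaching for is a TLS heartbeat record whose declared payload_length is larger than the bytes the record actually carries. The draft's fixed bytes "18 03 03 00 40 03" decode as record type 0x18 (heartbeat), protocol version 3.3 and record length 0x0040; the sixth byte sits where RFC 6520 puts the HeartbeatMessageType, which is 1 for a request and 2 for a response, so a fixed 03 there deserves a second look. Two further caveats a reviewer would raise: a rule anchored on an HTTP GET method and $HTTP_PORTS is looking at plaintext HTTP, whereas heartbeat records travel inside the TLS stream on the TLS port, and pinning the record length to 0x0040 misses every other length. The Python below parses a TLS record header, reads the heartbeat header and flags a declared length that cannot fit in the fragment; the records it checks are constructed test vectors, not captures from the list.

```python
"""
Added example (not part of the snort-sigs thread): a minimal checker for the
Heartbleed condition (CVE-2014-0160), i.e. a TLS heartbeat record (RFC 6520)
whose declared payload_length exceeds the bytes actually present in the record.
All sample records below are constructed here for illustration.
"""
import struct

TLS_HEARTBEAT = 0x18            # TLS record content type for heartbeat (RFC 6520)
HB_REQUEST, HB_RESPONSE = 1, 2  # HeartbeatMessageType values
MIN_PADDING = 16                # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(buf):
    """Split a TLS record header from its fragment.
    Returns (content_type, (major, minor), fragment), or None if the 5-byte
    header is not even present."""
    if len(buf) < 5:
        return None
    ctype, major, minor, length = struct.unpack("!BBBH", buf[:5])
    return ctype, (major, minor), buf[5:5 + length]


def check_heartbeat(buf):
    """Classify one TLS record. Returns a verdict string:
      'not-heartbeat'    : content type is not 0x18
      'truncated'        : too short to hold a record or heartbeat header
      'ok'               : declared payload_length fits inside the fragment
      'oversized-length' : declared payload_length exceeds what is present
                           (the Heartbleed condition, CVE-2014-0160)
    """
    rec = parse_tls_record(buf)
    if rec is None:
        return 'truncated'
    ctype, _version, frag = rec
    if ctype != TLS_HEARTBEAT:
        return 'not-heartbeat'
    if len(frag) < 3:
        return 'truncated'
    _hb_type, payload_len = struct.unpack("!BH", frag[:3])
    # RFC 6520: fragment = type(1) + payload_length(2) + payload + padding(>=16).
    if 1 + 2 + payload_len + MIN_PADDING > len(frag):
        return 'oversized-length'
    return 'ok'


def build_heartbeat(payload_len, payload=b"", version=(3, 3), hb_type=HB_REQUEST):
    """Constructed test vector: a heartbeat record whose header *claims*
    payload_len bytes but actually carries `payload` plus 16 bytes of padding."""
    body = struct.pack("!BH", hb_type, payload_len) + payload + b"\x00" * MIN_PADDING
    return struct.pack("!BBBH", TLS_HEARTBEAT, version[0], version[1], len(body)) + body


# Constructed sample records (not captures)
BENIGN = build_heartbeat(4, b"ping")        # declares 4, carries 4  -> 'ok'
MALFORMED = build_heartbeat(0x4000, b"")    # declares 16384, carries 0 -> 'oversized-length'
HANDSHAKE = b"\x16\x03\x03\x00\x05hello"    # content type 0x16 -> 'not-heartbeat'

if __name__ == "__main__":
    for name, rec in [("benign", BENIGN), ("malformed", MALFORMED), ("handshake", HANDSHAKE)]:
        print(f"{name:10s} {rec[:6].hex(' ')}  -> {check_heartbeat(rec)}")
```

check_heartbeat returns the verdict rather than printing it, so the same function can sit behind whatever TLS record reassembly a sensor already does; the length comparison is the part a signature based only on fixed bytes cannot express.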