[Emerging-Sigs] The Heartbleed Bug

Will Metcalf wmetcalf at emergingthreatspro.com
Tue Apr 8 06:14:31 HADT 2014


Going to roll these out for now. Can test this later, but want something
out there.

alert tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:1;)


alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Malformed HeartBeat Response"; flow:established,from_server; flowbits:isset,ET.MalformedTLSHB; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018373; rev:1;)
On Tue, Apr 8, 2014 at 10:04 AM, Victor Julien <lists at inliniac.net> wrote:

> On 04/08/2014 04:38 PM, Will Metcalf wrote:
> > Correct?
> >
> > Yep that is the idea.
> >
> > The TLS record length will include the 1 byte type and the 2 byte length
> > field. Wouldn't that leave 3 bytes?
> > Not sure what you are asking here.. I can check that the record len is
> > gt 2 if that is what you are suggesting.
> >
> > My test pkts break down like this..
> >
> > 18 03 02
> > Record type and TLS version
> >
> > |00 03|
> > Record Len
> >
> > |01|
> > HB type
> >
> > |40 00|
> > HB len
>
> If you have:
>
> TLS 1.1    len 4   hb   len 3   data
> 18 03 02 | 00 04 | 01 | 00 03 | AA
>
> The TLS len is 4, this matches payload len
> The HB len is 3, which is smaller than 4, so the rule considers it valid.
> There is only one data byte. So vuln openssl will still read 2 extra as
> it doesn't check the hb len first.
>
> I think to be fully reliable you will need to consider that the 3 HB
> header bytes are not part of hb_len. Which is why my Lua script has:
>
>     if hb_len+3 > len then
>         --bad
>
> So I think this rule can be bypassed if the data leakage is limited to 3
> bytes. Not sure if that would still be useful, as it may be very hard to
> find out what those 3 bytes may mean.
>
> --
> ---------------------------------------------
> Victor Julien
> http://www.inliniac.net/
> PGP: http://www.inliniac.net/victorjulien.asc
> ---------------------------------------------
>
>
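As an added example (not code from this post, from Victor's Lua script, or from the ET ruleset), the following Python models the byte_test logic of the two rules above next to the stricter check Victor describes (hb_len + 3 > record_len), and feeds all three checks Will's test packet, Victor's 3-byte bypass packet and a well-formed request. The packets are constructed inline from the thread; the function and constant names are mine, and the over-read figure assumes the vulnerable copy uses hb_len without checking it against the record length, as the quoted reply states.

```python
"""
Model of the byte_test checks in sid:2018372 / sid:2018373, beside the
stricter request check from the quoted reply (hb_len + 3 > record_len).

Added example, not part of the original post or the ET ruleset. Packet
layouts are constructed here from the thread; function names are mine.
"""
import struct

RECORD_HEADER = 5          # content type(1) + version(2) + length(2)
HB_HEADER = 3              # heartbeat type(1) + payload_length(2)
HB_REQUEST, HB_RESPONSE = 1, 2


def parse_heartbeat_record(data: bytes):
    """Return the fields the rules look at, or None if this is not a
    heartbeat record (0x18) with version 3.0-3.3 (content:"|18 03|" plus
    byte_test:1,<,4,2)."""
    if len(data) < RECORD_HEADER + HB_HEADER:
        return None
    ctype, vmaj, vmin, record_len = struct.unpack("!BBBH", data[:RECORD_HEADER])
    if ctype != 0x18 or vmaj != 3 or vmin >= 4:
        return None
    hb_type = data[5]
    (hb_len,) = struct.unpack("!H", data[6:8])
    return {"record_len": record_len, "hb_type": hb_type, "hb_len": hb_len}


def request_rule_matches(data: bytes) -> bool:
    """sid:2018372 as posted: |01| at offset 5, record_len > 2, and the
    heartbeat length at offset 6 greater than record_len."""
    r = parse_heartbeat_record(data)
    if r is None or r["hb_type"] != HB_REQUEST:
        return False
    return r["record_len"] > 2 and r["hb_len"] > r["record_len"]


def strict_request_matches(data: bytes) -> bool:
    """The check from the quoted reply: the 3 heartbeat header bytes are
    not counted in hb_len, so the request is malformed when
    hb_len + 3 > record_len."""
    r = parse_heartbeat_record(data)
    if r is None or r["hb_type"] != HB_REQUEST:
        return False
    return r["hb_len"] + HB_HEADER > r["record_len"]


def response_rule_matches(data: bytes) -> bool:
    """sid:2018373 minus the flowbit: heartbeat record with record_len > 200."""
    r = parse_heartbeat_record(data)
    return r is not None and r["record_len"] > 200


def over_read_bytes(data: bytes) -> int:
    """Bytes a copy of hb_len from a buffer holding only the received
    payload would read past its end (assumes hb_len is trusted unchecked)."""
    r = parse_heartbeat_record(data)
    if r is None:
        return 0
    sent = r["record_len"] - HB_HEADER
    return max(0, r["hb_len"] - sent)


def build_heartbeat(hb_type: int, hb_len: int, payload: bytes, vmin: int = 2) -> bytes:
    """Wrap a heartbeat message in a TLS record. hb_len is written as given,
    so it can disagree with len(payload) to produce malformed input."""
    body = bytes([hb_type]) + struct.pack("!H", hb_len) + payload
    return bytes([0x18, 3, vmin]) + struct.pack("!H", len(body)) + body


# Constructed packets taken from the thread.
# Will's test: 18 03 02 | 00 03 | 01 | 40 00  (record_len 3, hb_len 0x4000)
WILL_TEST = build_heartbeat(HB_REQUEST, 0x4000, b"")
# Victor's bypass: 18 03 02 | 00 04 | 01 | 00 03 | AA  (record_len 4, hb_len 3)
VICTOR_BYPASS = build_heartbeat(HB_REQUEST, 3, b"\xaa")
# Well-formed request: hb_len 1, one data byte, 16 bytes of padding
# (the minimum RFC 6520 requires).
BENIGN = build_heartbeat(HB_REQUEST, 1, b"A" + b"\x00" * 16)

if __name__ == "__main__":
    for name, pkt in [("will", WILL_TEST), ("victor", VICTOR_BYPASS), ("benign", BENIGN)]:
        print(f"{name:7} posted={request_rule_matches(pkt)!s:5} "
              f"strict={strict_request_matches(pkt)!s:5} "
              f"over_read={over_read_bytes(pkt)}")
```

Running it shows the gap in the quoted reply concretely: the posted rule fires on Will's packet (hb_len 16384 against a 3-byte record) but not on Victor's (3 is not greater than 4), while the hb_len + 3 check fires on both and stays quiet on the well-formed request. The over-read for the bypass packet is 2 bytes, matching the "read 2 extra" in the reply; whether a 2-byte leak per request is worth alerting on is the trade-off Victor raises.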