[Emerging-Sigs] Emergency Heartbleed signatures

Francis Trudeau ftrudeau at emergingthreats.net
Tue Apr 8 06:39:30 EDT 2014


All,

Attached you will find signatures for the recent SSL Heartbleed vuln.

These sigs will be going out via our normal means shortly.  Please use
these until then if needed.

Thanks.
-------------- next part --------------
alert tcp any any -> $HOME_NET any (msg:"ET CURRENT_EVENTS Malformed HeartBeat Request"; flow:established,to_server; content:"|18 03|"; depth:2; byte_test:1,<,4,2; content:"|01|"; offset:5; depth:1; byte_extract:2,3,record_len; byte_test:2,>,2,3; byte_test:2,>,record_len,6; threshold:type limit,track by_src,count 1,seconds 120; flowbits:set,ET.MalformedTLSHB; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com/; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018372; rev:1;)

alert tcp $HOME_NET any -> any any (msg:"ET CURRENT_EVENTS Malformed HeartBeat Response"; flow:established,from_server; flowbits:isset,ET.MalformedTLSHB; content:"|18 03|"; depth:2; byte_test:1,<,4,2; byte_test:2,>,200,3; threshold:type limit,track by_src,count 1,seconds 120; reference:cve,2014-0160; reference:url,blog.inliniac.net/2014/04/08/detecting-openssl-heartbleed-with-suricata/; reference:url,heartbleed.com; reference:url,blog.fox-it.com/2014/04/08/openssl-heartbleed-bug-live-blog/; classtype:bad-unknown; sid:2018373; rev:1;)
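
The byte checks performed by the two rules above, as an added example in Python (not part of the original post or of the Emerging Threats ruleset). The function names, the `Flow` class and the sample records are assumptions constructed for illustration; the `threshold` option is not modelled, and the heartbeat record is assumed to start at byte 0 of the TCP payload, as the rules require.

```python
import struct

def _u16(buf: bytes, off: int) -> int:
    # Big-endian 16-bit read, the same value a 2-byte byte_test/byte_extract sees.
    return struct.unpack_from(">H", buf, off)[0]

def malformed_hb_request(p: bytes) -> bool:
    """Byte checks of sid:2018372 on one client-to-server TCP payload."""
    if len(p) < 8:                   # bytes 0..7 are needed by the tests below
        return False
    record_len = _u16(p, 3)          # byte_extract:2,3,record_len (TLS record length)
    return (
        p[0:2] == b"\x18\x03"        # content:"|18 03|"; depth:2  (type 24 heartbeat, major 3)
        and p[2] < 4                 # byte_test:1,<,4,2           (minor version 0..3)
        and p[5] == 0x01             # content:"|01|"; offset:5    (heartbeat_request)
        and record_len > 2           # byte_test:2,>,2,3
        and _u16(p, 6) > record_len  # byte_test:2,>,record_len,6  (declared payload > record)
    )

def large_hb_response(p: bytes) -> bool:
    """Byte checks of sid:2018373 on one server-to-client TCP payload."""
    if len(p) < 5:
        return False
    return p[0:2] == b"\x18\x03" and p[2] < 4 and _u16(p, 3) > 200

class Flow:
    """Per-connection state standing in for the ET.MalformedTLSHB flowbit."""
    def __init__(self) -> None:
        self.malformed_hb = False

    def to_server(self, p: bytes) -> bool:
        hit = malformed_hb_request(p)
        self.malformed_hb = self.malformed_hb or hit   # flowbits:set
        return hit

    def from_server(self, p: bytes) -> bool:
        # flowbits:isset gates the response rule on an earlier request hit.
        return self.malformed_hb and large_hb_response(p)

# Constructed sample records (not captured traffic).
# Well-formed request: type(1) + length(2) + 4-byte payload + 16 padding = 23.
OK_REQ = b"\x18\x03\x02" + struct.pack(">H", 23) + b"\x01" + struct.pack(">H", 4) + b"ping" + bytes(16)
# Request whose declared payload length is larger than the record carrying it.
BAD_REQ = b"\x18\x03\x02" + struct.pack(">H", 3) + b"\x01" + struct.pack(">H", 0x4000)
# Heartbeat record from the server longer than 200 bytes.
BIG_RSP = b"\x18\x03\x02" + struct.pack(">H", 1024) + bytes(1024)
```
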


