FBI Snort Signatures for Heartbleed

Monday, April 14, 2014 @ 03:04 PM gHale


The alerts continue about the vulnerability in the OpenSSL (Open Secure Socket Layer) implementation of the Heartbeat extension. This time the FBI put together a series of Snort signatures (Snort is the open source network intrusion detection and prevention system, IDS/IPS, developed by Sourcefire) that may help detect exploitation.

Exploitation may result in a leak of memory contents leading to the compromise of encryption keys, authentication keys, user credentials or other data from Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS) clients and servers.


The affected versions of OpenSSL software are versions 1.0.1 through 1.0.1f. Versions prior to 1.0.1 do not have the issue and versions 1.0.1g and later have implemented a fix for the vulnerability.

The following Snort signatures were developed and tested to detect attempted exploitation of the vulnerability by known open source exploitation techniques. They are bi-directional, so they detect both client-to-server and server-to-client requests. These signatures should be implemented immediately at lower levels as well.

Snort Signatures:
alert tcp any any <> any [443,465,563,636,695,898,989,990,992,993,994,995,2083,2087,2096,2484,8443,8883,9091] (content:"|18 03 00|"; depth:3; content:"|01|"; distance:2; within:1; content:!"|00|"; within:1; msg:"SSLv3 Malicious Heartbleed RequestV2"; sid:1;)

alert tcp any any <> any [443,465,563,636,695,898,989,990,992,993,994,995,2083,2087,2096,2484,8443,8883,9091] (content:"|18 03 01|"; depth:3; content:"|01|"; distance:2; within:1; content:!"|00|"; within:1; msg:"TLSv1 Malicious Heartbleed RequestV2"; sid:2;)

alert tcp any any <> any [443,465,563,636,695,898,989,990,992,993,994,995,2083,2087,2096,2484,8443,8883,9091] (content:"|18 03 02|"; depth:3; content:"|01|"; distance:2; within:1; content:!"|00|"; within:1; msg:"TLSv1.1 Malicious Heartbleed RequestV2"; sid:3;)

alert tcp any any <> any [443,465,563,636,695,898,989,990,992,993,994,995,2083,2087,2096,2484,8443,8883,9091] (content:"|18 03 03|"; depth:3; content:"|01|"; distance:2; within:1; content:!"|00|"; within:1; msg:"TLSv1.2 Malicious Heartbleed RequestV2"; sid:4;)
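The four signatures share one byte-level test: a TLS record of content type 0x18 (heartbeat) with a known SSLv3/TLS version, a heartbeat type byte of 0x01 (request) at offset 5, and a non-zero high byte in the two-byte payload length at offset 6, i.e. a declared payload of 256 bytes or more. The following Python script is an added example, not part of the FBI release or of this article; it applies exactly that logic to constructed sample records so the rules can be read and unit-tested offline, and it adds a stricter check (my addition, not in the signatures) that compares the declared payload length with what the record actually carries, which is the condition the vulnerable OpenSSL code failed to enforce. The sample byte strings are constructed, not captured traffic.

```python
"""Added example: reproduce the FBI Snort Heartbleed signature logic in Python.

Not part of the original article or the FBI release. Sample records below are
constructed for illustration, not captured traffic.
"""
import struct

HEARTBEAT_CONTENT_TYPE = 0x18   # TLS record content type used by the Heartbeat extension
HEARTBEAT_REQUEST = 0x01        # heartbeat message type: 1 = request, 2 = response
TLS_VERSIONS = {                # the version bytes the four signatures look for
    (0x03, 0x00): "SSLv3",
    (0x03, 0x01): "TLSv1",
    (0x03, 0x02): "TLSv1.1",
    (0x03, 0x03): "TLSv1.2",
}


def match_snort_signature(record: bytes):
    """Return the msg of the signature that would fire on this record, or None.

    Same tests as the rule options, byte for byte:
      content:"|18 03 0x|"; depth:3;         -> bytes 0..2: heartbeat record, known version
      content:"|01|"; distance:2; within:1;  -> skip the 2-byte record length; byte 5 == 0x01
      content:!"|00|"; within:1;             -> byte 6 (high byte of payload length) != 0x00
    """
    if len(record) < 7 or record[0] != HEARTBEAT_CONTENT_TYPE:
        return None
    name = TLS_VERSIONS.get((record[1], record[2]))
    if name is None or record[5] != HEARTBEAT_REQUEST or record[6] == 0x00:
        return None
    return f"{name} Malicious Heartbleed RequestV2"


def declared_vs_actual_payload(record: bytes):
    """Stricter check (added here, not in the signatures): does the declared
    heartbeat payload length exceed what the record can actually carry?

    A heartbeat body is 1 type byte + 2 length bytes + payload + at least 16
    bytes of padding (RFC 6520), so a record of length L carries at most
    L - 19 payload bytes.  Returns True when the declared length is larger.
    """
    if len(record) < 8 or record[0] != HEARTBEAT_CONTENT_TYPE:
        return None
    record_len = struct.unpack("!H", record[3:5])[0]
    payload_len = struct.unpack("!H", record[6:8])[0]
    return payload_len > record_len - 19


def scan_stream(data: bytes):
    """Walk a byte stream of concatenated TLS records; return [(offset, msg), ...]."""
    findings = []
    offset = 0
    while offset + 5 <= len(data):
        record_len = struct.unpack("!H", data[offset + 3:offset + 5])[0]
        record = data[offset:offset + 5 + record_len]
        msg = match_snort_signature(record)
        if msg:
            findings.append((offset, msg))
        offset += 5 + record_len
    return findings


# Constructed sample records (not captured traffic).
# Ordinary TLSv1 heartbeat request: record length 22 = 1 + 2 + 3-byte payload + 16-byte padding.
BENIGN_RECORD = b"\x18\x03\x01\x00\x16\x01\x00\x03abc" + b"\x00" * 16
# TLSv1.1 request declaring a 16384-byte payload inside a 3-byte record: fires sid 3.
OVERSIZED_RECORD = b"\x18\x03\x02\x00\x03\x01\x40\x00"
# TLSv1.2 request declaring 255 bytes in a 3-byte record: high length byte is 0x00, so the
# signatures stay silent, but the declared-vs-actual comparison still flags it.
SMALL_LIE_RECORD = b"\x18\x03\x03\x00\x03\x01\x00\xff"

if __name__ == "__main__":
    # an application-data record (type 0x17) followed by the oversized heartbeat
    stream = b"\x17\x03\x01\x00\x02hi" + OVERSIZED_RECORD
    print(scan_stream(stream))
    for rec in (BENIGN_RECORD, OVERSIZED_RECORD, SMALL_LIE_RECORD):
        print(match_snort_signature(rec), declared_vs_actual_payload(rec))
```

The `SMALL_LIE_RECORD` case shows the coverage limit of the published rules: they only fire when the declared payload length is at least 256 bytes, so a sensor that can parse the heartbeat body should pair them with the length comparison in `declared_vs_actual_payload`, which catches any request whose declared length exceeds the record. Note also that the rules inspect plaintext record headers only; heartbeats sent after the handshake completes have an encrypted body, which is one reason the published rules are bi-directional and anchored on the record header rather than on payload contents.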
