By now you should have all heard about the Heartbleed flaw:
I just spoke to the Live content team and they are working on creating an application rule to detect Heartbleed activity. Hopefully it will be available in the next 24 hours.
I think it will be a risk.warning - "heartbleed_data_leaked"
Some simple application rules on the decoders can help detect vulnerable versions of OpenSSL. It does this by reading server banners when someone connects to a monitored web service via the HTTP protocol. However, this is an SSL issue, and webhosts that allow only SSL will not trigger detection via these rules. This is a stop-gap, passive vulnerability application rule and should not be relied upon in place of a rigorous, active vulnerability scanning service.
One rule is:
server contains 'openssl/1.0.1e','openssl/1.0.1f','openssl/1.0.1a','openssl/1.0.1b','openssl/1.0.1c','openssl/1.0.1d'
Note that this issue is a patching issue. SA may help in identifying and prioritizing which hosts to patch first, but it is not a substitute for a rigorous scanning and patching effort. Good luck to all those working long hours getting fixes in place.
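The banner check the rule above performs, written out as a stand-alone Python script so it can be run against captured HTTP responses offline. This is an added example, not the poster's rule and not NetWitness code: it extracts the Server header from a raw HTTP response, pulls out the `openssl/<version>` token, and compares it against the affected version list. It goes one step beyond the quoted rule by also flagging plain `1.0.1` (no letter suffix), since 1.0.1 through 1.0.1f are affected and 1.0.1g is the fixed release. The sample responses are constructed for the example.

```python
import re
from typing import Dict, Optional

# Versions listed in the application rule quoted above, plus plain "1.0.1",
# which is also affected (1.0.1g is the first fixed release). This is an
# assumption-free generalization of the rule, not part of the original post.
VULNERABLE_OPENSSL = {
    "1.0.1", "1.0.1a", "1.0.1b", "1.0.1c", "1.0.1d", "1.0.1e", "1.0.1f",
}

# Matches tokens such as "OpenSSL/1.0.1e" anywhere in a Server banner.
OPENSSL_TOKEN = re.compile(r"openssl/([0-9]+\.[0-9]+\.[0-9]+[a-z]?)", re.IGNORECASE)


def server_header(raw_response: bytes) -> Optional[str]:
    """Return the Server header value from a raw HTTP response, or None if absent."""
    head, _, _ = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            return value.strip().decode("latin-1", "replace")
    return None


def openssl_version(banner: str) -> Optional[str]:
    """Extract the OpenSSL version string from a banner, lowercased, or None."""
    match = OPENSSL_TOKEN.search(banner)
    return match.group(1).lower() if match else None


def is_vulnerable_banner(banner: Optional[str]) -> bool:
    """True only when the banner advertises a version in the affected set.

    A missing banner or a banner without an OpenSSL token yields False, which
    means "no evidence", not "patched".
    """
    if banner is None:
        return False
    version = openssl_version(banner)
    return version is not None and version in VULNERABLE_OPENSSL


# Constructed sample responses (not captured traffic), labelled by scenario.
SAMPLE_RESPONSES: Dict[str, bytes] = {
    "affected_1.0.1e": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: Apache/2.2.22 (Ubuntu) OpenSSL/1.0.1e\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "fixed_1.0.1g": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: Apache/2.4.7 (Ubuntu) OpenSSL/1.0.1g\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "no_version_in_banner": (
        b"HTTP/1.1 200 OK\r\n"
        b"Server: nginx\r\n"
        b"Content-Length: 0\r\n\r\n"
    ),
    "affected_plain_1.0.1": (
        b"HTTP/1.1 301 Moved Permanently\r\n"
        b"Server: Apache/2.2.15 (CentOS) OpenSSL/1.0.1\r\n"
        b"Location: https://example.invalid/\r\n\r\n"
    ),
}


def triage(responses: Dict[str, bytes]) -> Dict[str, bool]:
    """Map each labelled response to whether its banner is flagged."""
    return {label: is_vulnerable_banner(server_header(raw)) for label, raw in responses.items()}


if __name__ == "__main__":
    for label, flagged in triage(SAMPLE_RESPONSES).items():
        print(f"{label:24s} flagged={flagged}")
```

Two limitations worth keeping in mind when reading the output. First, as the post says, this only sees plaintext HTTP: a host that serves only HTTPS never exposes its banner to a passive decoder, so "not flagged" is absence of evidence. Second, banner matching can also produce false positives, because some distributions backport the fix without changing the advertised version string; a hit from this rule is a prioritization signal for the scanning and patching effort, not a confirmed vulnerability.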
Just uploaded a pcap of a heartbleed attack with the new TLS and it does not appear to be catching it 😕
Doesn't even show that it used TLS when in wireshark I can see that it did.
Just spoke to the gentleman who created the TLS parsers and would very much like to get that pcap if at all possible. Our first run parsers were a bit too specific in what they were attempting to recognize with regard to Heartbleed, so we opened them up a bit. This may or may not have anything to do with your results, but that certainly isn't to say that you haven't captured an attack scenario we haven't seen. We can always improve; however, we need to know exactly what is being missed.