Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-14 12:38:20 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

polish script and probably detect encrypted attacks too.

Browse source
This commit is contained in:
Bernhard Amann 2014-04-08 11:19:30 -07:00
parent 335a30b08f
commit c41810a337
1 changed files with 60 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

65
scripts/policy/protocols/ssl/heartbleed.bro
View file

@ -1,9 +1,11 @@
module Heartbleed; module Heartbleed;
redef record SSL::Info += { redef record SSL::Info += {
# last_originator_heartbeat_request_size: count &optional; last_originator_heartbeat_request_size: count &optional;
# originator_heartbeats: count &default=0; last_responder_heartbeat_request_size: count &optional;
# responder_heartbeats: count &default=0; originator_heartbeats: count &default=0;
responder_heartbeats: count &default=0;
heartbleed_detected: bool &default=F; heartbleed_detected: bool &default=F;
}; };
@ -11,8 +13,14 @@ export {
redef enum Notice::Type += { redef enum Notice::Type += {
## Indicates that a host performing a heartbleed attack. ## Indicates that a host performing a heartbleed attack.
SSL_Heartbeat_Attack, SSL_Heartbeat_Attack,
## Indicates that a host performing a heartbleed attack was probably successful. ## Indicates that a host performing a heartbleed attack was successful.
SSL_Heartbeat_Attack_Success, SSL_Heartbeat_Attack_Success,
## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
SSL_Heartbeat_Encrypted_Attack_Success,
## Indicates we saw heartbeet requests with odd length. Probably an attack.
SSL_Heartbeat_Odd_Length,
## Indicates we saw many heartbeat requests without an reply. Might be an attack.
SSL_Heartbeat_Many_Requests
}; };
} }
@ -20,7 +28,6 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
{ {
if ( heartbeat_type == 1 ) if ( heartbeat_type == 1 )
{ {
local checklength: count = (length<(3+16)) ? length : (length - 3 - 16); local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
@ -42,3 +49,51 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
]); ]);
} }
} }
event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
{
if ( is_orig )
++c$ssl$originator_heartbeats;
else
++c$ssl$responder_heartbeats;
if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
NOTICE([$note=SSL_Heartbeat_Many_Requests,
$msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
$conn=c
]);
if ( is_orig && length < 19 )
NOTICE([$note=SSL_Heartbeat_Odd_Length,
$msg="Heartbeat message smaller than minimum length. Probable attack.",
$conn=c
]);
if ( is_orig )
{
if ( c$ssl?$last_responder_heartbeat_request_size )
{
# server originated heartbeat. Ignore & continue
delete c$ssl$last_responder_heartbeat_request_size;
}
else
c$ssl$last_originator_heartbeat_request_size = length;
}
else
{
if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size > length )
{
NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
$msg="An Encrypted TLS heartbleed attack was probably detected!",
$conn=c
]);
}
else if ( ! c$ssl?$last_originator_heartbeat_request_size )
{
c$ssl$last_responder_heartbeat_request_size = length;
}
if ( c$ssl?$last_originator_heartbeat_request_size )
delete c$ssl$last_originator_heartbeat_request_size;
}
}