diff --git a/scripts/policy/protocols/ssl/heartbleed.bro b/scripts/policy/protocols/ssl/heartbleed.bro index 0049c4c51f..dc38c66f73 100644 --- a/scripts/policy/protocols/ssl/heartbleed.bro +++ b/scripts/policy/protocols/ssl/heartbleed.bro @@ -15,11 +15,9 @@ export { redef enum Notice::Type += { ## Indicates that a host performing a heartbleed attack. SSL_Heartbeat_Attack, - ## Indicates that a host performing a heartbleed attack was successful. + ## Indicates that a host performing a heartbleed attack was probably successful. SSL_Heartbeat_Attack_Success, - ## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful - SSL_Heartbeat_Encrypted_Attack_Success, - ## Indicates we saw heartbeet requests with odd length. Probably an attack. + ## Indicates we saw heartbeat requests with odd length. Probably an attack. SSL_Heartbeat_Odd_Length, ## Indicates we saw many heartbeat requests without an reply. Might be an attack. SSL_Heartbeat_Many_Requests @@ -37,7 +35,8 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: c$ssl$heartbleed_detected = T; NOTICE([$note=SSL_Heartbeat_Attack, $msg=fmt("An TLS heartbleed attack was detected! Record length %d, payload length %d", length, payload_length), - $conn=c + $conn=c, + $identifier=cat(c$uid, length, payload_length) ]); } } @@ -45,8 +44,9 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: if ( heartbeat_type == 2 && c$ssl$heartbleed_detected ) { NOTICE([$note=SSL_Heartbeat_Attack_Success, - $msg="An TLS heartbleed attack was detected and probably exploited", - $conn=c + $msg=fmt("An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: %d", payload_length), + $conn=c, + $identifier=c$uid ]); } } @@ -60,16 +60,26 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count) if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 ) NOTICE([$note=SSL_Heartbeat_Many_Requests, - $msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?", + $msg=fmt("Seeing more than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats), $conn=c, - $n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats) + $n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats), + $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats + ]); + + if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 ) + NOTICE([$note=SSL_Heartbeat_Many_Requests, + $msg=fmt("Server is sending more heartbleed responsed than requests were seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats), + $conn=c, + $n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats), + $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats ]); if ( is_orig && length < 19 ) NOTICE([$note=SSL_Heartbeat_Odd_Length, - $msg="Heartbeat message smaller than minimum length. Probable attack.", + $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d", length), $conn=c, - $n=length + $n=length, + $identifier=cat(c$uid, length) ]); if ( is_orig ) @@ -86,9 +96,11 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count) { if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length ) { - NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success, - $msg="An Encrypted TLS heartbleed attack was probably detected!", - $conn=c + NOTICE([$note=SSL_Heartbeat_Attack_Success, + $msg=fmt("An Encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d", + c$ssl?$last_originator_heartbeat_request_size, c$ssl$last_originator_heartbeat_request_size), + $conn=c, + $identifier=c$uid # only throw once per connection ]); } else if ( ! c$ssl?$last_originator_heartbeat_request_size )