mirror of
https://github.com/zeek/zeek.git
synced 2025-10-11 19:18:19 +00:00
Nicer notices for heartbleed.
Duplicates are now excluded and the notice texts contain a bit more useful information.
This commit is contained in:
Bernhard Amann
parent
4405121fb2
commit
ef41cc7189
1 changed files with 26 additions and 14 deletions
|
|
@ -15,11 +15,9 @@ export {
|
|||
redef enum Notice::Type += {
|
||||
## Indicates that a host performing a heartbleed attack.
|
||||
SSL_Heartbeat_Attack,
|
||||
## Indicates that a host performing a heartbleed attack was successful.
|
||||
## Indicates that a host performing a heartbleed attack was probably successful.
|
||||
SSL_Heartbeat_Attack_Success,
|
||||
## Indivcates that a host performing a heartbleed attack after encryption was started was probably successful
|
||||
SSL_Heartbeat_Encrypted_Attack_Success,
|
||||
## Indicates we saw heartbeet requests with odd length. Probably an attack.
|
||||
## Indicates we saw heartbeat requests with odd length. Probably an attack.
|
||||
SSL_Heartbeat_Odd_Length,
|
||||
## Indicates we saw many heartbeat requests without an reply. Might be an attack.
|
||||
SSL_Heartbeat_Many_Requests
|
||||
|
|
@ -37,7 +35,8 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
|
|||
c$ssl$heartbleed_detected = T;
|
||||
NOTICE([$note=SSL_Heartbeat_Attack,
|
||||
$msg=fmt("An TLS heartbleed attack was detected! Record length %d, payload length %d", length, payload_length),
|
||||
$conn=c
|
||||
$conn=c,
|
||||
$identifier=cat(c$uid, length, payload_length)
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
|
@ -45,8 +44,9 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
|
|||
if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
|
||||
{
|
||||
NOTICE([$note=SSL_Heartbeat_Attack_Success,
|
||||
$msg="An TLS heartbleed attack was detected and probably exploited",
|
||||
$conn=c
|
||||
$msg=fmt("An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: %d", payload_length),
|
||||
$conn=c,
|
||||
$identifier=c$uid
|
||||
]);
|
||||
}
|
||||
}
|
||||
|
|
@ -60,16 +60,26 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
|
|||
|
||||
if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
|
||||
NOTICE([$note=SSL_Heartbeat_Many_Requests,
|
||||
$msg="Seeing more than 3 heartbeat requests without replies from server. Possible attack?",
|
||||
$msg=fmt("Seeing more than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
|
||||
$conn=c,
|
||||
$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats)
|
||||
$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
|
||||
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
|
||||
]);
|
||||
|
||||
if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 )
|
||||
NOTICE([$note=SSL_Heartbeat_Many_Requests,
|
||||
$msg=fmt("Server is sending more heartbleed responsed than requests were seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
|
||||
$conn=c,
|
||||
$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
|
||||
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
|
||||
]);
|
||||
|
||||
if ( is_orig && length < 19 )
|
||||
NOTICE([$note=SSL_Heartbeat_Odd_Length,
|
||||
$msg="Heartbeat message smaller than minimum length. Probable attack.",
|
||||
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d", length),
|
||||
$conn=c,
|
||||
$n=length
|
||||
$n=length,
|
||||
$identifier=cat(c$uid, length)
|
||||
]);
|
||||
|
||||
if ( is_orig )
|
||||
|
|
@ -86,9 +96,11 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
|
|||
{
|
||||
if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length )
|
||||
{
|
||||
NOTICE([$note=SSL_Heartbeat_Encrypted_Attack_Success,
|
||||
$msg="An Encrypted TLS heartbleed attack was probably detected!",
|
||||
$conn=c
|
||||
NOTICE([$note=SSL_Heartbeat_Attack_Success,
|
||||
$msg=fmt("An Encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d",
|
||||
c$ssl?$last_originator_heartbeat_request_size, c$ssl$last_originator_heartbeat_request_size),
|
||||
$conn=c,
|
||||
$identifier=c$uid # only throw once per connection
|
||||
]);
|
||||
}
|
||||
else if ( ! c$ssl?$last_originator_heartbeat_request_size )
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue