Mirror/zeek
1
0
Fork 0
mirror of https://github.com/zeek/zeek.git synced 2025-10-02 14:48:21 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 2

Add new features from other branch to the heartbleed-detector (and clean them up).

Browse source 
We should now quite reliably detect scans/attacks, even when encrypted and not succesful.
This commit is contained in:
Bernhard Amann 2014-05-14 15:42:27 -07:00
parent 9014629a7d
commit f0b244b8b0
9 changed files with 179 additions and 22 deletions
Download patch file Download diff file Expand all files Collapse all files

151
scripts/policy/protocols/ssl/heartbleed.bro
View file

@ -7,11 +7,11 @@ module Heartbleed;
export { export {
redef enum Notice::Type += { redef enum Notice::Type += {
## Indicates that a host performing a heartbleed attack. ## Indicates that a host performing a heartbleed attack or scan.
SSL_Heartbeat_Attack, SSL_Heartbeat_Attack,
## Indicates that a host performing a heartbleed attack was probably successful. ## Indicates that a host performing a heartbleed attack was probably successful.
SSL_Heartbeat_Attack_Success, SSL_Heartbeat_Attack_Success,
## Indicates we saw heartbeat requests with odd length. Probably an attack. ## Indicates we saw heartbeat requests with odd length. Probably an attack or scan.
SSL_Heartbeat_Odd_Length, SSL_Heartbeat_Odd_Length,
## Indicates we saw many heartbeat requests without an reply. Might be an attack. ## Indicates we saw many heartbeat requests without an reply. Might be an attack.
SSL_Heartbeat_Many_Requests SSL_Heartbeat_Many_Requests
@ -25,14 +25,76 @@ redef SSL::disable_analyzer_after_detection=F;
redef record SSL::Info += { redef record SSL::Info += {
last_originator_heartbeat_request_size: count &optional; last_originator_heartbeat_request_size: count &optional;
last_responder_heartbeat_request_size: count &optional; last_responder_heartbeat_request_size: count &optional;
originator_heartbeats: count &default=0; originator_heartbeats: count &default=0;
responder_heartbeats: count &default=0; responder_heartbeats: count &default=0;
# Unencrypted connections - was an exploit attempt detected yet.
heartbleed_detected: bool &default=F; heartbleed_detected: bool &default=F;
};
# Count number of appdata packages and bytes exchanged so far.
enc_appdata_packages: count &default=0;
enc_appdata_bytes: count &default=0;
};
# TLS content types:
const CHANGE_CIPHER_SPEC = 20;
const ALERT = 21;
const HANDSHAKE = 22;
const APPLICATION_DATA = 23;
const HEARTBEAT = 24;
const V2_ERROR = 300;
const V2_CLIENT_HELLO = 301;
const V2_CLIENT_MASTER_KEY = 302;
const V2_SERVER_HELLO = 304;
type min_length: record {
cipher: pattern;
min_length: count;
};
global min_lengths: vector of min_length = vector();
global min_lengths_tls11: vector of min_length = vector();
event bro_init()
{
# Minimum length a heartbeat packet must have for different cipher suites.
# Note - tls 1.1f and 1.0 have different lengths :(
# This should be all cipher suites usually supported by vulnerable servers.
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_AES_256_GCM_SHA384$/, $min_length=43];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_AES_128_GCM_SHA256$/, $min_length=43];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA384$/, $min_length=96];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA256$/, $min_length=80];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_256_CBC_SHA$/, $min_length=64];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_128_CBC_SHA256$/, $min_length=80];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_128_CBC_SHA$/, $min_length=64];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=48];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_SEED_CBC_SHA$/, $min_length=64];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_IDEA_CBC_SHA$/, $min_length=48];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_DES_CBC_SHA$/, $min_length=48];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_DES40_CBC_SHA$/, $min_length=48];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_128_SHA$/, $min_length=39];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_128_MD5$/, $min_length=35];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC4_40_MD5$/, $min_length=35];
min_lengths_tls11[|min_lengths_tls11|] = [$cipher=/_RC2_CBC_40_MD5$/, $min_length=48];
min_lengths[|min_lengths|] = [$cipher=/_256_CBC_SHA$/, $min_length=48];
min_lengths[|min_lengths|] = [$cipher=/_128_CBC_SHA$/, $min_length=48];
min_lengths[|min_lengths|] = [$cipher=/_3DES_EDE_CBC_SHA$/, $min_length=40];
min_lengths[|min_lengths|] = [$cipher=/_SEED_CBC_SHA$/, $min_length=48];
min_lengths[|min_lengths|] = [$cipher=/_IDEA_CBC_SHA$/, $min_length=40];
min_lengths[|min_lengths|] = [$cipher=/_DES_CBC_SHA$/, $min_length=40];
min_lengths[|min_lengths|] = [$cipher=/_DES40_CBC_SHA$/, $min_length=40];
min_lengths[|min_lengths|] = [$cipher=/_RC4_128_SHA$/, $min_length=39];
min_lengths[|min_lengths|] = [$cipher=/_RC4_128_MD5$/, $min_length=35];
min_lengths[|min_lengths|] = [$cipher=/_RC4_40_MD5$/, $min_length=35];
min_lengths[|min_lengths|] = [$cipher=/_RC2_CBC_40_MD5$/, $min_length=40];
}
event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string) event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type: count, payload_length: count, payload: string)
{ {
if ( ! c?$ssl )
return;
if ( heartbeat_type == 1 ) if ( heartbeat_type == 1 )
{ {
local checklength: count = (length<(3+16)) ? length : (length - 3 - 16); local checklength: count = (length<(3+16)) ? length : (length - 3 - 16);
@ -40,18 +102,27 @@ event ssl_heartbeat(c: connection, is_orig: bool, length: count, heartbeat_type:
if ( payload_length > checklength ) if ( payload_length > checklength )
{ {
c$ssl$heartbleed_detected = T; c$ssl$heartbleed_detected = T;
NOTICE([$note=SSL_Heartbeat_Attack, NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("An TLS heartbleed attack was detected! Record length %d, payload length %d", length, payload_length), $msg=fmt("An TLS heartbleed attack was detected! Record length %d. Payload length %d", length, payload_length),
$conn=c, $conn=c,
$identifier=cat(c$uid, length, payload_length) $identifier=cat(c$uid, length, payload_length)
]); ]);
} }
else if ( is_orig )
{
NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat request before encryption. Probable Scan without exploit attempt. Message length: %d. Payload length: %d", length, payload_length),
$conn=c,
$n=length,
$identifier=cat(c$uid, length)
]);
}
} }
if ( heartbeat_type == 2 && c$ssl$heartbleed_detected ) if ( heartbeat_type == 2 && c$ssl$heartbleed_detected )
{ {
NOTICE([$note=SSL_Heartbeat_Attack_Success, NOTICE([$note=Heartbleed::SSL_Heartbeat_Attack_Success,
$msg=fmt("An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: %d", payload_length), $msg=fmt("An TLS heartbleed attack detected before was probably exploited. Message length: %d. Payload length: %d", length, payload_length),
$conn=c, $conn=c,
$identifier=c$uid $identifier=c$uid
]); ]);
@ -65,9 +136,26 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
else else
++c$ssl$responder_heartbeats; ++c$ssl$responder_heartbeats;
local duration = network_time() - c$start_time;
if ( c$ssl$enc_appdata_packages == 0 )
NOTICE([$note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat before ciphertext. Probable attack or scan. Length: %d, is_orig: %d", length, is_orig),
$conn=c,
$n=length,
$identifier=fmt("%s%s", c$uid, "early")
]);
else if ( duration < 1min )
NOTICE([$note=SSL_Heartbeat_Attack,
$msg=fmt("Heartbeat within first minute. Possible attack or scan. Length: %d, is_orig: %d, time: %d", length, is_orig, duration),
$conn=c,
$n=length,
$identifier=fmt("%s%s", c$uid, "early")
]);
if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 ) if ( c$ssl$originator_heartbeats > c$ssl$responder_heartbeats + 3 )
NOTICE([$note=SSL_Heartbeat_Many_Requests, NOTICE([$note=SSL_Heartbeat_Many_Requests,
$msg=fmt("Seeing more than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats), $msg=fmt("More than 3 heartbeat requests without replies from server. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
$conn=c, $conn=c,
$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats), $n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
@ -75,7 +163,7 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 ) if ( c$ssl$responder_heartbeats > c$ssl$originator_heartbeats + 3 )
NOTICE([$note=SSL_Heartbeat_Many_Requests, NOTICE([$note=SSL_Heartbeat_Many_Requests,
$msg=fmt("Server is sending more heartbleed responsed than requests were seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats), $msg=fmt("Server sending more heartbeat responses than requests seen. Possible attack. Client count: %d, server count: %d", c$ssl$originator_heartbeats, c$ssl$responder_heartbeats),
$conn=c, $conn=c,
$n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats), $n=(c$ssl$originator_heartbeats-c$ssl$responder_heartbeats),
$identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats $identifier=fmt("%s%d", c$uid, c$ssl$responder_heartbeats/1000) # re-throw every 1000 heartbeats
@ -83,12 +171,38 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
if ( is_orig && length < 19 ) if ( is_orig && length < 19 )
NOTICE([$note=SSL_Heartbeat_Odd_Length, NOTICE([$note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d", length), $msg=fmt("Heartbeat message smaller than minimum required length. Probable attack or scan. Message length: %d. Cipher: %s. Time: %f", length, c$ssl$cipher, duration),
$conn=c, $conn=c,
$n=length, $n=length,
$identifier=cat(c$uid, length) $identifier=fmt("%s-weak-%d", c$uid, length)
]); ]);
# Examine request lengths based on used cipher...
local min_length_choice: vector of min_length;
if ( (c$ssl$version == "TLSv11") || (c$ssl$version == "TLSv12") ) # tls 1.1+ have different lengths for CBC
min_length_choice = min_lengths_tls11;
else
min_length_choice = min_lengths;
for ( i in min_length_choice )
{
if ( min_length_choice[i]$cipher in c$ssl$cipher )
{
if ( length < min_length_choice[i]$min_length )
{
NOTICE([$note=SSL_Heartbeat_Odd_Length,
$msg=fmt("Heartbeat message smaller than minimum required length. Probable attack. Message length: %d. Required length: %d. Cipher: %s. Cipher match: %s", length, min_length_choice[i]$min_length, c$ssl$cipher, min_length_choice[i]$cipher),
$conn=c,
$n=length,
$identifier=fmt("%s-weak-%d", c$uid, length)
]);
}
break;
}
}
if ( is_orig ) if ( is_orig )
{ {
if ( c$ssl?$last_responder_heartbeat_request_size ) if ( c$ssl?$last_responder_heartbeat_request_size )
@ -105,8 +219,8 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length ) if ( c$ssl?$last_originator_heartbeat_request_size && c$ssl$last_originator_heartbeat_request_size < length )
{ {
NOTICE([$note=SSL_Heartbeat_Attack_Success, NOTICE([$note=SSL_Heartbeat_Attack_Success,
$msg=fmt("An Encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d", $msg=fmt("An encrypted TLS heartbleed attack was probably detected! First packet client record length %d, first packet server record length %d. Time: %f",
c$ssl$last_originator_heartbeat_request_size, length), c$ssl$last_originator_heartbeat_request_size, length, duration),
$conn=c, $conn=c,
$identifier=c$uid # only throw once per connection $identifier=c$uid # only throw once per connection
]); ]);
@ -119,3 +233,14 @@ event ssl_encrypted_heartbeat(c: connection, is_orig: bool, length: count)
delete c$ssl$last_originator_heartbeat_request_size; delete c$ssl$last_originator_heartbeat_request_size;
} }
} }
event ssl_encrypted_data(c: connection, is_orig: bool, content_type: count, length: count)
{
if ( content_type == HEARTBEAT )
event ssl_encrypted_heartbeat(c, is_orig, length);
else if ( (content_type == APPLICATION_DATA) && (length > 0) )
{
++c$ssl$enc_appdata_packages;
c$ssl$enc_appdata_bytes += length;
}
}

2
src/analyzer/protocol/ssl/ssl-analyzer.pac
View file

@ -366,7 +366,7 @@ refine connection SSL_Conn += {
} }
BifEvent::generate_ssl_encrypted_data(bro_analyzer(), BifEvent::generate_ssl_encrypted_data(bro_analyzer(),
bro_analyzer()->Conn(), ${rec.content_type}, ${rec.is_orig}, ${rec.length}); bro_analyzer()->Conn(), ${rec.is_orig}, ${rec.content_type}, ${rec.length});
return true; return true;
%} %}

12
testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-short.log Normal file
View file

@ -0,0 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2014-05-14-22-40-47
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1398954957.074664 CXWv6p3arKYeMETxOg 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 162.219.2.166 4443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - -
1398954957.074664 CXWv6p3arKYeMETxOg 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 162.219.2.166 4443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - -
1398954957.145535 CXWv6p3arKYeMETxOg 192.168.4.149 54233 162.219.2.166 4443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 48. Time: 0.351035 - 192.168.4.149 162.219.2.166 4443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2014-05-14-22-40-47

12
testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted-success.log Normal file
View file

@ -0,0 +1,12 @@
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2014-05-14-22-40-36
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1397169549.882425 CXWv6p3arKYeMETxOg 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 32, is_orig: 1 - 192.168.4.149 107.170.241.107 443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - -
1397169549.882425 CXWv6p3arKYeMETxOg 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Odd_Length Heartbeat message smaller than minimum required length. Probable attack. Message length: 32. Required length: 48. Cipher: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. Cipher match: /^?(_256_CBC_SHA$)$?/ - 192.168.4.149 107.170.241.107 443 32 bro Notice::ACTION_LOG 3600.000000 F - - - - -
1397169549.895057 CXWv6p3arKYeMETxOg 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416. Time: 0.035413 - 192.168.4.149 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2014-05-14-22-40-37

6
testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-encrypted.log
View file

@ -3,8 +3,8 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2014-04-30-19-34-39 #open 2014-05-14-22-40-26
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1397169549.895057 CXWv6p3arKYeMETxOg 192.168.4.149 59676 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An Encrypted TLS heartbleed attack was probably detected! First packet client record length 32, first packet server record length 16416 - 192.168.4.149 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - 1400106542.810248 CXWv6p3arKYeMETxOg 54.221.166.250 56323 162.219.2.166 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack Heartbeat before ciphertext. Probable attack or scan. Length: 86, is_orig: 1 - 54.221.166.250 162.219.2.166 443 86 bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2014-04-30-19-34-39 #close 2014-05-14-22-40-27

8
testing/btest/Baseline/scripts.policy.protocols.ssl.heartbleed/notice-heartbleed-success.log
View file

@ -3,9 +3,9 @@
#empty_field (empty) #empty_field (empty)
#unset_field - #unset_field -
#path notice #path notice
#open 2014-04-24-18-30-54 #open 2014-05-14-22-40-19
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude #fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double #types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1396976220.863714 CXWv6p3arKYeMETxOg 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368, payload length 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - 1396976220.863714 CXWv6p3arKYeMETxOg 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 16368. Payload length 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1396976220.918017 CXWv6p3arKYeMETxOg 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Transmitted payload length in first packet: 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - 1396976220.918017 CXWv6p3arKYeMETxOg 173.203.79.216 41459 107.170.241.107 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack detected before was probably exploited. Message length: 16384. Payload length: 16365 - 173.203.79.216 107.170.241.107 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2014-04-24-18-30-54 #close 2014-05-14-22-40-19

BIN
testing/btest/Traces/tls/heartbleed-encrypted-short.pcap Normal file
View file

Binary file not shown.

BIN
testing/btest/Traces/tls/heartbleed-encrypted.pcap Normal file
View file

Binary file not shown.

10
testing/btest/scripts/policy/protocols/ssl/heartbleed.bro
View file

@ -6,8 +6,16 @@
# @TEST-EXEC: mv notice.log notice-heartbleed-success.log # @TEST-EXEC: mv notice.log notice-heartbleed-success.log
# @TEST-EXEC: btest-diff notice-heartbleed-success.log # @TEST-EXEC: btest-diff notice-heartbleed-success.log
# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-success.pcap %INPUT # @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted.pcap %INPUT
# @TEST-EXEC: mv notice.log notice-encrypted.log # @TEST-EXEC: mv notice.log notice-encrypted.log
# @TEST-EXEC: btest-diff notice-encrypted.log # @TEST-EXEC: btest-diff notice-encrypted.log
# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-success.pcap %INPUT
# @TEST-EXEC: mv notice.log notice-encrypted-success.log
# @TEST-EXEC: btest-diff notice-encrypted-success.log
# @TEST-EXEC: bro -C -r $TRACES/tls/heartbleed-encrypted-short.pcap %INPUT
# @TEST-EXEC: mv notice.log notice-encrypted-short.log
# @TEST-EXEC: btest-diff notice-encrypted-short.log
@load protocols/ssl/heartbleed @load protocols/ssl/heartbleed