Created April 11, 2014 14:29
Live detection of client heartbleed attack with tcpdump
Slight modification of the tcpdump filter expression included in the heartbleed.py script by Riverbed [1][2], to detect live client-side Heartbleed attacks, i.e. a malicious TLS server sending heartbeat records to a vulnerable client.
The original filter was modified to match traffic to a specific client host from any port, and the length check was changed to 68. For more information about this tcpdump filter take a look at the Riverbed blog post [2].

How the expression works: (tcp[12] & 0xF0) >> 4 is the TCP data offset in 32-bit words, so tcp[((tcp[12] & 0xF0) >> 4) * 4] is the first byte of the TCP payload, which for a TLS connection is the record content type; 0x18 (24) is heartbeat. The next two bytes are the record version: major 0x03 with minor below 0x04 covers SSL 3.0 and TLS 1.0 to 1.2. ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) is the IP total length minus the IP and TCP header lengths, i.e. the TCP payload length, which must exceed 68 bytes. The whole expression appears twice because the vlan keyword shifts the decoding offsets for everything that follows it: the first branch (not ether proto 0x8100) handles untagged frames, the second handles 802.1Q-tagged frames.

Caveats: the ip[...] and tcp[...] index operations apply to IPv4 only, so IPv6 traffic is not inspected; only a heartbeat record that starts at the beginning of a TCP segment is seen; and the size check passes only records whose TCP payload is longer than 68 bytes, so a minimal malicious request (a 5-byte TLS header plus a 3-byte heartbeat header with an inflated payload_length, 8 bytes in total) would not match. The heartbeat type byte (request or response) is not inspected.
Detection tested with https://reverseheartbleed.com
tcpdump -i <INTERFACE> "((not ether proto 0x8100) and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68)))) or (vlan and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68))))"
Example: detect client-side Heartbleed attacks against host 192.168.0.10, listening on interface eth0:
tcpdump -i eth0 "((not ether proto 0x8100) and (tcp and dst host 192.168.0.10 and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68)))) or (vlan and (tcp and dst host 192.168.0.10 and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68))))"
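An offline walk-through of the expression, as an added example that is not part of the original gist or of Riverbed's script: it rebuilds the same byte-offset checks in Python over constructed IPv4/TCP packets (Ethernet/VLAN layer already removed), so the effect of the 68-byte threshold can be exercised without a live interface. The addresses, ports and packet contents are constructed for illustration. It also adds one check the gist's expression does not perform, comparing the heartbeat payload_length field against the record length, to show how a minimal malicious request falls below the size threshold while still carrying an inflated length.

```python
"""Offline walk-through of the gist's tcpdump expression.

Added example, not code from the original gist or from Riverbed's heartbleed.py.
It constructs IPv4/TCP packets carrying TLS heartbeat records and applies the same
byte-offset tests the BPF expression performs (Ethernet/VLAN header already stripped).
Every packet here is constructed for illustration, not captured traffic.
"""
import struct

CLIENT_IP = "192.168.0.10"                       # stands in for <HOST_IP> (assumed, as in the gist)
ATTACKER_IP, OTHER_IP = "203.0.113.7", "192.168.0.11"   # constructed addresses
LENGTH_THRESHOLD = 68                            # the gist's "> 68" TCP payload length check


def ip_to_bytes(addr):
    return bytes(int(octet) for octet in addr.split("."))


def build_ipv4_tcp(src, dst, sport, dport, payload, ihl_words=5, tcp_words=5):
    """Minimal IPv4+TCP packet. Checksums stay zero: the filter never reads them."""
    ip_len, tcp_len = ihl_words * 4, tcp_words * 4
    total_len = ip_len + tcp_len + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0, 0, 64, 6, 0, ip_to_bytes(src), ip_to_bytes(dst))
    ip_hdr += b"\x00" * (ip_len - 20)            # IP options when ihl_words > 5
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                          tcp_words << 4, 0x18, 65535, 0, 0)
    tcp_hdr += b"\x00" * (tcp_len - 20)          # TCP options when tcp_words > 5
    return ip_hdr + tcp_hdr + payload


def heartbeat_record(hb_type, claimed_len, payload, padding=b"\x00" * 16, version=(3, 3)):
    """TLS record (content type 0x18) wrapping an RFC 6520 HeartbeatMessage.
    claimed_len fills the payload_length field; letting it disagree with len(payload)
    is exactly what a Heartbleed request does."""
    body = bytes([hb_type]) + struct.pack("!H", claimed_len) + payload + padding
    return bytes([0x18, version[0], version[1]]) + struct.pack("!H", len(body)) + body


def matches_filter(pkt, host_ip=CLIENT_IP, threshold=LENGTH_THRESHOLD):
    """Mirror of the tcpdump expression applied to one raw IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:
        return False                             # 'ip' / 'tcp' index loads: IPv4 TCP only
    if pkt[16:20] != ip_to_bytes(host_ip):
        return False                             # 'dst host <HOST_IP>'
    ihl = 4 * (pkt[0] & 0x0F)                    # 4 * (ip[0] & 0x0F)
    total_len = struct.unpack("!H", pkt[2:4])[0]  # ip[2:2]
    if len(pkt) < ihl + 20:
        return False                             # truncated TCP header
    doff = 4 * ((pkt[ihl + 12] & 0xF0) >> 4)     # 4 * ((tcp[12] & 0xF0) >> 4)
    start = ihl + doff                           # first byte of the TCP payload
    if start + 3 > len(pkt):
        return False                             # BPF: load past packet end => no match (pure ACK)
    return (pkt[start] == 0x18                   # TLS content type 24: heartbeat
            and pkt[start + 1] == 0x03           # record version major 3 (SSL 3.0 / TLS)
            and pkt[start + 2] < 0x04            # minor 0..3: SSL 3.0 through TLS 1.2
            and total_len - ihl - doff > threshold)  # TCP payload longer than 68 bytes


def heartbeat_claims_too_much(record):
    """Extra check, not in the gist's expression: the payload_length field asks for more
    than the record holds (RFC 6520: type + length + payload + at least 16 bytes of
    padding must fit). This is the condition the OpenSSL fix tests, independent of size."""
    if len(record) < 8 or record[0] != 0x18:
        return False
    record_len = struct.unpack("!H", record[3:5])[0]
    claimed = struct.unpack("!H", record[6:8])[0]
    return 1 + 2 + claimed + 16 > record_len


def sample_packets():
    """Constructed traffic from a malicious server (port 443) toward the client."""
    minimal_poc = heartbeat_record(1, 0x4000, b"", padding=b"", version=(3, 2))  # 18 03 02 00 03 01 40 00
    oversized = heartbeat_record(1, 0x4000, b"A" * 64)                           # 88-byte record
    legit = heartbeat_record(1, 18, b"B" * 18)        # sized like OpenSSL's own heartbeats
    app_data = bytes([0x17, 0x03, 0x03]) + struct.pack("!H", 200) + b"C" * 200

    def to_client(payload, **kw):
        return build_ipv4_tcp(ATTACKER_IP, CLIENT_IP, 443, 51000, payload, **kw)

    return {
        "minimal_poc_request": to_client(minimal_poc),
        "oversized_request": to_client(oversized),
        "oversized_with_tcp_options": to_client(oversized, tcp_words=8),
        "oversized_to_other_host": build_ipv4_tcp(ATTACKER_IP, OTHER_IP, 443, 51000, oversized),
        "legit_heartbeat": to_client(legit),
        "application_data": to_client(app_data),
        "pure_ack": to_client(b""),
    }


if __name__ == "__main__":
    for name, pkt in sample_packets().items():
        print(f"{name:28s} matches_filter={matches_filter(pkt)}")
```

Running the block prints, for each constructed packet, whether the tcpdump expression would match it: the oversized heartbeat request matches whether or not the TCP header carries options, while the 8-byte proof-of-concept request, a normal-sized heartbeat, an application-data record and a pure ACK do not, and a heartbeat aimed at another host is ignored. The payload_length comparison flags both the oversized and the minimal request and leaves the normal heartbeat alone.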
[1] - https://splash.riverbed.com/docs/DOC-4083
[2] - http://www.riverbed.com/blogs/Retroactively-detecting-a-prior-Heartbleed-exploitation-from-stored-packets-using-a-BPF-expression.html