
@crisroura
Created April 11, 2014 14:29
Live detection of client heartbleed attack with tcpdump
A slight modification of the tcpdump filter expression included in the heartbleed.py script by Riverbed [1][2], adapted to detect live client-side Heartbleed attacks.
The original filter was modified to match traffic to a specific client host from any port, and the length check was changed to 68. For more information about this tcpdump filter, see the Riverbed blog post [2].
Detection tested with https://reverseheartbleed.com
tcpdump -i <INTERFACE> "((not ether proto 0x8100) and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68)))) or (vlan and (tcp and dst host <HOST_IP> and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68))))"
Example to detect client heartbleed attacks to host 192.168.0.10, listening on interface eth0:
tcpdump -i eth0 "((not ether proto 0x8100) and (tcp and dst host 192.168.0.10 and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68)))) or (vlan and (tcp and dst host 192.168.0.10 and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4] = 0x18) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 1] = 0x03) and (tcp[((tcp[12] & 0xF0) >> 4 ) * 4 + 2] < 0x04) and ((ip[2:2] - 4 * (ip[0] & 0x0F) - 4 * ((tcp[12] & 0xF0) >> 4) > 68))))"
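To make the filter's byte-level logic readable and testable offline, here is the same set of checks implemented over raw IPv4/TCP packet bytes. This is an added example, not part of the gist or Riverbed's script; the function names (matches_filter, build_packet, heartbeat_record) and the packets it builds are constructed for illustration.

```python
import socket
import struct

HEARTBEAT = 0x18       # TLS record content type "heartbeat" (tcp[off] = 0x18)
LENGTH_THRESHOLD = 68  # TCP payload length cut-off used by the gist's filter

def matches_filter(packet: bytes, dst_host: str) -> bool:
    """True if an IPv4/TCP packet satisfies the gist's BPF expression:
    dst host matches, the TCP payload starts with a TLS heartbeat record
    (type 0x18, version 0x03 0x00..0x03) and the TCP payload is longer
    than LENGTH_THRESHOLD bytes (ip[2:2] - 4*(ip[0]&0x0F) - 4*(tcp[12]>>4))."""
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 6:
        return False                                  # not IPv4 carrying TCP
    if socket.inet_ntoa(packet[16:20]) != dst_host:   # "dst host <HOST_IP>"
        return False
    ihl = (packet[0] & 0x0F) * 4                      # 4 * (ip[0] & 0x0F)
    total_len = struct.unpack("!H", packet[2:4])[0]   # ip[2:2]
    tcp = packet[ihl:]
    if len(tcp) < 20:
        return False
    doff = ((tcp[12] & 0xF0) >> 4) * 4                # TCP header length in bytes
    payload_len = total_len - ihl - doff
    payload = tcp[doff:doff + payload_len]
    if len(payload) < 3:
        return False
    return (payload[0] == HEARTBEAT and payload[1] == 0x03
            and payload[2] < 0x04 and payload_len > LENGTH_THRESHOLD)

def build_packet(dst_host: str, payload: bytes) -> bytes:
    """Construct a minimal IPv4+TCP packet (no options, zero checksums)."""
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     socket.inet_aton("10.0.0.1"), socket.inet_aton(dst_host))
    # src port 443, dst port 51000, data offset 5 words, flags PSH|ACK
    tcp = struct.pack("!HHIIBBHHH", 443, 51000, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    return ip + tcp + payload

def heartbeat_record(body_len: int) -> bytes:
    """TLS heartbeat record: type 0x18, version 3.2 (TLS 1.1), length, body."""
    return bytes([0x18, 0x03, 0x02]) + struct.pack("!H", body_len) + b"\x01" * body_len

if __name__ == "__main__":
    client = "192.168.0.10"
    # constructed samples: a large heartbeat record to the client (flagged),
    # a small one (ignored) and a large record to a different host (ignored)
    print(matches_filter(build_packet(client, heartbeat_record(80)), client))   # True
    print(matches_filter(build_packet(client, heartbeat_record(10)), client))   # False
    print(matches_filter(build_packet("192.168.0.99", heartbeat_record(80)), client))  # False
```

Note that, like the BPF expression, this checks only the first record in each TCP segment and ignores the VLAN tag handling that the `vlan` branch of the filter adds.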
[1] - https://splash.riverbed.com/docs/DOC-4083
[2] - http://www.riverbed.com/blogs/Retroactively-detecting-a-prior-Heartbleed-exploitation-from-stored-packets-using-a-BPF-expression.html