fox-srt/fox-ticketbleed.rules

## fox-ticketbleed.rules
# IDS Signatures to detect Ticketbleed (CVE-2016-9244)
# https://blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244/

alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"FOX-SRT - Flowbit - TLS session resumption < 32 byte session id (noalert)"; flow:established,to_server; content:"|1603|"; depth:2; content:"|01|"; distance:3; within:1; byte_test:3,<,3000,0,relative; content:"|03|"; distance:3; within:1; byte_test:1,<,32,33,relative; byte_test:1,>,0,33,relative; flowbits:set,fox.ticketbleed.session; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 600; classtype:attempted-recon; reference:cve,2016-9244; reference:url,https://ticketbleed.com; reference:url,blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244; sid:21002061; rev:6;)
alert tcp $HOME_NET [$HTTP_PORTS,443] -> $EXTERNAL_NET any (msg:"FOX-SRT - Vulnerability - Possible Succesful F5 Big-IP TLS Ticketbleed"; flow:established,to_client; flowbits:isset,fox.ticketbleed.session; content:"|1603|"; depth:2; byte_extract:2,1,rec_len,relative; content:"|02|"; distance:0; within:1; content:"|03|"; distance:3; within:1; byte_test:1,=,32,33,relative; content:"|1403|"; offset:rec_len; depth:7; content:"|000101|"; distance:1; within:3; threshold:type limit, track by_src, count 1, seconds 600; classtype:successful-recon-limited; reference:srt,1298; reference:cve,2016-9244; reference:url,https://ticketbleed.com; reference:url,blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244; priority:2; sid:21002062; rev:5;)
	# IDS Signatures to detect Ticketbleed (CVE-2016-9244)
	# https://blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244/

	alert tcp $EXTERNAL_NET any -> $HOME_NET [$HTTP_PORTS,443] (msg:"FOX-SRT - Flowbit - TLS session resumption < 32 byte session id (noalert)"; flow:established,to_server; content:"\|1603\|"; depth:2; content:"\|01\|"; distance:3; within:1; byte_test:3,<,3000,0,relative; content:"\|03\|"; distance:3; within:1; byte_test:1,<,32,33,relative; byte_test:1,>,0,33,relative; flowbits:set,fox.ticketbleed.session; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 600; classtype:attempted-recon; reference:cve,2016-9244; reference:url,https://ticketbleed.com; reference:url,blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244; sid:21002061; rev:6;)
	alert tcp $HOME_NET [$HTTP_PORTS,443] -> $EXTERNAL_NET any (msg:"FOX-SRT - Vulnerability - Possible Succesful F5 Big-IP TLS Ticketbleed"; flow:established,to_client; flowbits:isset,fox.ticketbleed.session; content:"\|1603\|"; depth:2; byte_extract:2,1,rec_len,relative; content:"\|02\|"; distance:0; within:1; content:"\|03\|"; distance:3; within:1; byte_test:1,=,32,33,relative; content:"\|1403\|"; offset:rec_len; depth:7; content:"\|000101\|"; distance:1; within:3; threshold:type limit, track by_src, count 1, seconds 600; classtype:successful-recon-limited; reference:srt,1298; reference:cve,2016-9244; reference:url,https://ticketbleed.com; reference:url,blog.fox-it.com/2017/02/13/detecting-ticketbleed-cve-2016-9244; priority:2; sid:21002062; rev:5;)