Created
April 11, 2014 01:43
sethhall/10436578
Bro Heartbleed detection with @erratarob's attempted evasion from https://twitter.com/erratarob/status/454431302482001921. (check the notice.log)
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2014-04-10-21-40-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count set[string]
1397173677.295334 CRVrQz4kM8bETkZAd9 10.20.30.165 5353 224.0.0.251 5353 udp dns 3.000172 120 0 S0 - 0 D 3 204 0 0 (empty)
1397173669.761904 C0oDrV3mAS653MpdGh 10.20.30.157 53669 10.20.30.165 443 tcp ssl 2.133122 257 5015 S1 - 0 ShADd 13 777 11 5459 (empty)
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path dns
#open 2014-04-10-21-40-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto trans_id query qclass qclass_name qtype qtype_name rcode rcode_name AA TC RD RA Z answers TTLs rejected
#types time string addr port addr port enum count string count string count string count string bool bool bool bool count vector[string] vector[interval] bool
1397173677.295334 CRVrQz4kM8bETkZAd9 10.20.30.165 5353 224.0.0.251 5353 udp 0 _googlecast._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F
1397173678.295392 CRVrQz4kM8bETkZAd9 10.20.30.165 5353 224.0.0.251 5353 udp 0 _googlecast._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F
1397173680.295506 CRVrQz4kM8bETkZAd9 10.20.30.165 5353 224.0.0.251 5353 udp 0 _googlecast._tcp.local 1 C_INTERNET 12 PTR - - F F F F 0 - - F
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path files
#open 2014-04-10-21-40-58
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
1397173671.818021 Fbe0Xz178NG1aHeiac 10.20.30.165 10.20.30.157 C0oDrV3mAS653MpdGh SSL 0 SHA1,X509,MD5 - - 0.000000 - F 429 - 0 0 F - 0c5fe3ec996ec9f653243786d8f9cbea 494d64afd12a1bcf06ad072fc361d7811c0cd401 - -
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2014-04-10-21-40-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1397173671.826022 C0oDrV3mAS653MpdGh 10.20.30.157 53669 10.20.30.165 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack An TLS heartbleed attack was detected! Record length 20, payload length 4073 - 10.20.30.157 10.20.30.165 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
1397173671.882025 C0oDrV3mAS653MpdGh 10.20.30.157 53669 10.20.30.165 443 - - - tcp Heartbleed::SSL_Heartbeat_Attack_Success An TLS heartbleed attack was detected and probably exploited - 10.20.30.157 10.20.30.165 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2014-04-10-21-40-58
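The two numbers in the first notice's msg, record length 20 and payload length 4073, are the pair the detection compares: a heartbeat request whose declared payload_length cannot fit in the bytes actually on the wire is asking the peer to read past its buffer, and that is visible from the lengths alone, without matching any payload bytes. The following is an added example, not code from the gist or from Bro's own scripts, that reconstructs this check over constructed TLS heartbeat records. Function names are mine; the 3-byte heartbeat header and 16-byte minimum padding come from RFC 6520, and the request/response pairing used for the success notice is a simplification of my own.

```python
"""
Added example, not code from the gist or from Bro itself: the length check
that turns a TLS heartbeat request into a Heartbleed notice, run over
constructed records. Function names are mine; the 3-byte header and 16-byte
minimum padding come from RFC 6520.
"""
import struct

TLS_HEARTBEAT = 0x18          # TLS record content type for heartbeat
HB_REQUEST, HB_RESPONSE = 1, 2
HB_HEADER = 3                 # type (1 byte) + payload_length (2 bytes)
HB_MIN_PADDING = 16           # RFC 6520 requires at least 16 bytes of padding


def parse_tls_record(buf):
    """Split one TLS record into (content_type, version, fragment bytes)."""
    if len(buf) < 5:
        raise ValueError("short TLS record header")
    ctype, version, length = struct.unpack("!BHH", buf[:5])
    frag = buf[5:5 + length]
    if len(frag) != length:
        raise ValueError("truncated TLS record")
    return ctype, version, frag


def check_heartbeat(record):
    """Return (hb_type, record_len, payload_len, suspicious) for a heartbeat
    record, or None for any other content type.

    suspicious is True when the declared payload_length cannot fit inside the
    bytes actually on the wire once the header and minimum padding are taken
    off: that is the over-read a Heartbleed probe asks for, and it is visible
    without looking at a single payload byte."""
    ctype, _version, frag = parse_tls_record(record)
    if ctype != TLS_HEARTBEAT:
        return None
    if len(frag) < HB_HEADER:
        raise ValueError("heartbeat fragment shorter than its header")
    hb_type, payload_len = struct.unpack("!BH", frag[:HB_HEADER])
    record_len = len(frag)
    allowed = max(record_len - HB_HEADER - HB_MIN_PADDING, 0)
    return hb_type, record_len, payload_len, payload_len > allowed


def heartbleed_notices(records):
    """Walk the TLS records of one connection in order and return the notices
    the check would raise. The request/response pairing for the "success"
    notice is my own simplification: a heartbeat response following an
    over-sized request is taken as evidence the server answered it."""
    notices, pending = [], False
    for rec in records:
        parsed = check_heartbeat(rec)
        if parsed is None:
            continue                      # handshake / application data etc.
        hb_type, record_len, payload_len, suspicious = parsed
        if hb_type == HB_REQUEST and suspicious:
            pending = True
            notices.append(("SSL_Heartbeat_Attack", record_len, payload_len))
        elif hb_type == HB_RESPONSE and pending:
            pending = False
            notices.append(("SSL_Heartbeat_Attack_Success", record_len, payload_len))
    return notices


def build_heartbeat(hb_type, payload, declared_len=None, version=0x0302):
    """Construct a heartbeat record (test data, not captured traffic).
    declared_len lets the caller lie about the payload size like an attacker."""
    if declared_len is None:
        declared_len = len(payload)
    frag = struct.pack("!BH", hb_type, declared_len) + payload + b"\x00" * HB_MIN_PADDING
    return struct.pack("!BHH", TLS_HEARTBEAT, version, len(frag)) + frag


if __name__ == "__main__":
    # Benign 4-byte ping, then a probe shaped like the one in notice.log:
    # 20 bytes on the wire, 4073 bytes claimed.
    stream = [
        build_heartbeat(HB_REQUEST, b"ping"),
        build_heartbeat(HB_RESPONSE, b"ping"),
        build_heartbeat(HB_REQUEST, b"\x00", declared_len=4073),
        build_heartbeat(HB_RESPONSE, b"A" * 4073),   # server bled 4073 bytes
    ]
    for note, rlen, plen in heartbleed_notices(stream):
        print("%s: record length %d, payload length %d" % (note, rlen, plen))
```

The version word 0x0302 is TLS 1.1, matching the TLSv11 in ssl.log; a benign 4-byte ping occupies 23 fragment bytes and declares 4, the probe occupies 20 and declares 4073, and only the second trips the comparison.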
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssl
#open 2014-04-10-21-40-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string bool vector[string] vector[string] string string string string
1397173671.813021 C0oDrV3mAS653MpdGh 10.20.30.157 53669 10.20.30.165 443 TLSv11 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - - unknown-128 F Fbe0Xz178NG1aHeiac (empty) - - - -
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path weird
#open 2014-04-10-21-40-58
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p name addl notice peer
#types time string addr port addr port string string bool string
1397173680.295506 - - - - - dns_unmatched_msg - F bro
#close 2014-04-10-21-40-58
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path x509
#open 2014-04-10-21-40-58
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
1397173671.818021 Fbe0Xz178NG1aHeiac 1 F60C39056AC1E9A9 CN=*.example.com. CN=*.example.com. 1397117048.000000 1428566648.000000 rsaEncryption sha1WithRSAEncryption rsa 1024 65537 - - - - - - -
#close 2014-04-10-21-40-58
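The connection uid C0oDrV3mAS653MpdGh ties the notice rows to the ssl.log and conn.log rows, and the file uid Fbe0Xz178NG1aHeiac ties ssl.log's cert_chain_fuids to files.log and to the x509.log entry for the certificate the server presented. The following is an added example, not part of the gist, that parses Bro's ASCII log format from its own header directives (so the separators and the "-"/"(empty)" placeholders are never hard-coded) and walks that chain for each Heartbleed notice. Function names are mine; the embedded log text is taken from the ssl, notice and x509 rows above, with the header directives that equal the defaults (#set_separator, #empty_field, #unset_field, #open, #close) left out.

```python
"""
Added example, not part of the gist: parse Bro ASCII logs using their own
#fields/#types headers and follow notice.uid -> ssl.uid -> cert_chain_fuids
-> x509.id. Function names are mine; the embedded rows are the ones shown on
the page, minus the header directives that equal the defaults.
"""

def parse_bro_log(text):
    """Return (path, rows) for one log; separators and placeholders come from
    the header directives rather than being hard-coded."""
    sep, path, fields, types, rows = "\t", None, [], [], []
    marks = {"set_separator": ",", "empty_field": "(empty)", "unset_field": "-"}
    for line in text.splitlines():
        if line.startswith("#separator "):
            # Written escaped in the file, e.g. "\x09" for a tab.
            sep = line[len("#separator "):].encode().decode("unicode_escape")
        elif line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "path":
                path = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            elif key in marks:
                marks[key] = val               # #open / #close are ignored
        elif line:
            cols = line.split(sep)
            if len(cols) != len(fields):
                raise ValueError("row has %d columns, #fields has %d" % (len(cols), len(fields)))
            rows.append({f: _convert(t, c, marks) for f, t, c in zip(fields, types, cols)})
    return path, rows

def _convert(typ, raw, marks):
    """Map one raw column to a Python value according to its #types entry."""
    if raw == marks["unset_field"]:
        return None
    if typ.startswith(("set[", "vector[")):
        return [] if raw == marks["empty_field"] else raw.split(marks["set_separator"])
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    return raw == "T" if typ == "bool" else raw     # string, addr, enum stay text

def certs_behind_notices(notice_rows, ssl_rows, x509_rows):
    """For each Heartbleed notice, join notice.uid -> ssl.uid and then each
    cert_chain_fuid -> x509.id, reporting what the bled server presented."""
    ssl_by_uid = {r["uid"]: r for r in ssl_rows}
    x509_by_id = {r["id"]: r for r in x509_rows}
    out = []
    for n in notice_rows:
        if not n["note"].startswith("Heartbleed::"):
            continue
        s = ssl_by_uid.get(n["uid"], {})            # tolerate a missing ssl row
        subjects = [x509_by_id[f]["certificate.subject"]
                    for f in s.get("cert_chain_fuids") or [] if f in x509_by_id]
        out.append((n["note"], n["id.resp_h"], s.get("version"), s.get("cipher"), subjects))
    return out

def tsv(rows):
    """Join constructed header/row tuples into tab-separated log text."""
    return "\n".join("\t".join(r) for r in rows)

SSL_LOG = tsv([
    ("#separator \\x09",), ("#path", "ssl"),
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "version", "cipher", "server_name",
     "session_id", "last_alert", "established", "cert_chain_fuids", "client_cert_chain_fuids", "subject", "issuer",
     "client_subject", "client_issuer"),
    ("#types", "time", "string", "addr", "port", "addr", "port", "string", "string", "string", "string", "string",
     "bool", "vector[string]", "vector[string]", "string", "string", "string", "string"),
    ("1397173671.813021", "C0oDrV3mAS653MpdGh", "10.20.30.157", "53669", "10.20.30.165", "443", "TLSv11",
     "TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "-", "-", "unknown-128", "F", "Fbe0Xz178NG1aHeiac", "(empty)", "-", "-", "-", "-"),
])
NOTICE_LOG = tsv([
    ("#separator \\x09",), ("#path", "notice"),
    ("#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "fuid", "file_mime_type", "file_desc",
     "proto", "note", "msg", "sub", "src", "dst", "p", "n", "peer_descr", "actions", "suppress_for", "dropped",
     "remote_location.country_code", "remote_location.region", "remote_location.city", "remote_location.latitude",
     "remote_location.longitude"),
    ("#types", "time", "string", "addr", "port", "addr", "port", "string", "string", "string", "enum", "enum", "string",
     "string", "addr", "addr", "port", "count", "string", "set[enum]", "interval", "bool", "string", "string", "string",
     "double", "double"),
    ("1397173671.826022", "C0oDrV3mAS653MpdGh", "10.20.30.157", "53669", "10.20.30.165", "443", "-", "-", "-", "tcp",
     "Heartbleed::SSL_Heartbeat_Attack", "An TLS heartbleed attack was detected! Record length 20, payload length 4073",
     "-", "10.20.30.157", "10.20.30.165", "443", "-", "bro", "Notice::ACTION_LOG", "3600.000000", "F", "-", "-", "-", "-", "-"),
])
X509_LOG = tsv([
    ("#separator \\x09",), ("#path", "x509"),
    ("#fields", "ts", "id", "certificate.version", "certificate.serial", "certificate.subject", "certificate.issuer",
     "certificate.not_valid_before", "certificate.not_valid_after", "certificate.key_alg", "certificate.sig_alg",
     "certificate.key_type", "certificate.key_length", "certificate.exponent", "certificate.curve", "san.dns",
     "san.uri", "san.email", "san.ip", "basic_constraints.ca", "basic_constraints.path_len"),
    ("#types", "time", "string", "count", "string", "string", "string", "time", "time", "string", "string", "string",
     "count", "string", "string", "vector[string]", "vector[string]", "vector[string]", "vector[addr]", "bool", "count"),
    ("1397173671.818021", "Fbe0Xz178NG1aHeiac", "1", "F60C39056AC1E9A9", "CN=*.example.com.", "CN=*.example.com.",
     "1397117048.000000", "1428566648.000000", "rsaEncryption", "sha1WithRSAEncryption", "rsa", "1024", "65537",
     "-", "-", "-", "-", "-", "-", "-"),
])
```

Reading the separators from the header matters in practice: Bro writes set members with the #set_separator and distinguishes an unset field ("-") from an empty set ("(empty)"), so the same "-" in cert_chain_fuids means no certificate was seen, while "(empty)" in client_cert_chain_fuids means the client sent none. Running certs_behind_notices over these rows yields the attack notice against 10.20.30.165 with TLSv11, TLS_DHE_RSA_WITH_AES_256_CBC_SHA and the single 1024-bit CN=*.example.com. certificate from x509.log.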