Created
April 11, 2014 06:11
Gist: sethhall/10443408
Bro Heartbleed detection using encrypted heartbeat messages. Trace from: http://blog.didierstevens.com/2014/04/10/heartbleed-packet-capture-full-tls/
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path conn
#open 2014-04-11-02-09-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents
#types time string addr port addr port enum string interval count count string bool count string count count count count set[string]
1397163796.404676 Cojr4LYR0U4FkAT2i 192.168.11.130 57534 192.168.11.128 443 tcp ssl 0.020171 463 51011 RSTO - 0 ShADadR 24 1635 41 53151 (empty)
#close 2014-04-11-02-09-00
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path files
#open 2014-04-11-02-09-00
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string
1397163796.415064 FlAPMK1nz9E7HtckGi 192.168.11.128 192.168.11.130 Cojr4LYR0U4FkAT2i SSL 0 SHA1,MD5,X509 - - 0.000000 - F 865 - 0 0 F - 95dc373d2d1a89ae83dadf3dce7c6a46 a647803fcadbdbd7c4bb71ebc6ab88f8013c1397 - -
#close 2014-04-11-02-09-00
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path notice
#open 2014-04-11-02-09-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double
1397163796.421778 Cojr4LYR0U4FkAT2i 192.168.11.130 57534 192.168.11.128 443 - - - tcp Heartbleed::SSL_Heartbeat_Encrypted_Attack_Success An Encrypted TLS heartbleed attack was probably detected! - 192.168.11.130 192.168.11.128 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - -
#close 2014-04-11-02-09-00
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path ssl
#open 2014-04-11-02-09-00
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer
#types time string addr port addr port string string string string string bool vector[string] vector[string] string string string string
1397163796.406496 Cojr4LYR0U4FkAT2i 192.168.11.130 57534 192.168.11.128 443 TLSv10 TLS_DHE_RSA_WITH_AES_256_CBC_SHA - - - F FlAPMK1nz9E7HtckGi (empty) - - - -
#close 2014-04-11-02-09-00
#separator \x09
#set_separator ,
#empty_field (empty)
#unset_field -
#path x509
#open 2014-04-11-02-09-00
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count
1397163796.415064 FlAPMK1nz9E7HtckGi 3 D2A88205D9BB4C40 O=Internet Widgits Pty Ltd,ST=Some-State,C=AU O=Internet Widgits Pty Ltd,ST=Some-State,C=AU 1397177946.000000 1428713946.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T -
#close 2014-04-11-02-09-00
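The logs above are in Bro's ASCII log format: a `#separator` line (the separator given as an escape such as `\x09`), then `#set_separator`, `#empty_field` and `#unset_field` directives that define how sets, empty sets and unset fields are encoded, a `#fields` / `#types` pair that names and types every column, and one tab-separated record per line. The following is an added example, not part of the gist, showing a small parser for that header-driven format and a join of the `notice.log` Heartbleed entry back to its `conn.log` record by `uid`. The embedded sample input is reconstructed from the page's own `conn.log` and `notice.log` lines with the tab separators restored (the rendering above collapsed them to spaces); the function names are the example's own.

```python
"""Minimal parser for Bro/Zeek ASCII (TSV) logs plus a uid join.

Added example, not code from the gist. The sample logs below are
reconstructed from the page's conn.log and notice.log with tabs restored.
"""
import ipaddress

# Constructed from the page's conn.log; the first header line uses a
# literal backslash-x09 escape, every later line uses a real tab.
CONN_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tconn\n"
    "#open\t2014-04-11-02-09-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration"
    "\torig_bytes\tresp_bytes\tconn_state\tlocal_orig\tmissed_bytes\thistory\torig_pkts"
    "\torig_ip_bytes\tresp_pkts\tresp_ip_bytes\ttunnel_parents\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount"
    "\tstring\tbool\tcount\tstring\tcount\tcount\tcount\tcount\tset[string]\n"
    "1397163796.404676\tCojr4LYR0U4FkAT2i\t192.168.11.130\t57534\t192.168.11.128\t443\ttcp"
    "\tssl\t0.020171\t463\t51011\tRSTO\t-\t0\tShADadR\t24\t1635\t41\t53151\t(empty)\n"
    "#close\t2014-04-11-02-09-00\n"
)

# Constructed from the page's notice.log.
NOTICE_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n"
    "#empty_field\t(empty)\n"
    "#unset_field\t-\n"
    "#path\tnotice\n"
    "#open\t2014-04-11-02-09-00\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tfuid\tfile_mime_type"
    "\tfile_desc\tproto\tnote\tmsg\tsub\tsrc\tdst\tp\tn\tpeer_descr\tactions\tsuppress_for"
    "\tdropped\tremote_location.country_code\tremote_location.region\tremote_location.city"
    "\tremote_location.latitude\tremote_location.longitude\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tstring\tstring\tenum\tenum\tstring"
    "\tstring\taddr\taddr\tport\tcount\tstring\tset[enum]\tinterval\tbool\tstring\tstring"
    "\tstring\tdouble\tdouble\n"
    "1397163796.421778\tCojr4LYR0U4FkAT2i\t192.168.11.130\t57534\t192.168.11.128\t443\t-\t-\t-"
    "\ttcp\tHeartbleed::SSL_Heartbeat_Encrypted_Attack_Success"
    "\tAn Encrypted TLS heartbleed attack was probably detected!\t-\t192.168.11.130"
    "\t192.168.11.128\t443\t-\tbro\tNotice::ACTION_LOG\t3600.000000\tF\t-\t-\t-\t-\t-\n"
    "#close\t2014-04-11-02-09-00\n"
)


def convert(raw, typ, set_sep, empty, unset):
    """Turn one raw field into a Python value according to its #types entry."""
    if raw == unset:
        return None
    if typ.startswith(("set[", "vector[")):
        inner = typ[typ.index("[") + 1:-1]
        if raw == empty:
            return []
        return [convert(v, inner, set_sep, empty, unset) for v in raw.split(set_sep)]
    if typ in ("count", "int", "port"):
        return int(raw)
    if typ in ("time", "interval", "double"):
        return float(raw)
    if typ == "bool":
        return raw == "T"
    if typ == "addr":
        return ipaddress.ip_address(raw)
    return raw  # string, enum and anything else stay as text


def parse_zeek_log(text):
    """Return (path, records); records are dicts keyed by the #fields names."""
    sep, set_sep, empty, unset = "\t", ",", "(empty)", "-"
    path, fields, types, records = None, None, None, []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#separator "):
                # The separator itself is written as an escape, e.g. \x09.
                sep = line[len("#separator "):].encode().decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "empty_field":
                empty = value
            elif key == "unset_field":
                unset = value
            elif key == "path":
                path = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #open / #close and unknown directives are ignored
        values = line.split(sep)
        if fields is None or types is None or len(values) != len(fields):
            raise ValueError("record does not match #fields header: %r" % line)
        records.append({n: convert(v, t, set_sep, empty, unset)
                        for n, t, v in zip(fields, types, values)})
    return path, records


def heartbleed_notices(notice_text, conn_text):
    """Join Heartbleed::* notices to their connection record via uid."""
    _, notices = parse_zeek_log(notice_text)
    _, conns = parse_zeek_log(conn_text)
    by_uid = {c["uid"]: c for c in conns}
    hits = []
    for n in notices:
        if not n["note"].startswith("Heartbleed::"):
            continue
        conn = by_uid.get(n["uid"])
        hits.append({
            "note": n["note"],
            "client": "%s:%d" % (n["id.orig_h"], n["id.orig_p"]),
            "server": "%s:%d" % (n["id.resp_h"], n["id.resp_p"]),
            "duration": conn["duration"] if conn else None,
            "resp_bytes": conn["resp_bytes"] if conn else None,
            "history": conn["history"] if conn else None,
        })
    return hits


if __name__ == "__main__":
    for hit in heartbleed_notices(NOTICE_LOG, CONN_LOG):
        print(hit)
```

The join is where the analyst value is: the notice alone says what Bro concluded, while the matching `conn.log` row shows the server returning 51011 bytes in a 20 ms session that `ssl.log` records as never `established`, which is the shape an encrypted heartbeat leak leaves in traffic metadata and is worth checking before acting on the notice.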