Bro Heartbleed detection using another evasion PCAP from @erratarob (https://twitter.com/erratarob/status/455184562549583872)
#separator \x09 | |
#set_separator , | |
#empty_field (empty) | |
#unset_field - | |
#path conn | |
#open 2014-04-12-23-52-22 | |
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service duration orig_bytes resp_bytes conn_state local_orig missed_bytes history orig_pkts orig_ip_bytes resp_pkts resp_ip_bytes tunnel_parents | |
#types time string addr port addr port enum string interval count count string bool count string count count count count set[string] | |
1397349488.146539 CgiXSR3iafr2IvmXH8 96.25.174.16 12929 107.170.194.215 443 tcp ssl 4.071024 606 72872 S1 - 0 ShADad 39 2322 57 75164 (empty) | |
#close 2014-04-12-23-52-22 |
#separator \x09 | |
#set_separator , | |
#empty_field (empty) | |
#unset_field - | |
#path files | |
#open 2014-04-12-23-52-22 | |
#fields ts fuid tx_hosts rx_hosts conn_uids source depth analyzers mime_type filename duration local_orig is_orig seen_bytes total_bytes missing_bytes overflow_bytes timedout parent_fuid md5 sha1 sha256 extracted | |
#types time string set[addr] set[addr] set[string] string count set[string] string string interval bool bool count count count count bool string string string string string | |
1397349488.805462 FIUsK4nYZ2xSTBEmc 107.170.194.215 96.25.174.16 CgiXSR3iafr2IvmXH8 SSL 0 SHA1,X509,MD5 - - 0.000000 - F 1329 - 0 0 F - 3680cd3b4a21ed7e025395bf65f7c93e b1ea109f8cc4e2c61ae820b0977c49caf31fd6dd - - | |
1397349488.805462 FQmRcQ22FtTT1muIj6 107.170.194.215 96.25.174.16 CgiXSR3iafr2IvmXH8 SSL 0 SHA1,X509,MD5 - - 0.000000 - F 1287 - 0 0 F - b51a6d2d44cc72d6c62a1b975a183d91 73820a20f8f47a457cd0b54cc4e4e31cefa5c1e7 - - | |
1397349488.805462 FRfk4q1rq5kGVb4DNg 107.170.194.215 96.25.174.16 CgiXSR3iafr2IvmXH8 SSL 0 SHA1,X509,MD5 - - 0.000000 - F 1199 - 0 0 F - c71ed879914c01aceded00304c47f0e4 4e154acb683efd5578001432b92afe896812b85e - - | |
1397349488.805462 FSCRnq1s9hDCMr7lZ 107.170.194.215 96.25.174.16 CgiXSR3iafr2IvmXH8 SSL 0 SHA1,X509,MD5 - - 0.000000 - F 1194 - 0 0 F - 55070f1f9ae5ea2161f3722b8b417f27 9e99817d12280c9677674430492eda1dce2e4c63 - - | |
1397349488.805462 FzpY4646MVjRBqRn2f 107.170.194.215 96.25.174.16 CgiXSR3iafr2IvmXH8 SSL 0 SHA1,X509,MD5 - - 0.000000 - F 1082 - 0 0 F - 1d3554048578b03f42424dbf20730a3f 02faf3e291435468607857694df5e45b68851868 - - | |
#close 2014-04-12-23-52-22 |
#separator \x09 | |
#set_separator , | |
#empty_field (empty) | |
#unset_field - | |
#path notice | |
#open 2014-04-12-23-52-22 | |
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p fuid file_mime_type file_desc proto note msg sub src dst p n peer_descr actions suppress_for dropped remote_location.country_code remote_location.region remote_location.city remote_location.latitude remote_location.longitude | |
#types time string addr port addr port string string string enum enum string string addr addr port count string set[enum] interval bool string string string double double | |
1397349491.330629 CgiXSR3iafr2IvmXH8 96.25.174.16 12929 107.170.194.215 443 - - - tcp Heartbleed::SSL_Heartbeat_Encrypted_Attack_Success An Encrypted TLS heartbleed attack was probably detected! - 96.25.174.16 107.170.194.215 443 - bro Notice::ACTION_LOG 3600.000000 F - - - - - | |
#close 2014-04-12-23-52-22 |
#separator \x09 | |
#set_separator , | |
#empty_field (empty) | |
#unset_field - | |
#path ssl | |
#open 2014-04-12-23-52-22 | |
#fields ts uid id.orig_h id.orig_p id.resp_h id.resp_p version cipher server_name session_id last_alert established cert_chain_fuids client_cert_chain_fuids subject issuer client_subject client_issuer | |
#types time string addr port addr port string string string string string bool vector[string] vector[string] string string string string | |
1397349488.540207 CgiXSR3iafr2IvmXH8 96.25.174.16 12929 107.170.194.215 443 TLSv12 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - - F FIUsK4nYZ2xSTBEmc,FQmRcQ22FtTT1muIj6,FRfk4q1rq5kGVb4DNg,FSCRnq1s9hDCMr7lZ,FzpY4646MVjRBqRn2f (empty) - - - - | |
#close 2014-04-12-23-52-22 |
#separator \x09 | |
#set_separator , | |
#empty_field (empty) | |
#unset_field - | |
#path x509 | |
#open 2014-04-12-23-52-22 | |
#fields ts id certificate.version certificate.serial certificate.subject certificate.issuer certificate.not_valid_before certificate.not_valid_after certificate.key_alg certificate.sig_alg certificate.key_type certificate.key_length certificate.exponent certificate.curve san.dns san.uri san.email san.ip basic_constraints.ca basic_constraints.path_len | |
#types time string count string string string time time string string string count string string vector[string] vector[string] vector[string] vector[addr] bool count | |
1397349488.805462 FIUsK4nYZ2xSTBEmc 3 4A41A41DCF8D24618BA94B3D61995CC4 CN=cloudflarechallenge.com,OU=Free SSL,OU=Domain Control Validated CN=EssentialSSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1397102400.000000 1404964799.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - cloudflarechallenge.com,www.cloudflarechallenge.com - - - F - | |
1397349488.805462 FQmRcQ22FtTT1muIj6 3 18B2CBBAA304F1A00FC1F2F326462A4A CN=EssentialSSL CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB 1164949200.000000 1577854799.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T 0 | |
1397349488.805462 FRfk4q1rq5kGVb4DNg 3 2E79832E908887EA8B8EF31A6EE67A44 CN=COMODO Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US 1164949200.000000 1590850118.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T - | |
1397349488.805462 FSCRnq1s9hDCMr7lZ 3 46EAF096054CC5E3FA65EA6E9F42C664 CN=UTN - DATACorp SGC,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE 1118146150.000000 1590850118.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T - | |
1397349488.805462 FzpY4646MVjRBqRn2f 3 01 CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE 959698118.000000 1590850118.000000 rsaEncryption sha1WithRSAEncryption rsa 2048 65537 - - - - - T - | |
#close 2014-04-12-23-52-22 |