University Research Team Tests Detection Signatures for Heartbleed in Forensics Cloud

21/04/2014

The research team at Edinburgh Napier have been using a unique Forensic Cloud to analyse the Heartbleed vulnerability (CVE-2014-0160). They have produced a number of reports, including a demonstration of a real-life attack and a capture of the live network traffic it generates.

They have also been analysing Intrusion Detection System (IDS) signatures for Heartbleed, in order to determine whether they work on real-life traffic. The IDS used is Snort, an open-source system that is widely used in industry. The analysis is at:

http://www.asecuritysite.com/forensics/snort?fname=heart.pcap&rulesname=heart2.rules

The traffic detector is at:

http://asecuritysite.com/forensics/pcap?infile=heart.pcap

and the results of the rules are at:

alert.ids:

[**] [1:21001128:5] FOX-SRT - Suspicious - TLSv1.1 Large Heartbeat Response [**] [Priority: 0] 04/16-12:00:41.513086 172.16.121.150:443 -> 172.16.121.1:64667 TCP TTL:64 TOS:0x0 ID:48932 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0xD23B4BD2 Ack: 0xEEE0A518 Win: 0xEB TcpLen: 32 TCP Options (3) => NOP NOP TS: 2422864 712154808 [Xref => cve 2014-0160]

[**] [1:21001131:5] FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response [**] [Priority: 0] 04/16-12:00:41.513086 172.16.121.150:443 -> 172.16.121.1:64667 TCP TTL:64 TOS:0x0 ID:48932 IpLen:20 DgmLen:1500 DF ***A**** Seq: 0xD23B4BD2 Ack: 0xEEE0A518 Win: 0xEB TcpLen: 32 TCP Options (3) => NOP NOP TS: 2422864 712154808 [Xref => cve 2014-0160]

for the rules set of:

# FOX-SRT rules
alert tcp any [!80,!445] -> any [!80,!445] (msg:"FOX-SRT - Suspicious - SSLv3 Large Heartbeat Response"; flow:established; content:"|18 03 00|"; depth:3; byte_test:2,>,200,3; byte_test:2,<,16409,3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160;  sid: 21001126; rev:5;)
alert tcp any [!80,!445] -> any [!80,!445] (msg:"FOX-SRT - Suspicious - TLSv1 Large Heartbeat Response"; flow:established; content:"|18 03 01|"; depth:3; byte_test:2,>,200,3; byte_test:2,<,16409,3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160;  sid: 21001127; rev:5;)
alert tcp any [!80,!445] -> any [!80,!445] (msg:"FOX-SRT - Suspicious - TLSv1.1 Large Heartbeat Response"; flow:established; content:"|18 03 02|"; depth:3; byte_test:2,>,200,3; byte_test:2,<,16409,3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160;  sid: 21001128; rev:5;)
alert tcp any [!80,!445] -> any [!80,!445] (msg:"FOX-SRT - Suspicious - TLSv1.2 Large Heartbeat Response"; flow:established; content:"|18 03 03|"; depth:3; byte_test:2,>,200,3; byte_test:2,<,16409,3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160;  sid: 21001129; rev:5;)
alert tcp any any -> any any (msg:"FOX-SRT - Flowbit - TLS-SSL Client Hello"; flow:established; dsize:< 500; content:"|16 03|"; depth:2; byte_test:1, <=, 2, 3; byte_test:1, !=, 2, 1; content:"|01|"; offset:5; depth:1; content:"|03|"; offset:9; byte_test:1, <=, 3, 10; byte_test:1, !=, 2, 9; content:"|00 0f 00|"; flowbits:set,foxsslsession; flowbits:noalert; threshold:type limit, track by_src, count 1, seconds 60; reference:cve,2014-0160;  sid: 21001130; rev:9;)
alert tcp any any -> any any (msg:"FOX-SRT - Suspicious - TLS-SSL Large Heartbeat Response"; flow:established; flowbits:isset,foxsslsession; content:"|18 03|"; depth: 2; byte_test:1, <=, 3, 2; byte_test:1, !=, 2, 1; byte_test:2, >, 200, 3; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160;  sid: 21001131; rev:5;)
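To make explicit what these rules actually test, the following Python re-implements their content and byte_test conditions and walks a TLSv1.1 session through them. This is example code added for this page, not the research team's code and not Snort itself; the sample Client Hello and heartbeat records are constructed inline rather than taken from heart.pcap, and the function names are my own.

```python
"""Added example (not the research team's code, and not Snort): a Python
re-implementation of the byte checks in the FOX-SRT rules above, run over
constructed TLS records so the alert pattern in alert.ids can be reproduced
offline. Snort evaluates each rule against one TCP segment's payload, so the
sample "packets" below are segment payloads, not whole TLS records."""
import struct

HANDSHAKE = 0x16   # TLS record content types (RFC 5246 / RFC 6520)
HEARTBEAT = 0x18
EXCLUDED_PORTS = {80, 445}   # the per-version rules use "any [!80,!445] -> any [!80,!445]"


def large_heartbeat_sid(payload, sport, dport):
    """sids 21001126-21001129: content:"|18 03 0X|"; depth:3;
    byte_test:2,>,200,3; byte_test:2,<,16409,3 (big-endian record length).
    Returns the sid of the per-version rule that would fire, else None."""
    if sport in EXCLUDED_PORTS or dport in EXCLUDED_PORTS or len(payload) < 5:
        return None
    if payload[0] != HEARTBEAT or payload[1] != 0x03 or payload[2] > 3:
        return None
    rec_len = struct.unpack(">H", payload[3:5])[0]
    if 200 < rec_len < 16409:
        return 21001126 + payload[2]   # 03 00 -> ...126 (SSLv3) ... 03 03 -> ...129 (TLSv1.2)
    return None


def is_heartbeat_client_hello(payload):
    """sid 21001130 (flowbit setter): a Client Hello under 500 bytes whose
    extensions contain |00 0f 00|, i.e. extension type 0x000f (heartbeat)."""
    if not 11 <= len(payload) < 500:                            # dsize:< 500
        return False
    if payload[0:2] != b"\x16\x03" or payload[3] > 2:           # content:"|16 03|"; byte_test:1,<=,2,3
        return False
    if payload[5] != 0x01:                                      # content:"|01|"; offset:5; depth:1
        return False
    if b"\x03" not in payload[9:] or payload[10] > 3 or payload[9] == 2:
        return False                                            # client_version checks at 9 and 10
    return b"\x00\x0f\x00" in payload                           # content:"|00 0f 00|"


def large_heartbeat_in_session(payload):
    """sid 21001131: same header checks without the per-version split and
    without the 16409 upper bound; only alerts once the flowbit is set."""
    if len(payload) < 5 or payload[0:2] != b"\x18\x03" or payload[2] > 3:
        return False
    return struct.unpack(">H", payload[3:5])[0] > 200


def run_rules(session):
    """Apply the rules to (sport, dport, payload) tuples in order, keeping the
    foxsslsession flowbit per session. Returns the sids that would alert.
    (threshold:type limit is not modelled; it only suppresses repeat alerts.)"""
    alerts, flowbit = [], False
    for sport, dport, payload in session:
        if is_heartbeat_client_hello(payload):
            flowbit = True                     # flowbits:set,foxsslsession; flowbits:noalert
        sid = large_heartbeat_sid(payload, sport, dport)
        if sid is not None:
            alerts.append(sid)
        if flowbit and large_heartbeat_in_session(payload):
            alerts.append(21001131)
    return alerts


# --- constructed sample traffic (not taken from heart.pcap) ---------------
def build_client_hello(minor):
    """Minimal TLS 1.x Client Hello offering one cipher suite and the heartbeat extension."""
    ext = b"\x00\x0f\x00\x01\x01"                  # type 0x000f, length 1, peer_allowed_to_send
    body = (bytes([0x03, minor]) + b"\x00" * 32    # client_version, random
            + b"\x00"                              # session_id length 0
            + b"\x00\x02\x00\x2f"                  # one cipher suite
            + b"\x01\x00"                          # one compression method (null)
            + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE, 0x03, minor]) + struct.pack(">H", len(hs)) + hs


def build_heartbeat_response(minor, payload_len, segment_bytes=1448):
    """First TCP segment of a HeartbeatResponse record (RFC 6520): header, type 0x02,
    payload_length, payload, 16 bytes padding. A Heartbleed response claims
    payload_len 16384, giving a record length of 16403."""
    body = b"\x02" + struct.pack(">H", payload_len) + b"\x00" * payload_len + b"\x00" * 16
    record = bytes([HEARTBEAT, 0x03, minor]) + struct.pack(">H", len(body)) + body
    return record[:segment_bytes]


# Client on port 64667 talks TLSv1.1 to a server on 443, as in the alert.ids output.
SAMPLE_SESSION = [
    (64667, 443, build_client_hello(2)),
    (443, 64667, build_heartbeat_response(2, 0)),       # benign 19-byte heartbeat: no alert
    (443, 64667, build_heartbeat_response(2, 16384)),   # Heartbleed-sized response
]

if __name__ == "__main__":
    print(run_rules(SAMPLE_SESSION))   # [21001128, 21001131], matching alert.ids
```

Three points the rules make visible. First, the checks only look at the record header, which is why the alert fired on the first 1500-byte segment of the response (the record itself is over 16 KB and spans many segments). Second, the per-version rules ignore ports 80 and 445 in either direction, so on those ports only the flowbit-qualified rule 21001131 can fire. Third, 21001131 needs the Client Hello to have been seen by Snort, so a session that started before the sensor was listening is only caught by the per-version rules. With Snort 2 the same pcap can be replayed against the rules with `snort -c heart2.rules -r heart.pcap -A console`.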


These tests show that the signatures fire on the captured attack: of the six rules, sid 21001128 (TLSv1.1 large heartbeat response) and sid 21001131 (the flowbit-qualified large heartbeat response) alerted on the server's first 1500-byte response segment, which is the expected pair for a TLSv1.1 session. The first set of signatures is thus validated against real attack traffic and can be deployed on live systems; note that a single attack capture measures detection, not the false-positive rate on benign traffic. The site also gives system administrators the opportunity to test their own IDS signatures on real-life threat traffic. The full details of the analysis are here and here.

Associated people

William Buchanan
Director of CDCS
w.buchanan@napier.ac.uk
+44 131 455 2759
Richard Macfarlane
Lecturer
r.macfarlane@napier.ac.uk
+44 131 455 2335
Lu Fan
Senior Research Fellow
l.fan@napier.ac.uk
+44 131 455 2438
Bruce Ramsay
Senior Research Fellow
B.Ramsay@napier.ac.uk
+44 131 455 2746