I think we've all read about the Heartbleed SSL/TLS Vulnerability by now. Getting an ExtraHop Discovery Edition appliance to detect attempts at exploiting this isn't difficult, and so I made a bundle to do just that. This bundle adds an AI Trigger to record whenever a TLS Heartbeat record is observed and to store the client IP and the Common Name from the x509 cert so you know where it came from and for what it was destined.
What you get
- Triggers (1): Heartbleed Detect
- Pages (1): Heartbleed
There are a few caveats of which to be aware: 1. DE can't detect vulnerable hosts if they're not talking - though this at least means they aren't actively being exploited! 2. DE can't detect what implementation of SSL/TLS is being used (OpenSSL, GnuTLS, etc), nor what version of the implementation. 3. The trigger doesn't detect whether the exploit attempt was successful - it merely sees that one was attempted.
- Download the bundle.
- In DE, import the bundle - the trigger and page will automatically be assigned where they need to be. Once some traffic matching the exploit is passed, an application named "Heartbleed" will show up.
- In the full product, import the bundle, then apply the trigger to whatever devices you'd like to monitor for exploit attempts for Heartbleed. Once some traffic matching the exploit is passed, an application named "Heartbleed" will show up. Then associate the page supplied by the bundle with that application.