On Thu, 10 Apr 2014 11:39:45 Eliezer Croitoru wrote:
If it's custom software that is vulnerable, I think the exploit can be blocked using a couple of iptables u32 rules, but I am not sure how to do that (connection marking and phases of the connection).
Some iptables and wireshark rules from Bugtraq:
http://seclists.org/bugtraq/2014/Apr/44

# Log rules
iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
  "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"

# Block rules
iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
  "52=0x18030000:0x1803FFFF" -j DROP

# Wireshark rules
$ tshark -i interface port 443 -R 'frame[68:1] == 18'
$ tshark -i interface port 443 -R 'ssl.record.content_type == 24'

-- 
Jean-Francois Pirus | Technical Manager
francois(a)clearfield.com | Mob +64 21 640 779 | DDI +64 9 282 3401
Clearfield Software Ltd | Ph +64 9 358 2081 | www.clearfield.com
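
Added example, not part of the original message or the Bugtraq post: the u32 test "52=0x18030000:0x1803FFFF" reads four bytes at a fixed offset 52 from the start of the IP header, which is the start of the TCP payload only when the IP header is 20 bytes and the TCP header is 32 bytes (12 bytes of options, such as timestamps). The Python sketch below compares that fixed-offset test with one that derives the payload offset from the headers; all function names and packets are constructed for illustration.

```python
import struct

def fixed_offset_match(pkt: bytes) -> bool:
    """Mimic the u32 test: 32-bit word at IP offset 52 in 0x18030000..0x1803FFFF."""
    if len(pkt) < 56:
        return False
    (word,) = struct.unpack_from("!I", pkt, 52)
    return 0x18030000 <= word <= 0x1803FFFF

def header_aware_match(pkt: bytes) -> bool:
    """Find the TCP payload via IHL and data offset, then test the first record header."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 6:   # IPv4 carrying TCP only
        return False
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 20:
        return False
    doff = (pkt[ihl + 12] >> 4) * 4
    if doff < 20:
        return False
    payload = pkt[ihl + doff:]
    # Content type 24 (0x18) = heartbeat, major version 0x03. Only the first
    # record in the segment is inspected, as with the fixed-offset rule.
    return len(payload) >= 3 and payload[0] == 0x18 and payload[1] == 0x03

def build_packet(tcp_options: bytes, payload: bytes) -> bytes:
    """Constructed IPv4/TCP packet to port 443 (checksums zero, documentation IPs)."""
    doff = (20 + len(tcp_options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, doff << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(tcp_options) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return ip + tcp + tcp_options + payload

# Constructed sample data: record headers followed by opaque filler bytes.
TIMESTAMPS = bytes([1, 1, 8, 10]) + bytes(8)           # NOP, NOP, timestamp option
HB_RECORD = bytes([0x18, 0x03, 0x03, 0x00, 0x20]) + bytes(32)
APP_DATA = (bytes([0x17, 0x03, 0x03, 0x00, 0x20]) + bytes(7)
            + bytes([0x18, 0x03, 0x01, 0x00]) + bytes(21))  # 18 03 at payload byte 12

CASES = {
    "heartbeat, 32-byte TCP header": build_packet(TIMESTAMPS, HB_RECORD),
    "heartbeat, 20-byte TCP header": build_packet(b"", HB_RECORD),
    "app data, 20-byte TCP header": build_packet(b"", APP_DATA),
}

if __name__ == "__main__":
    for name, pkt in CASES.items():
        print(f"{name}: fixed={fixed_offset_match(pkt)} aware={header_aware_match(pkt)}")
```

The second case is a heartbeat record the fixed-offset rule does not see, and the third is application data it would drop; neither test sees a heartbeat record that follows another record inside the same segment.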