heartbleed patterns ?

Carter Bullard carter at qosient.com
Wed Apr 9 23:15:53 EDT 2014


Hey Mike,
If imap disconnects within 2 seconds, then grab short-lived flows with
PCR approaching -1.0, and lots of dst bytes.  So they would be trying
to get a lot of buffers before imap killed the connection??

In our PCR paper, we’ve got the mean imap PCR at -0.426.  We
only used ~100K connections, but the trend was good.  If imap
killed the connection you would get the FIN/RST coming from
the server, which would be odd.

Carter

On Apr 9, 2014, at 10:21 PM, mike tancsa <mike at sentex.ca> wrote:

> On 4/9/2014 5:57 PM, Carter Bullard wrote:
>> 
>> So, long lived connections, low source load values, after the
>> TLS handshake, and large dst byte counts for the memory dumps,
>> all in the clear.
> 
> Hi Carter,
> 	This seems to make sense.  I think the challenge is that this also describes established imap sessions -- it doesn't have to be https traffic, no?   Unfortunately, I only have argus records without any user content.
> 
> Thinking aloud, I wonder what the best way is to compare imap and http logs to argus data.  Normal imap traffic, for example, would show up in the application logs.  However, an attacker would not, or would just show up as a connect.  Perhaps that's a start.  Look for all connect errors like
> 
> dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=64.x.x.x, lip=64.y.y.y, TLS handshaking: Disconnected
> 
> and see if there were any large flows for the connecting IP.
> 
> Hmmm, that's a lot of cross referencing :)
> 
> Unfortunately, apache does not seem to log such connections :(  I guess I would have to look a different way.  Find all the large connections in argus and look for corresponding httpd-log entries ?
> 
> 	---Mike
> 

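The heuristic sketched in this thread (short-lived imap flows, PCR near -1.0, large dst byte counts, cross-referenced against dovecot's "no auth attempts" disconnects), worked through as an added example that is not part of the original mails or of the Argus tools themselves. The flow records, dovecot lines, addresses and thresholds are all constructed here; PCR is computed as (src bytes - dst bytes) / (src bytes + dst bytes), the Argus Producer/Consumer Ratio definition.

```python
import re
from dataclasses import dataclass

# Constructed records laid out like whitespace-separated `ra` output with the fields
# stime dur proto saddr sport daddr dport sbytes dbytes (documentation-range addresses).
ARGUS_RECORDS = """\
1397092800.1 1.83 tcp 198.51.100.7 51234 192.0.2.10 993 1020 65900
1397092801.4 340.2 tcp 198.51.100.8 51235 192.0.2.10 993 4800 6100
1397092802.0 0.90 tcp 198.51.100.9 51236 192.0.2.10 993 900 1100
1397092803.2 1.50 tcp 198.51.100.7 51237 192.0.2.10 993 980 64210
"""

# Constructed dovecot lines in the format quoted in the thread.
DOVECOT_LOG = """\
dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=198.51.100.7, lip=192.0.2.10, TLS handshaking: Disconnected
dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.8, lip=192.0.2.10, TLS
"""

@dataclass
class Flow:
    stime: float
    dur: float
    saddr: str
    sport: int
    daddr: str
    dport: int
    sbytes: int
    dbytes: int

    @property
    def pcr(self) -> float:
        # Producer/Consumer Ratio: -1.0 means the server (dst) sent every byte.
        total = self.sbytes + self.dbytes
        return 0.0 if total == 0 else (self.sbytes - self.dbytes) / total

def parse_argus(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        if line.strip():
            st, dur, _proto, sa, sp, da, dp, sb, db = line.split()
            flows.append(Flow(float(st), float(dur), sa, int(sp), da, int(dp), int(sb), int(db)))
    return flows

def suspect_flows(flows, max_dur=2.0, max_pcr=-0.9, min_dbytes=16384, port=993):
    # Short-lived, almost entirely server-to-client, and large: thresholds are assumptions.
    return [f for f in flows
            if f.dport == port and f.dur <= max_dur and f.pcr <= max_pcr and f.dbytes >= min_dbytes]

RIP_RE = re.compile(r"imap-login: Disconnected \(no auth attempts in \d+ secs\).*?rip=([\d.]+)")

def no_auth_disconnect_ips(log: str) -> set[str]:
    # Remote IPs that dovecot dropped before any AUTH, as in the line Mike quoted.
    return {m.group(1) for m in (RIP_RE.search(l) for l in log.splitlines()) if m}

def cross_reference(flows, log):
    # (saddr, dbytes, pcr) for suspect flows whose source also shows up as a no-auth disconnect.
    ips = no_auth_disconnect_ips(log)
    return [(f.saddr, f.dbytes, round(f.pcr, 3)) for f in suspect_flows(flows) if f.saddr in ips]
```

Run over real data, `ra -s stime dur proto saddr sport daddr dport sbytes dbytes` output can be fed straight into parse_argus, and the long-lived, balanced flow (198.51.100.8) drops out while the two short, server-heavy flows from 198.51.100.7 survive the cross-reference.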