heartbleed patterns ?

Matt Brown matthewbrown at gmail.com
Thu Apr 10 17:58:13 EDT 2014


Carter,

Hope all is well.

I see the presentation
(https://www.cert.org/flocon/proceedings/Bullard%20%26%20Gerth-PCR-20140121.pdf)
but can't find the paper.  Is it available to the public?


Thanks,

Matt
On Wed, Apr 9, 2014 at 11:15 PM, Carter Bullard <carter at qosient.com> wrote:

> Hey Mike,
> If imap disconnects within 2 seconds, then grab short lived flows with
> PCR approaching -1.0, and lots of dst bytes.  So they would be trying
> to get a lot of buffers before imap killed the connection ??
>
> In our PCR paper, we've got the mean imap PCR at -0.426.  We
> only used ~100K connections, but the trend was good.  If imap
> killed the connection you would get the FIN/RST coming from
> the server, which would be odd.
>
> Carter
>
> On Apr 9, 2014, at 10:21 PM, mike tancsa <mike at sentex.ca> wrote:
>
> > On 4/9/2014 5:57 PM, Carter Bullard wrote:
> >>
> >> So, long lived connections, low source load values, after the
> >> TLS handshake, and large dst byte counts for the memory dumps,
> >> all in the clear.
> >
> > Hi Carter,
> >       This seems to make sense.  I think the challenge is that this also
> > describes established imap sessions -- it doesn't have to be https traffic, no?
> > Unfortunately, I only have argus records without any user content.
> >
> > Thinking aloud, I wonder what the best way is to compare imap and http logs
> > to argus data.  Normal imap traffic for example would show up in the
> > application logs.  However, an attacker would not, or would just show up
> > as a connect.  Perhaps that's a start.  Look for all connect errors like
> >
> > dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>,
> > rip=64.x.x.x, lip=64.y.y.y, TLS handshaking: Disconnected
> >
> > and see if there were any large flows for the connecting IP.
> >
> > Hmmm, that's a lot of cross referencing :)
> >
> > Unfortunately, apache does not seem to log such connections :(  I guess
> > I would have to look a different way.  Find all the large connections in
> > argus and look for corresponding httpd-log entries?
> >
> >       ---Mike
> >
>
>
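The cross-referencing Mike describes (dovecot "no auth attempts" disconnects matched against argus flows from the same client, scored with the PCR heuristic Carter gives), as an added Python example that is not part of the thread or the argus project. The log lines, the `ra`-style CSV flow records and the thresholds (`max_dur`, `min_dbytes`, `pcr_max`) are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample data, not from the thread: two dovecot imap-login lines.
DOVECOT_LOG = """\
Apr  9 21:14:02 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=203.0.113.7, lip=192.0.2.10, TLS handshaking: Disconnected
Apr  9 21:14:40 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=198.51.100.23, lip=192.0.2.10, TLS
"""

# Constructed argus flows, in the shape `ra -c , -s stime dur saddr daddr sbytes dbytes` prints.
ARGUS_CSV = """\
stime,dur,saddr,daddr,sbytes,dbytes
21:14:00.512,1.803,203.0.113.7,192.0.2.10,1200,180000
21:14:38.100,340.217,198.51.100.23,192.0.2.10,30000,92000
21:15:01.009,0.412,203.0.113.7,192.0.2.10,600,900
"""

RIP_RE = re.compile(r"Disconnected \(no auth attempts in \d+ secs\).*\brip=([\d.]+)")


def pcr(sbytes, dbytes):
    """Producer Consumer Ratio: (src - dst) / (src + dst); -1.0 means only the server sent."""
    total = sbytes + dbytes
    return (sbytes - dbytes) / total if total else 0.0


def failed_tls_clients(log_text):
    """Remote IPs dovecot dropped for never attempting auth (the error quoted in the thread)."""
    return {m.group(1) for line in log_text.splitlines() if (m := RIP_RE.search(line))}


def suspicious_flows(argus_csv, suspect_ips, max_dur=2.0, min_dbytes=50_000, pcr_max=-0.9):
    """Flows from suspect IPs that are short, server-heavy (PCR near -1) and large on the dst side.
    The thresholds are assumptions for illustration, not values from the thread or the PCR paper."""
    hits = []
    for row in csv.DictReader(io.StringIO(argus_csv)):
        sb, db = int(row["sbytes"]), int(row["dbytes"])
        ratio = pcr(sb, db)
        if (row["saddr"] in suspect_ips and float(row["dur"]) <= max_dur
                and db >= min_dbytes and ratio <= pcr_max):
            hits.append({**row, "pcr": round(ratio, 3)})
    return hits


if __name__ == "__main__":
    for hit in suspicious_flows(ARGUS_CSV, failed_tls_clients(DOVECOT_LOG)):
        print(hit)
```

The second flow is a normal, long-lived IMAP session with a PCR near the -0.426 mean Carter quotes, so it is not flagged; the third is short but carries too few dst bytes.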