heartbleed patterns ?

Carter Bullard carter at qosient.com
Thu Apr 10 18:04:50 EDT 2014


Hey Matt,
No paper, just the presentation.  It's pretty good.
Do you need some dialog to go with it ??

Ask a few questions, if there is something missing !!!

Carter

On Apr 10, 2014, at 5:58 PM, Matt Brown <matthewbrown at gmail.com> wrote:

> Carter,
> 
> Hope all is well.
> 
> I see the presentation (https://www.cert.org/flocon/proceedings/Bullard%20%26%20Gerth-PCR-20140121.pdf) but can't find the paper.  Is it available to the public?
> 
> 
> Thanks,
> 
> Matt
> 
> 
> 
> 
> On Wed, Apr 9, 2014 at 11:15 PM, Carter Bullard <carter at qosient.com> wrote:
> Hey Mike,
> If imap disconnects within 2 seconds, then grab short lived flows with
> PCR approaching -1.0, and lots of dst bytes.  So they would be trying
> to get a lot of buffers before imap killed the connection ??
> 
> In our PCR paper, we’ve got the mean imap PCR at -0.426.  We
> only used ~100K connections, but the trend was good.  If imap
> killed the connection you would get the FIN/RST coming from
> the server, which would be odd.
> 
> Carter
> 
> On Apr 9, 2014, at 10:21 PM, mike tancsa <mike at sentex.ca> wrote:
> 
> > On 4/9/2014 5:57 PM, Carter Bullard wrote:
> >>
> >> So, long lived connections, low source load values, after the
> >> TLS handshake, and large dst byte counts for the memory dumps,
> >> all in the clear.
> >
> > Hi Carter,
> >       This seems to make sense.  I think the challenge is that this also describes established imap sessions-- it doesn't have to be https traffic no ?   Unfortunately, I only have argus records without any user content.
> >
> > Thinking aloud, I wonder what the best way to compare imap and http logs to argus data.  Normal imap traffic for example would show up in the applications logs.  However, an attacker, would not, or would just show up as a connect.  Perhaps that's a start.  Look for all connect errors like
> >
> > dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=64.x.x.x, lip=64.y.y.y, TLS handshaking: Disconnected
> >
> > and see if there were any large flows for the connecting IP.
> >
> > Hmmm, that's a lot of cross referencing :)
> >
> > Unfortunately, apache does not seem to log such connections :(  I guess I would have to look a different way.  Find all the large connections in argus and look for corresponding httpd-log entries ?
> >
> >       ---Mike
> >
> 
> 

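The cross-referencing Mike sketches above (dovecot "no auth attempts" disconnects matched against argus flows for the same remote IP, then filtered on Carter's short-duration / PCR-near-minus-one / large-dst-bytes pattern) written out as a small script. This is an added example, not code from the thread or from the argus project: the log lines, flow records and IP addresses are constructed, the flow tuple layout (saddr, daddr, dport, dur, sbytes, dbytes) is an assumption rather than argus's own record format, and the byte and PCR thresholds are illustrative choices. PCR itself is computed as (sbytes - dbytes) / (sbytes + dbytes), per the Bullard & Gerth presentation linked in the thread.

```python
import re

# Constructed sample dovecot log lines (invented IPs, not from the thread).
DOVECOT_LOG = """\
Apr  9 21:40:12 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=198.51.100.23, lip=203.0.113.5, TLS handshaking: Disconnected
Apr  9 21:41:03 mail dovecot: imap-login: Login: user=<alice>, method=PLAIN, rip=192.0.2.44, lip=203.0.113.5, TLS
Apr  9 21:42:55 mail dovecot: imap-login: Disconnected (no auth attempts in 2 secs): user=<>, rip=198.51.100.23, lip=203.0.113.5, TLS handshaking: Disconnected
"""

# Constructed flow records in an assumed layout:
# (saddr, daddr, dport, duration_seconds, src_bytes, dst_bytes)
FLOWS = [
    ("198.51.100.23", "203.0.113.5", 993, 1.8, 1200, 65500),    # short, server-heavy
    ("192.0.2.44",    "203.0.113.5", 993, 640.0, 48000, 52000), # ordinary mailbox session
    ("198.51.100.23", "203.0.113.5", 993, 1.5, 900, 320),       # short, handshake-sized
]

# Matches the dovecot disconnect line quoted in the thread and pulls out
# the timeout window and the remote IP (rip=).
DISCONNECT_RE = re.compile(
    r"imap-login: Disconnected \(no auth attempts in (\d+) secs\).*?rip=([\d.]+)"
)


def suspicious_rips(log_text):
    """Map each remote IP that dovecot dropped with no auth attempt to the
    largest disconnect window (seconds) seen for it."""
    rips = {}
    for line in log_text.splitlines():
        m = DISCONNECT_RE.search(line)
        if m:
            secs, rip = int(m.group(1)), m.group(2)
            rips[rip] = max(secs, rips.get(rip, 0))
    return rips


def pcr(sbytes, dbytes):
    """Producer/Consumer Ratio: +1.0 is a pure producer (client sends everything),
    -1.0 a pure consumer (server sends everything)."""
    total = sbytes + dbytes
    if total == 0:
        return 0.0
    return (sbytes - dbytes) / total


def flag_flows(flows, rips, pcr_max=-0.9, min_dbytes=16384):
    """Return flows from a dropped IP that ended within dovecot's disconnect
    window, lean strongly towards the server (PCR <= pcr_max) and carried
    at least min_dbytes from the server. Thresholds are illustrative."""
    hits = []
    for saddr, daddr, dport, dur, sbytes, dbytes in flows:
        window = rips.get(saddr)
        if window is None or dur > window:
            continue
        ratio = pcr(sbytes, dbytes)
        if ratio <= pcr_max and dbytes >= min_dbytes:
            hits.append((saddr, daddr, dport, round(ratio, 3), dbytes))
    return hits


if __name__ == "__main__":
    dropped = suspicious_rips(DOVECOT_LOG)
    for hit in flag_flows(FLOWS, dropped):
        print("suspicious flow:", hit)
```

The second flow from the dropped IP is deliberately small and client-weighted, so it falls through both the byte and PCR filters; that is the distinction Carter draws between a handshake that simply timed out and one where the server pushed a lot of data before the disconnect.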