We here at Click Labs are pretty passionate about finding interesting patterns in data, especially when those patterns lead to finding a compromise or some other interesting activity. In light of the recent Heartbleed announcement, we have been playing with data to see if we could find any patterns that might indicate attempts at using the Heartbleed vulnerability. Our constraints were: we could use only IDS signatures to verify findings, and we had to use data that we already had. We also tried to come up with a technique that would be applicable across several types of data and was not tied directly to a specific product (although we only used one source of data for our analysis).
As the basis for this analysis, we looked for a common Heartbleed pattern: significantly less data is sent to the server than is received from it. Most write-ups of the attack describe a small heartbeat request producing a response of up to 64k. That's a huge discrepancy that we can take advantage of.
Our first step was to see if our hunch was correct. We gathered a handful of PCAP files that contained known exploit attempts and made some basic observations. The following records are from a Bro connection log:
We can see there’s often less information sent (450, 233) vs. received (1971, 17871). This type of information is generally available via flow logs as well, meeting our requirement to not be tied to a specific product. The next step was gathering more information for bigger and better patterns.
We gathered 3 million flow records of SSL traffic. That's not a lot of records, but it seemed like a good number to start with. We narrowed the data down to records that were coming into the various organizations from external IPs. This left us with about 60,000 flows (ahh, the powers of data reduction). From the remaining data we removed six sessions that had 6 bytes sent and 0 bytes received (a ratio is undefined when nothing comes back), calculated the ratio of bytes sent to bytes received, calculated the ratio of packets sent to packets received, and then looked at the distribution of the data.
Next we retrieved all the extreme outlying flows that had a smaller ratio, that is, flows that had significantly more bytes and packets received than sent.
This left us with 724 flows and 264 unique source IP addresses that could be exhibiting Heartbleed scanning. We grabbed PCAP data for all the suspect IPs in the list and ran those PCAPs through Snort with the signatures published by Emerging Threats and FOX IT. Of the 264 suspect IPs, 263 triggered the Snort signatures we used. The full list of IPs we found exhibiting the suspicious behavior is available here: http://pastebin.com/KEX85PYk.
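The flow-ratio triage described above, as an added Python example (this is not code from the Click Labs write-up, which used shell scripts, and the PCAP/Snort verification step is out of its scope). It parses a constructed Bro conn.log excerpt, keeps inbound SSL flows from external originators, drops flows with nothing received, computes the bytes and packets sent-to-received ratios, and flags the extreme low outliers. Assumptions: the organization's internal range is 10.0.0.0/8, the first two flows reuse the byte counts quoted earlier in the post while every address, uid and other value is made up, and "extreme outlier" is implemented as a robust z-score on the median absolute deviation, since the post does not say how its cut was chosen.

```python
"""Flow-ratio triage for Heartbleed-style probes, on a constructed Bro conn.log excerpt."""
import ipaddress
import statistics

# Constructed conn.log excerpt using a subset of Bro's standard fields (tab-separated).
# The first two flows reuse the byte counts quoted in the post (450/1971 and 233/17871);
# every address, uid and remaining value here is made up for the example.
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\torig_bytes\tresp_bytes\torig_pkts\tresp_pkts
1397000001.1\tC1\t198.51.100.7\t51234\t10.0.0.5\t443\ttcp\tssl\t450\t1971\t6\t7
1397000002.2\tC2\t198.51.100.7\t51235\t10.0.0.5\t443\ttcp\tssl\t233\t17871\t5\t18
1397000003.3\tC3\t203.0.113.9\t40000\t10.0.0.5\t443\ttcp\tssl\t1800\t2100\t12\t13
1397000004.4\tC4\t203.0.113.10\t40001\t10.0.0.6\t443\ttcp\tssl\t2500\t3100\t15\t16
1397000005.5\tC5\t10.0.0.8\t40002\t10.0.0.6\t443\ttcp\tssl\t200\t9000\t4\t10
1397000006.6\tC6\t203.0.113.11\t40003\t10.0.0.6\t443\ttcp\tssl\t6\t0\t1\t0
1397000007.7\tC7\t203.0.113.12\t40004\t10.0.0.5\t443\ttcp\tssl\t2200\t2600\t14\t15
1397000008.8\tC8\t203.0.113.13\t40005\t10.0.0.5\t443\ttcp\tssl\t1950\t2300\t13\t14
1397000009.9\tC9\t203.0.113.14\t40006\t10.0.0.5\t443\ttcp\tssl\t2050\t2450\t13\t14
"""

# Assumption: the monitored organization owns 10.0.0.0/8; adjust to your own ranges.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_conn_log(text):
    """Turn a Bro conn.log into a list of dicts keyed by the #fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif fields and line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def is_internal(addr):
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)


def inbound_ssl_flows(rows):
    """Keep SSL flows initiated from outside toward an internal responder."""
    return [r for r in rows
            if r["service"] == "ssl"
            and not is_internal(r["id.orig_h"]) and is_internal(r["id.resp_h"])]


def _count(value):
    return 0 if value == "-" else int(value)  # Bro writes '-' for unset counters


def add_ratios(flows):
    """Attach sent/received ratios; drop flows where nothing came back (ratio undefined)."""
    scored = []
    for r in flows:
        ob, rb = _count(r["orig_bytes"]), _count(r["resp_bytes"])
        op, rp = _count(r["orig_pkts"]), _count(r["resp_pkts"])
        if rb == 0 or rp == 0:
            continue
        scored.append({**r, "byte_ratio": ob / rb, "pkt_ratio": op / rp})
    return scored


def robust_low_outliers(scored, key, cutoff=-3.5):
    """Flows whose ratio lies far below the median, measured in MAD units.
    The median absolute deviation is scaled by 1.4826 so it is comparable to a
    standard deviation; a few extreme probes cannot drag it the way they would a mean."""
    vals = [s[key] for s in scored]
    med = statistics.median(vals)
    mad = statistics.median([abs(v - med) for v in vals])
    if mad == 0:  # more than half the flows share one ratio; no spread to measure against
        return []
    return [s for s in scored if (s[key] - med) / (1.4826 * mad) < cutoff]


def suspect_flows(scored):
    """Flows that are low outliers on both the byte ratio and the packet ratio."""
    low_bytes = {s["uid"] for s in robust_low_outliers(scored, "byte_ratio")}
    return [s for s in robust_low_outliers(scored, "pkt_ratio") if s["uid"] in low_bytes]


def suspect_sources(scored):
    """Unique external addresses behind the suspect flows, for PCAP follow-up."""
    return {s["id.orig_h"] for s in suspect_flows(scored)}


if __name__ == "__main__":
    scored = add_ratios(inbound_ssl_flows(parse_conn_log(SAMPLE_CONN_LOG)))
    for s in suspect_flows(scored):
        print(f"{s['uid']} {s['id.orig_h']} bytes {s['byte_ratio']:.3f} pkts {s['pkt_ratio']:.3f}")
    print("suspect sources:", sorted(suspect_sources(scored)))
```

Run as a script it flags the two flows built from the post's own byte counts (C1 and C2) and leaves the flows with roughly balanced traffic alone; the flow with 0 bytes received is dropped before any ratio is computed, matching the six sessions removed in the write-up. Requiring a flow to be an outlier on both ratios is a deliberately conservative choice; loosen it to either ratio, or move the `cutoff`, if your baseline traffic is less uniform than this toy sample. The script works on any conn.log that carries these fields, and the resulting source set is what you would hand to the PCAP and Snort step.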
From an analysis perspective, we were able to narrow our scope from 3 million records to 724 by asking a few simple questions of the data. From those 724 flows (264 unique IPs) we were able to confirm that 263 IP addresses were trying to take advantage of a recently disclosed vulnerability (via a Snort signature firing). All of this took only a few simple shell scripts, PCAP data and flow data.
While far from a silver bullet for detection, this kind of procedure can help point you in the right direction before you update the rest of your detection infrastructure.