Detecting SSL Heartbeats

To detect SSL heartbeats we create two linked Regex objects and assign a callback to the last one.

require "../src/ruaiengine"

def heartbeat_callback(flow)

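    # The payload is a Ruby Array of bytes
    p = flow.payload
    if (p.length > 9)
        # Heartbeat minimum header: byte 7 is the low byte of the heartbeat
        # payload length when the record starts at offset 0
        if (p[7] > 1)
            printf "SSL Heartbeat leak on %s\n", flow.ip_src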
        end
    end
end

Create a Lan stack and a PacketDispatcher and link them. Also allocate the number of flows to process.

s = StackLan.new
pd = PacketDispatcher.new
pd.stack = s

s.total_tcp_flows = 327680
s.total_udp_flows = 163840

Now write the two Regex objects according to the SSL heartbeat vulnerability.

# Heartbeat regex expression
# 18 -> Content Type: Heartbeat
#    0301, 0302 -> Version: TLS
#    xxxx -> Length
#    01 - Heartbeat
#    xx - heartbeat payload length

rbasic = Regex.new("SSL Basic regex","^\x16\x03")
rheart = Regex.new("SSL Heartbeat","^.*\x18\x03(\x01|\x02|\x03).*$")

Assign a callback to the regex

rheart.callback = method(:heartbeat_callback)

Link it to the previous Regex so that heartbeats are evaluated only on SSL traffic.

rbasic.next_regex = rheart

Add the new linked Regex to a new RegexManager

rm = RegexManager.new

rm.add_regex(rbasic)

Assign the RegexManager to the stack

s.tcp_regex_manager = rm

Enable the NIDS mode on the engine and run.

s.enable_nids_engine = true

pd.open("ens7")
begin
    pd.run()
rescue => e
    puts "Stop capturing packets"
    puts e.inspect
    puts e.backtrace
end

pd.close()
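
The callback above flags any heartbeat whose byte 7 is greater than 1. As an added example (not part of the aiengine project or the original page), the check below compares the heartbeat's claimed payload length with the enclosing record length, following RFC 6520. It assumes the byte Array starts on a TLS record boundary and that the heartbeat record is unencrypted; `scan_heartbeats`, the constants and the sample byte arrays are hypothetical names and constructed data.

```ruby
HEARTBEAT_CONTENT_TYPE = 0x18
MIN_PADDING = 16 # RFC 6520: at least 16 bytes of padding per heartbeat message

# Walks the TLS records in a byte Array (the shape flow.payload has on this page)
# and returns one Hash per heartbeat whose claimed payload cannot fit in its record.
def scan_heartbeats(bytes)
  findings = []
  off = 0
  while off + 5 <= bytes.length
    type, major, minor = bytes[off], bytes[off + 1], bytes[off + 2]
    rec_len = (bytes[off + 3] << 8) | bytes[off + 4]
    # Same versions as the page's regex (0301..0303); anything else means we lost sync.
    break unless major == 3 && minor.between?(1, 3)
    body = bytes[off + 5, rec_len] || []
    if type == HEARTBEAT_CONTENT_TYPE && body.length >= 3
      claimed = (body[1] << 8) | body[2]
      # type(1) + payload_length(2) + payload + padding must fit inside the record
      if claimed + 3 + MIN_PADDING > rec_len
        findings << { offset: off, hb_type: body[0], claimed: claimed, record_len: rec_len }
      end
    end
    off += 5 + rec_len
  end
  findings
end

# Constructed sample data, not captured traffic.
HANDSHAKE = [0x16, 0x03, 0x01, 0x00, 0x02, 0x00, 0x00]
BENIGN    = [0x18, 0x03, 0x02, 0x00, 0x17, 0x01, 0x00, 0x04] + "ping".bytes + [0] * 16
OVERSIZED = [0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00] # claims 16384 bytes in a 3-byte record

if __FILE__ == $PROGRAM_NAME
  scan_heartbeats(HANDSHAKE + BENIGN + OVERSIZED).each do |f|
    puts "Heartbeat at offset #{f[:offset]} claims #{f[:claimed]} bytes, record is #{f[:record_len]}"
  end
end
```

Inside `heartbeat_callback` the same function could be called as `scan_heartbeats(flow.payload)`, which avoids alerting on well-formed heartbeats.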