aiengine / SSLHeartbeatsRuby
Detecting SSL Heartbeats
To detect SSL heartbeats we create two linked Regex objects and assign a callback to the last one.

```ruby
require "../src/ruaiengine"

def heartbeat_callback(flow)
  # The payload is on a ruby Array
  p = flow.payload
  if (p.length > 9) # Heartbeat minimum header
    # Byte 7 is the low byte of the heartbeat payload_length field
    if (p[7] > 1)
      printf "SSL Heartbeat leak on %s\n", flow.ip_src
    end
  end
end
```
Create a StackLan and a PacketDispatcher and link them. Also allocate the number of flows to process.

```ruby
s = StackLan.new
pd = PacketDispatcher.new
pd.stack = s

s.total_tcp_flows = 327680
s.total_udp_flows = 163840
```
Now write the Regex objects that match the SSL heartbeat vulnerability.

```ruby
# Heartbeat regex expression
# 18 -> Content Type: Heartbeat
# 0301, 0302, 0303 -> Version: TLS 1.0, 1.1, 1.2
# xxxx -> Length
# 01 -> Heartbeat
# xx -> heartbeat payload length
rbasic = Regex.new("SSL Basic regex", "^\x16\x03")
rheart = Regex.new("SSL Heartbeat", "^.*\x18\x03(\x01|\x02|\x03).*$")
```
Assign a callback to the regex.

```ruby
rheart.callback = method(:heartbeat_callback)
```
Link it with the previous Regex so that the heartbeat pattern is evaluated only on SSL traffic.

```ruby
rbasic.next_regex = rheart
```
Add the new linked Regex to a new RegexManager.

```ruby
rm = RegexManager.new
rm.add_regex(rbasic)
```
Assign the RegexManager to the stack.

```ruby
s.tcp_regex_manager = rm
```
Enable the NIDS mode on the engine and run.

```ruby
s.enable_nids_engine = true
pd.open("ens7")
begin
  pd.run()
rescue => e
  print "Stop capturing packets"
  print e.inspect
  print e.backtrace
end
pd.close()
```
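The `p[7] > 1` test in `heartbeat_callback` only looks at one byte of the declared payload length. The following added example (not aiengine code) shows a stricter check a callback could use instead: it parses the TLS record header and the RFC 6520 heartbeat header and flags a record whose declared payload length cannot fit in the record with the mandatory 16 bytes of padding. It assumes `flow.payload` is an Array of byte values that starts at the TLS record header; the sample records are constructed, not captured.

```ruby
# Added example, not part of aiengine: stricter heartbeat length check.
TLS_HEARTBEAT = 0x18
HB_HEADER_LEN = 3    # type (1) + payload_length (2)
HB_MIN_PADDING = 16  # RFC 6520: padding_length >= 16

# payload: Array of byte values starting at the TLS record header
# (assumption about how the engine exposes flow.payload).
# Returns :not_heartbeat, :ok or :oversized_payload.
def classify_heartbeat(payload)
  return :not_heartbeat if payload.length < 5 + HB_HEADER_LEN
  return :not_heartbeat unless payload[0] == TLS_HEARTBEAT
  return :not_heartbeat unless payload[1] == 0x03 && (1..3).include?(payload[2])
  record_len = (payload[3] << 8) | payload[4]        # TLS record length
  hb_type = payload[5]                               # 1 request, 2 response
  return :not_heartbeat unless hb_type == 1 || hb_type == 2
  declared_len = (payload[6] << 8) | payload[7]      # heartbeat payload_length
  # RFC 6520: a message whose payload_length exceeds
  # record length - 3 - 16 must be discarded; here it is flagged instead.
  if declared_len > record_len - HB_HEADER_LEN - HB_MIN_PADDING
    :oversized_payload
  else
    :ok
  end
end

# Constructed sample records (not captured traffic).
# Well-formed request: 1-byte payload + 16 bytes padding -> record length 20.
BENIGN_HB = [0x18, 0x03, 0x02, 0x00, 0x14, 0x01, 0x00, 0x01, 0x41] + [0x00] * 16
# Malformed request: declared payload length 0x4000 inside a 3-byte record.
MALFORMED_HB = [0x18, 0x03, 0x02, 0x00, 0x03, 0x01, 0x40, 0x00]
# Not a heartbeat: a TLS handshake record header.
HANDSHAKE = [0x16, 0x03, 0x01, 0x00, 0x05, 0x01, 0x00, 0x00, 0x01, 0x00]

if __FILE__ == $0
  [BENIGN_HB, MALFORMED_HB, HANDSHAKE].each do |rec|
    hdr = rec.first(5).map { |b| "%02x" % b }.join(" ")
    puts "#{hdr} ... => #{classify_heartbeat(rec)}"
  end
end
```

In the page's callback this would replace the `p[7] > 1` test, with `:oversized_payload` triggering the alert and `flow.ip_src` still identifying the source.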