cancel
Showing results for 
Search instead for 
Did you mean: 
shakira
Level 10

Can a custom version of the Default Rule "SSL Heartbleed Unencrypted Attack" be made?

Jump to solution

Is it possible to make a custom rule like this with HIPs? I guess a better question is... how do you make network rules like this? Is it possible? Or is this just a kevlar rule watching for microsoft's software finding these happening and then reporting them?

Message was edited by: shakira on 5/16/14 3:30:05 PM CDT
0 Kudos
1 Solution

Accepted Solutions
McAfee Employee

Re: Can a custom version of the Default Rule "SSL Heartbleed Unencrypted Attack" be made?

Jump to solution

Correct.  Signature 6058 SSL Heartbleed Unencrypted Attack is a Network IPS signature and NIPS signatures cannot be created within Host IPS. 

You may need to use the Network Security product (Intrushield).  I'm not sure if you can create a signature like this in that product though, but it's my first guess.

0 Kudos
4 Replies
fuzziest
Level 9

Re: Can a custom version of the Default Rule "SSL Heartbleed Unencrypted Attack" be made?

Jump to solution

You have Splunk running? I think one of our Splunk admins has a Splunk filter to look for Heartbleed attacks.

0 Kudos
shakira
Level 10

Re: Can a custom version of the Default Rule "SSL Heartbleed Unencrypted Attack" be made?

Jump to solution

What I'm asking is how you and I would make our own Heartbleed signature if we had the right information. And not jsut heartbleed, but any network rule with hips. I don't see the otpion to make these kind of custom rules anywhere in the hips gui.

0 Kudos
greatscott
Level 12

Re: Can a custom version of the Default Rule "SSL Heartbleed Unencrypted Attack" be made?

Jump to solution

i was under the impression we couldnt make custom NIPS signatures.

0 Kudos
McAfee Employee

Re: Can a custom version of the Default Rule "SSL Heartbleed Unencrypted Attack" be made?

Jump to solution

Correct.  Signature 6058 SSL Heartbleed Unencrypted Attack is a Network IPS signature and NIPS signatures cannot be created within Host IPS. 

You may need to use the Network Security product (Intrushield).  I'm not sure if you can create a signature like this in that product though, but it's my first guess.

0 Kudos