Depending on how you have your policies set up (which rule sets they are using), the signature may or may not be automatically added to your policy. To ensure it is in your policy, just open the policy editor and check for the presence of the UDS signature. (Policy | Intrusion Prevention | IPS Policies)
You can then open the signature and set it to block or packet capture or whatever. Settings for what a signature does are policy specific, not signature specific.
In our case I enabled the packet capture option because we have SSL decryption, so I would be able to see what the attacker was able to get from heartbeat, if anything.
What can I see in the packet which triggers for "UD-SSL: OpenSSL TLS DTLS Heartbeat Extension Packets Information Disclosure"? The target servers are not vulnerable but the signature is matching for network traffic. When looking at the packet in Wireshark it looks like a normal SSL connection.
What could be the difference between a normal SSL connection vs. the OpenSSL heartbeat extension?
Is there any signature which can indicate exploitation of the heartbeat rather than just information disclosure? Trying to minimize the false positives.
Thanks in Advance
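As an added example (not from any poster in this thread and not McAfee's signature logic), a small Python classifier over raw TLS records: it separates ordinary handshake/application records from heartbeat records (content type 24, RFC 6520) and, for each heartbeat, checks whether the advertised payload_length plus the mandatory padding fits inside the record, which is the wire-level difference between a normal heartbeat and one an information-disclosure signature should fire on. The sample records are constructed inline, not taken from a capture.

```python
import struct

TLS_HEARTBEAT = 24        # RFC 6520 content type for heartbeat records
HB_MIN_PADDING = 16       # RFC 6520: every heartbeat carries at least 16 padding bytes


def classify_tls_record(record: bytes) -> dict:
    """Parse one plaintext TLS record and report whether it is a heartbeat and,
    if so, whether its advertised payload_length fits inside the record."""
    if len(record) < 5:
        raise ValueError("record shorter than the 5-byte TLS record header")
    ctype, major, minor, rlen = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + rlen]
    result = {"content_type": ctype, "version": (major, minor),
              "heartbeat": ctype == TLS_HEARTBEAT}
    if ctype != TLS_HEARTBEAT:
        return result            # handshake / alert / application data: not a heartbeat
    if len(body) < 3:
        result["verdict"] = "truncated heartbeat"
        return result
    hb_type, payload_len = struct.unpack("!BH", body[:3])
    # A well-formed heartbeat is type(1) + payload_length(2) + payload + >=16 bytes padding
    needed = 3 + payload_len + HB_MIN_PADDING
    result.update(hb_type=hb_type, payload_len=payload_len, record_len=rlen)
    if needed > rlen:
        result["verdict"] = "oversized payload_length (exceeds record length)"
    else:
        result["verdict"] = "well-formed heartbeat"
    return result


def scan_records(stream: bytes) -> list:
    """Split a byte stream into consecutive TLS records and classify each one."""
    verdicts, pos = [], 0
    while pos + 5 <= len(stream):
        rlen = struct.unpack("!H", stream[pos + 3:pos + 5])[0]
        verdicts.append(classify_tls_record(stream[pos:pos + 5 + rlen]))
        pos += 5 + rlen
    return verdicts


# Constructed sample records (hypothetical, not from the thread's capture):
# a TLS 1.2 handshake record with a 4-byte body, a benign heartbeat request with a
# 4-byte payload and 16 bytes of padding, and a heartbeat request that advertises
# 0x4000 payload bytes inside a 3-byte record.
HANDSHAKE = bytes.fromhex("16030300040100000" + "0")
BENIGN_HB = bytes.fromhex("1803030017") + b"\x01" + (4).to_bytes(2, "big") + b"ping" + b"\x00" * 16
OVERSIZED_HB = bytes.fromhex("1803030003") + b"\x01" + (0x4000).to_bytes(2, "big")

if __name__ == "__main__":
    for r in scan_records(HANDSHAKE + BENIGN_HB + OVERSIZED_HB):
        print(r)
```

Note that only the record header (and so the content type 24) is visible on the wire once the handshake finishes; the heartbeat body, and therefore payload_length, can only be checked on decrypted traffic such as the SSL-decrypted feed mentioned above.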
In MVM, Manage -> FASL Scripts, I reviewed the "OpenSSL TLS DTLS Heartbeat Extension Packets Information Disclosure" and in "View Script" I found some statements as follows:
FASL.vulnID = 16505;
FASL.attackType = ATTACK_NONINTRUSIVE;
FASL.os = OS_ANY;
FASL.protocol = PROTOCOL_TCP;
FASL.filters = [ 443, 465, 990, 993, 994, 995, 563, 636, 992, 3713, 5061, 6514, 10161, 10162 ];
Does "FASL.filters" mean this check will only check TCP ports in the group of "443, 465, 990, 993, 994, 995, 563, 636, 992, 3713, 5061, 6514, 10161, 10162"? Or will this check be based on the IPs specified in MVM, Settings -> Services -> TCP Scanning?