How to Create a Custom Report for Heartbleed (CVE-2014-0160) Attacks

Created On 09/26/18 13:52 PM - Last Modified 06/02/23 08:52 AM


Resolution


Steps

  1. Go to Monitor > Custom Reports and click New
  2. Enter a Name for the report and configure the following values:
    • Database: Threat Summary
    • Time Frame: Last 24 Hrs
  3. Select the columns to be displayed in the report, as needed.
  4. Under Query Builder, configure the following query:
    "(threatid eq 36416) or (threatid eq 36418) or (threatid eq 40039)"


Note: In this last snapshot, the Time Frame has been changed to Last Calendar Day because Scheduled was enabled.

 

The following is a description of the three threat ID numbers:

  • 36416: OpenSSL TLS Heartbeat Information Disclosure Vulnerability - Heartbleed
    This signature analyzes the request and response lengths to look for abnormalities. It requires the server to be vulnerable, due to the data that this signature analyzes and compares. It is effective against a single "probe", meaning it does not need bulk requests to trigger.
  • 40039: OpenSSL TLS Heartbeat Brute Force - Heartbleed
    This signature triggers on a high rate of heartbeat requests. It does NOT require the server to be vulnerable, because it only looks at the client side. However, it does require multiple heartbeat requests, indicative of a more "real world" attack, so a single "test probe" will not trigger the signature.
  • 36418: OpenSSL TLS Malformed Heartbeat Response Found - Heartbleed
    This signature triggers on a malformed server response. It requires the server to be vulnerable, due to the data that this signature analyzes and compares. It is effective against a single "probe", meaning it does not need bulk requests to trigger.
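
The following is an added example, not part of the original article or any vendor tooling: it triages rows from a report built with the query above, separating servers whose hits (36416, 36418) require a vulnerable server from those that only saw heartbeat request floods (40039). The CSV layout, the `client` and `server` column names, and the sample rows are constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Threat IDs from the report query, with whether a hit requires the
# server to be vulnerable (per the signature descriptions above).
HEARTBLEED_SIGS = {
    "36416": ("Heartbeat Information Disclosure", True),
    "36418": ("Malformed Heartbeat Response", True),
    "40039": ("Heartbeat Brute Force", False),
}

# Constructed sample rows; column names are assumptions and the
# addresses come from documentation ranges.
SAMPLE_CSV = """threatid,client,server,count
36416,198.51.100.7,192.0.2.10,1
40039,198.51.100.7,192.0.2.10,42
40039,203.0.113.9,192.0.2.20,17
36418,198.51.100.8,192.0.2.30,2
30003,198.51.100.9,192.0.2.40,5
"""

def triage(csv_text):
    """Group Heartbleed hits by server and record what each hit implies."""
    servers = defaultdict(
        lambda: {"vulnerable_evidence": False, "threatids": set(), "clients": set()}
    )
    for row in csv.DictReader(io.StringIO(csv_text)):
        threatid = row["threatid"].strip()
        sig = HEARTBLEED_SIGS.get(threatid)
        if sig is None:
            continue  # not one of the three IDs in the report query
        entry = servers[row["server"].strip()]
        entry["threatids"].add(threatid)
        entry["clients"].add(row["client"].strip())
        # 36416 and 36418 only trigger when the server is vulnerable.
        entry["vulnerable_evidence"] |= sig[1]
    return dict(servers)

def servers_with_vulnerability_evidence(servers):
    """Servers with at least one hit that requires a vulnerable server."""
    return sorted(ip for ip, e in servers.items() if e["vulnerable_evidence"])

if __name__ == "__main__":
    result = triage(SAMPLE_CSV)
    for ip in sorted(result):
        e = result[ip]
        note = "server is vulnerable" if e["vulnerable_evidence"] else "requests only"
        print(ip, sorted(e["threatids"]), sorted(e["clients"]), note)
```

A server that appears only under 40039 has been targeted but has not been shown to be vulnerable by these signatures; a server under 36416 or 36418 has.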

 

owner: jjosephs


