Do not rely on those iptables rules. They are fragile at best and trivially evaded. It is not safe to assume that the marker will appear at a specific position in the packet (this is a *bad* way to even attempt stateful inspection). I don't know a damn thing about Wireshark syntax, but it could easily be making the same mistake.
If someone desperately needs to determine if their implementation is vulnerable or not, while it's not authoritatively incriminating, the vast majority of implementations either have the heartbeat function enabled _and vulnerable_ or it's not enabled because (the library doesn't understand it|the maintainers turned it off). Using a *version of openssl that understands TLS heartbeat*--because the heartbeat extension won't show up otherwise--you can always do the following:

    openssl s_client -connect suckerhost:443 -tlsextdebug 2>&1 | grep ext

If you see the heartbeat extension show up in the list at all, it's probably safe to assume the host in question is vulnerable.

    myname@SHEOGORATH ~ $ openssl s_client -connect gmail.com:443 -tlsextdebug 2>&1 | grep ext
    TLS server extension "renegotiation info" (id=65281), len=1
    TLS server extension "EC point formats" (id=11), len=4
    TLS server extension "session ticket" (id=35), len=0

Not there.

On Wed, Apr 9, 2014 at 2:11 PM, Wesley Duffee-Braun <[email protected]> wrote:
> Hi all,
>
> Just to follow up on this - if you have any customers (or yourself!) who
> are running appliances that can't be easily patched, you can use the
> following to help secure your environment:
>
> IPTABLES rules to log and drop heartbleed requests:
> http://seclists.org/bugtraq/2014/Apr/44
> NMAP script to identify vulnerable hosts:
> https://svn.nmap.org/nmap/scripts/ssl-heartbleed.nse
>
> - Wesley
>
> On Tue, Apr 8, 2014 at 12:14 PM, John R. Dennison <[email protected]> wrote:
>
>> On Tue, Apr 08, 2014 at 11:57:49AM -0500, Blake Dunlap wrote:
>> > Part of it is they didn't actually fix the bug, they just disabled the
>> > vulnerable feature.
>>
>> The Red Hat update is a patch to remove the info disclosure, as far as I
>> know going by their changelog / RHSA and discussion with Red Hatters on
>> IRC.
>>
>> John
>> --
>> "GUIs let people who don't understand the technology think that they are
>> capable of managing it."
>> -- http://lamejournal.com/2013/11/06/why-wont-have-a-job-in-5-years/
>
> --
> http://www.wesleyduffeebraun.com
> <http://www.ashevillephotobooth.com>
>
> --
> You received this message because you are subscribed to the Google Groups "NLUG" group.
> To post to this group, send email to [email protected]
> To unsubscribe from this group, send email to [email protected]
> For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en
> ---
> You received this message because you are subscribed to the Google Groups "NLUG" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
> For more options, visit https://groups.google.com/d/optout.

--
Sent from an actual computer.
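The extension check described in the message above, written out as a small script (an added example, not code from the thread or from the NLUG list): it parses the `TLS server extension` lines that `openssl s_client -tlsextdebug` prints and reports whether the server advertised the heartbeat extension, which RFC 6520 assigns extension id 15. The function names, the `check_host` wrapper and the `SAMPLE` text are the example's own; the sample is constructed to mirror the gmail.com output quoted in the message, so running the script offline reports "not advertised".

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread.
# Parses the "TLS server extension" lines printed by
#   openssl s_client -connect host:port -tlsextdebug
# and reports whether the heartbeat extension (RFC 6520, id=15) was advertised.

# Reads -tlsextdebug output on stdin; prints "<id> <name>" for each server extension.
list_server_extensions() {
    sed -n 's/^TLS server extension "\([^"]*\)" (id=\([0-9]*\)).*/\2 \1/p'
}

# Exit status 0 if the server advertised heartbeat (id=15), 1 otherwise.
heartbeat_advertised() {
    list_server_extensions | grep -q '^15 '
}

# Wrapper around the command from the thread (hypothetical helper; host/port are parameters).
# Caveat from the message: the client-side OpenSSL must itself support the heartbeat
# extension, or the server never echoes it back and this check reports nothing either way.
# Seeing the extension means heartbeat is enabled on the server, not that it is unpatched;
# the verdict is an inventory hint, to be confirmed against the library's patch level.
check_host() {
    host=$1
    port=${2:-443}
    if openssl s_client -connect "$host:$port" -tlsextdebug </dev/null 2>&1 | heartbeat_advertised; then
        echo "$host:$port advertises TLS heartbeat; verify the OpenSSL patch level"
        return 0
    fi
    echo "$host:$port does not advertise TLS heartbeat (or the client lacks heartbeat support)"
    return 1
}

# Constructed sample, mirroring the gmail.com output quoted in the thread (no heartbeat line).
SAMPLE='TLS server extension "renegotiation info" (id=65281), len=1
TLS server extension "EC point formats" (id=11), len=4
TLS server extension "session ticket" (id=35), len=0'

# Offline demonstration on the constructed sample; no network access needed.
echo "extensions seen in sample:"
printf '%s\n' "$SAMPLE" | list_server_extensions
if printf '%s\n' "$SAMPLE" | heartbeat_advertised; then
    echo "sample: heartbeat advertised"
else
    echo "sample: heartbeat not advertised"
fi
```

To use it against a live host, call `check_host some.host 443` from a shell that has this file sourced; the parsing stays the same whether the input comes from a live `s_client` run or from a saved capture of its output.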
