On Thu, Apr 10, 2014 at 9:52 AM, <Valdis.Kletnieks@vt.edu> wrote:
On Wed, 09 Apr 2014 11:07:36 +0100, Fabien Bourdaire said:
# Log rules
iptables -t filter -A INPUT -p tcp --dport 443 -m u32 --u32 \
    "52=0x18030000:0x1803FFFF" -j LOG --log-prefix "BLOCKED: HEARTBEAT"
That 52= isn't going to work if it's an IPv4 packet with an unexpected number of IP or TCP options, or an IPv6 connection...
IPv6 wasn't mentioned here (that'd be ip6tables). But yeah, there might be some other shortcomings with the match. I think it's the right way to go - it just needs a bit of work (maybe a bm string match?). You're also going to deal with different versions (see ssl-heartbleed.nse for the breakdown). Though, I wonder if there are any other variations you might miss...
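To make the offset problem concrete, here is an added example that is not part of the thread: a small Python model of what the u32 match reads. It parses IPv4/TCP header lengths the way the u32 "0>>22&0x3C@12>>26&0x3C@" idiom does (that idiom is from the iptables u32 match documentation; the expression string below is assumed to be the header-aware equivalent of the rule above and is not something the thread proposes), and compares a fixed offset of 52 against a header-aware offset on constructed packets. The packet bytes, addresses and option values are all constructed for the example; checksums are left zero because the match never looks at them.

```python
import struct

# Value range from the rule in the thread: TLS record type 0x18 (heartbeat),
# any version 0x03xx (SSLv3 through TLS 1.2 and beyond).
HEARTBEAT_WORD_RANGE = (0x18030000, 0x1803FFFF)

# Header-aware u32 expression (assumed equivalent, built from the documented
# IHL / Data Offset idiom): skip the IPv4 header using IHL from word 0, skip the
# TCP header using Data Offset from TCP word 12, then compare the first 32 bits
# of the TCP payload. The fixed "52=" form silently assumes a 20-byte IPv4
# header plus a 32-byte TCP header (20 bytes + 12 bytes of timestamp options).
U32_HEADER_AWARE = "0>>22&0x3C@12>>26&0x3C@0=0x18030000:0x1803FFFF"


def tcp_payload_offset(pkt: bytes) -> int:
    """Offset of the TCP payload, honouring IHL and TCP Data Offset."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4            # IHL is in 32-bit words
    if ihl < 20 or pkt[9] != 6 or len(pkt) < ihl + 20:
        raise ValueError("not a parseable IPv4/TCP packet")
    doff = (pkt[ihl + 12] >> 4) * 4      # TCP Data Offset, also in words
    return ihl + doff


def heartbeat_word_at(pkt: bytes, off: int) -> bool:
    """True if the 32-bit word at `off` falls in the heartbeat range.
    Mirrors u32 semantics: a word that runs past the packet never matches."""
    if off < 0 or len(pkt) < off + 4:
        return False
    word = struct.unpack_from("!I", pkt, off)[0]
    lo, hi = HEARTBEAT_WORD_RANGE
    return lo <= word <= hi


def fixed_offset_match(pkt: bytes) -> bool:
    """What the thread's '52=...' rule evaluates."""
    return heartbeat_word_at(pkt, 52)


def header_aware_match(pkt: bytes) -> bool:
    """What the header-aware u32 expression evaluates."""
    try:
        return heartbeat_word_at(pkt, tcp_payload_offset(pkt))
    except ValueError:
        return False


def build_packet(ip_opts: bytes = b"", tcp_opts: bytes = b"", payload: bytes = b"") -> bytes:
    """Constructed IPv4+TCP packet (no valid checksums) for testing the match."""
    assert len(ip_opts) % 4 == 0 and len(tcp_opts) % 4 == 0
    ihl_words = 5 + len(ip_opts) // 4
    total_len = 20 + len(ip_opts) + 20 + len(tcp_opts) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl_words, 0, total_len, 0, 0x4000,
                     64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + ip_opts
    doff_words = 5 + len(tcp_opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 443, 1, 1, doff_words << 4, 0x18,
                      65535, 0, 0) + tcp_opts
    return ip + tcp + payload


# Constructed TLS records: a heartbeat record (type 0x18, TLS 1.0 version bytes,
# 8-byte body) and an application-data record (type 0x17) for the negative case.
HEARTBEAT_RECORD = b"\x18\x03\x01\x00\x08" + b"\x02\x00\x02AB\x00\x00\x00"
APPDATA_RECORD = b"\x17\x03\x01\x00\x05hello"

# NOP, NOP, Timestamp(TSval=1000, TSecr=2000): the 12-byte layout that makes 52 work.
TIMESTAMP_OPTS = b"\x01\x01\x08\x0a" + struct.pack("!II", 1000, 2000)
# Four bytes of IPv4 options (NOP, NOP, NOP, End of Option List).
IP_OPTS = b"\x01\x01\x01\x00"

PKT_TIMESTAMPS = build_packet(tcp_opts=TIMESTAMP_OPTS, payload=HEARTBEAT_RECORD)
PKT_NO_OPTIONS = build_packet(payload=HEARTBEAT_RECORD)
PKT_IP_OPTIONS = build_packet(ip_opts=IP_OPTS, tcp_opts=TIMESTAMP_OPTS, payload=HEARTBEAT_RECORD)
PKT_APPDATA = build_packet(tcp_opts=TIMESTAMP_OPTS, payload=APPDATA_RECORD)


if __name__ == "__main__":
    for name, pkt in [("timestamp opts", PKT_TIMESTAMPS), ("no options", PKT_NO_OPTIONS),
                      ("ip options", PKT_IP_OPTIONS), ("app data", PKT_APPDATA)]:
        print(f"{name:15s} payload@{tcp_payload_offset(pkt):2d}  "
              f"52= -> {fixed_offset_match(pkt)!s:5s}  header-aware -> {header_aware_match(pkt)}")
```

Running it shows the fixed offset only fires for the timestamp-option case; a connection negotiated without timestamps (payload at 40) or with IP options (payload at 56) slips past "52=" but is caught by the header-aware offset. Two limits remain that no u32 rule removes: the match inspects one segment at a time, so a heartbeat record that does not start at a segment boundary is not seen, and an IPv6 peer needs the same logic under ip6tables, where the header walk is different.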