SERVER-OTHER OpenSSL OCSP Status Request Extension denial of service attempt

This alert is triggered when an attempt to exploit CVE-2016-6304, a denial of service vulnerability in OpenSSL's handling of the OCSP Status Request extension, is identified. The indicator is a high volume of OCSP (Online Certificate Status Protocol) requests sent to an internal server over HTTP: the signature's detection_filter fires once a single source exceeds 100 OCSP requests within 10 seconds.

Categories:

ID Number

40360

Signature

alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"SERVER-OTHER OpenSSL OCSP Status Request Extension denial of service attempt"; flow:to_server,established,no_stream; content:"Content-Type: application/ocsp-request"; fast_pattern:only; detection_filter:track by_src, count 100, seconds 10; metadata:policy max-detect-ips drop, service http; reference:cve,2016-6304; reference:url,www.openssl.org/news/secadv/20160922.txt; classtype:attempted-dos; sid:40360; rev:4;)
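
The following is an added example, not part of the original rule page or Snort's code. It models the two checks the signature above performs, the content match on `Content-Type: application/ocsp-request` and the `detection_filter: track by_src, count 100, seconds 10` rate test, and runs them over constructed HTTP requests so the threshold behaviour can be seen. The window handling approximates Snort's detection_filter (first match from a source opens a window; the rule may fire only once the count in that window exceeds `count`; a match after the window expires opens a new one). Flow direction, `$HOME_NET` and `$HTTP_PORTS` are not modelled, and the IP address and host name are made up.

```python
"""Model of Snort SID 40360: OCSP-over-HTTP content match plus a
track-by-source rate threshold (count 100, seconds 10).
Added example; approximates Snort's detection_filter, not Snort's own code."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

COUNT = 100           # detection_filter count
SECONDS = 10.0        # detection_filter seconds
PATTERN = b"Content-Type: application/ocsp-request"


@dataclass
class Request:
    ts: float         # packet time, epoch seconds
    src: str          # client IP (the rule tracks by_src)
    payload: bytes    # raw HTTP request bytes


def content_matches(payload: bytes) -> bool:
    """The rule's only content test. No 'nocase' modifier, so case-sensitive."""
    return PATTERN in payload


class DetectionFilter:
    """Approximation of Snort detection_filter with track by_src.

    The first match from a source starts a window; matches inside it are
    counted and the rule fires only while the count exceeds COUNT.  A match
    arriving after the window has expired resets the count to 1.
    """

    def __init__(self, count: int = COUNT, seconds: float = SECONDS) -> None:
        self.count = count
        self.seconds = seconds
        self.state: Dict[str, Tuple[float, int]] = {}   # src -> (window start, n)

    def check(self, src: str, ts: float) -> bool:
        start, n = self.state.get(src, (ts, 0))
        if ts - start > self.seconds:        # window expired: start a new one
            start, n = ts, 0
        n += 1
        self.state[src] = (start, n)
        return n > self.count                # fire on the 101st match in window


def run_rule(requests: List[Request]) -> List[Tuple[int, str, float]]:
    """Return (index, src, ts) for every request that would raise the alert."""
    df = DetectionFilter()
    alerts = []
    for i, r in enumerate(requests):
        if not content_matches(r.payload):
            continue
        if df.check(r.src, r.ts):
            alerts.append((i, r.src, r.ts))
    return alerts


def make_ocsp_request(ts: float, src: str, ctype: bytes = b"application/ocsp-request") -> Request:
    """Constructed sample request; host and body are placeholders."""
    body = b"\x30\x03\x02\x01\x00"           # not a real OCSP request, just bytes
    payload = (b"POST /ocsp HTTP/1.1\r\n"
               b"Host: ocsp.internal.example\r\n"
               b"Content-Type: " + ctype + b"\r\n"
               b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    return Request(ts, src, payload)


def scenario(n: int, spacing: float, src: str = "203.0.113.7",
             ctype: bytes = b"application/ocsp-request") -> List[Request]:
    """n requests from one source, `spacing` seconds apart, starting at t=1000."""
    return [make_ocsp_request(1000.0 + i * spacing, src, ctype) for i in range(n)]


if __name__ == "__main__":
    flood = run_rule(scenario(150, 0.05))     # 150 requests in 7.45 s
    print("flood alerts:", len(flood), "first at request index", flood[0][0])
    print("slow client alerts:", len(run_rule(scenario(150, 1.0))))
    print("non-OCSP alerts:", len(run_rule(scenario(150, 0.05, ctype=b"text/html"))))
```

Running it shows why the threshold matters for triage: 150 OCSP requests in under 10 seconds produce an alert on the 101st and every later request, while the same 150 requests spread one second apart never exceed 100 in a window and stay silent, as do non-OCSP posts regardless of rate.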

Severity

High

Recommendations/Investigative actions

Identify the source of the OCSP requests and determine whether it is authorized or potentially malicious. The signature is rate based: it fires once a single source exceeds 100 OCSP requests in 10 seconds, so a busy but legitimate client or proxy in front of an internal OCSP responder can trigger it. Confirm the volume is anomalous for that host before blocking. Block excessive OCSP traffic from unauthorized sources. Note that CVE-2016-6304 itself is reached through the TLS OCSP Status Request (status_request) extension sent repeatedly during renegotiation, so also check whether the targeted server runs an affected OpenSSL version and has OCSP stapling enabled. Follow the vendor advisory to mitigate the vulnerability by updating the OpenSSL version, see: https://openssl-library.org/news/secadv/20160922.txt