Automating Heartbleed Bug Check From Cisco ASA Capture Data

In a previous post I outlined how to capture specific port traffic, in this case HTTPS, on the Cisco ASA. This post is dedicated to parsing the data from the ASCII capture and running the Heartbleed check on it. The file looks similar to the following; here are the first few lines:

   1: 10:02:33.299819 192.168.1.35.52528 > 74.125.228.5.443: P 4164465901:41644
66282(381) ack 768563964 win 64860
   2: 10:02:33.326780 192.168.1.35.52528 > 74.125.228.5.443: P 4164466282:41644
66944(662) ack 768564010 win 64814
   3: 10:02:33.444724 192.168.1.35.52528 > 74.125.228.5.443: . ack 768566594 wi
n 64860

The easiest way for me to parse this is by using awk to give me the fifth column of data. cut wasn’t working for me (for some reason). Parse capture file and give unique results and tidy the IP addresses up (stripping port number from end):

root@xyzzy:~# cat heartbleed.cap  | awk '{print $5}'|sort -rn | uniq | sed -e 's/.443.*//g'

Now I’m left with 4 unique IP addresses out of the 7400+ packets captured.

199.59.150.7
93.184.216.146
74.125.228.5
192.168.1.1

Now, I can run these IPs through the Heartbleed test provided by Filippo

root@xyzzy:~# /opt/go/bin/bin/Heartbleed 199.59.150.7:443
2014/04/16 10:15:01 199.59.150.7:443 - SAFE

To automate this, I can simply wrap this in a loop in a bash script:

#!/bin/bash
while read s; do
        /opt/go/bin/bin/Heartbleed $s:443
done < heartbleed.cap

#Cisco