Using HP ArcSight to track and monitor Heartbleed vulnerability

I sat down with my technical engineer, Johnny Khoury, last week and asked him a bunch of questions regarding the Heartbleed bug. I thought you may have similar questions in your organization. Some of the questions were:


  • What is Heartbleed?
  • How and why is it dangerous?
  • How do we know we are hacked through that vulnerability?
  • Can we validate that we are not hacked?
  • How can we prove that we are monitoring?
  • How can HP ArcSight monitor and track this?
  • Are HP ArcSight customers safe?

His answers were straight to the point, and I blogged about some of my interpretation of this discussion earlier. After he showed me how easy it is to find out whether this is a threat with only a few searches, I was convinced that this is a simple and trackable problem. Comprehensive log management, and forensic investigation through simple queries using HP ArcSight, can instill confidence in your IT environment. This is a summary of what he said and showed...


Heartbleed is a serious vulnerability in the popular OpenSSL cryptographic software library, and it affects many web servers and applications. It is difficult to patch all web servers immediately, so it is important to at least track and monitor the type of traffic being generated in your organization. Using the new super-indexed fields in HP ArcSight Logger 5.5, users can run ultra-fast searches on these fields and analyze security events in real time.


Let's look at a simple use case: "Who is talking to my web server on port 443?"


Use Logger to determine which servers are running the 'HTTPS' protocol and to understand the traffic generated over a specific time window, say the three weeks since the bug was disclosed. This search should give you an analysis of the traffic generated. Search with an English-like query, such as 'destination port 443 users'.


Since 443 is the most commonly used port for the 'HTTPS' protocol, run a query against port 443 using the following condition:


  • Top traffic being generated on port 443

In this example, I want to get the top 10 groupings of source/destination address, device vendor, event name and outcome:


destinationPort=443 |where src IS NOT NULL | top 10 name deviceVendor sourceAddress destinationAddress categoryOutcome


If I want more details, I can drill down to the details of the events:


[Screenshot: heartbleed 1.jpg]


  • Drill down to the real events: drill down further to the actual security events and logs


[Screenshot: heartbleed 2.jpg]



  • Analyze rare events associated with the traffic on port 443. This lists the search results in tabular form, showing the least common values for the specified fields. Simply replace the word 'top' with 'rare':


destinationPort=443 |where src IS NOT NULL | rare name deviceVendor sourceAddress destinationAddress categoryOutcome


[Screenshot: heartbleed 3.jpg]



  • Analyze the least common occurrences of events using 'tail':


destinationPort=443 |where src IS NOT NULL |chart count by name deviceVendor sourceAddress destinationAddress categoryOutcome | tail 5


[Screenshot: heartbleed 4.jpg]


As you can see, you can use simple queries to run forensics and show either that you are safe from Heartbleed or that you have been compromised through that vulnerability.
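To make the three Logger searches above concrete, here is an added Python example (not ArcSight code and not from the original post) that reimplements the same pipeline, filtering on destinationPort=443, dropping events with no source address, then grouping by the same five fields and applying 'top', 'rare' and 'chart count ... | tail', over a small set of constructed events. The field names follow the post's queries; the event values, vendors and addresses are made up for illustration.

```python
from collections import Counter

# Constructed sample events (not real ArcSight data). Each dict carries the
# Logger fields used in the post's queries. Counts are chosen so that 'top',
# 'rare' and 'tail' give clearly different rows.
EVENTS = (
    [{"destinationPort": 443, "sourceAddress": "10.0.0.5", "destinationAddress": "192.0.2.10",
      "name": "TLS handshake", "deviceVendor": "Apache", "categoryOutcome": "/Success"}] * 3
    + [{"destinationPort": 443, "sourceAddress": "10.0.0.7", "destinationAddress": "192.0.2.10",
        "name": "TLS handshake", "deviceVendor": "Apache", "categoryOutcome": "/Success"}] * 2
    + [{"destinationPort": 443, "sourceAddress": "198.51.100.9", "destinationAddress": "192.0.2.10",
        "name": "Malformed TLS heartbeat", "deviceVendor": "Snort", "categoryOutcome": "/Failure"}]
    # Excluded by the pipeline: one event with no source, one on port 80.
    + [{"destinationPort": 443, "sourceAddress": None, "destinationAddress": "192.0.2.10",
        "name": "TLS handshake", "deviceVendor": "Apache", "categoryOutcome": "/Success"},
       {"destinationPort": 80, "sourceAddress": "10.0.0.5", "destinationAddress": "192.0.2.10",
        "name": "HTTP GET", "deviceVendor": "Apache", "categoryOutcome": "/Success"}]
)

# Grouping fields, in the order the post's queries list them.
FIELDS = ("name", "deviceVendor", "sourceAddress", "destinationAddress", "categoryOutcome")


def search(events, port=443):
    """destinationPort=<port> | where src IS NOT NULL"""
    return [e for e in events if e.get("destinationPort") == port and e.get("sourceAddress")]


def chart_count(events, fields=FIELDS):
    """chart count by <fields>: count of events per distinct field tuple."""
    return Counter(tuple(e.get(f) for f in fields) for e in events)


def top(events, n=10, fields=FIELDS):
    """top N <fields>: most common groupings, highest count first."""
    return chart_count(events, fields).most_common(n)


def rare(events, n=10, fields=FIELDS):
    """rare <fields>: least common groupings, lowest count first."""
    return sorted(chart_count(events, fields).items(), key=lambda kv: kv[1])[:n]


def tail(events, n=5, fields=FIELDS):
    """chart count by <fields> | tail N: last N rows of the count-ordered chart."""
    return chart_count(events, fields).most_common()[-n:]


if __name__ == "__main__":
    hits = search(EVENTS)
    for label, rows in (("top", top(hits)), ("rare", rare(hits)), ("tail", tail(hits))):
        print(label, *rows, sep="\n  ")
```

The single Snort row surfaces only in the 'rare' and 'tail' views, which is the point of the post's second and third queries: low-volume events are the ones a 'top' view hides.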
