Is there a way to check some internal services against CVE-2014-0160 (preferably using the openssl CLI)?

I CANNOT test everything just by using: Test your server for Heartbleed (CVE-2014-0160).

    The FAQ on his site (http://filippo.io/Heartbleed/faq.html) mentions that he published a CLI version of it on github. – faker Apr 09 '14 at 17:35

4 Answers


You could try:

openssl s_client -connect domain.com:443 -tlsextdebug 2>&1 | grep 'server extension "heartbeat" (id=15)' || echo safe

From https://devcentral.f5.com/questions/openssl-and-heart-bleed-vuln

    I'm not so sure about that. It certainly tells you if TLS heartbeat is enabled, and says "safe" if it's not - but just because TLS heartbeat is enabled, that doesn't make a server vulnerable. So this is a good technique for rapidly crossing off all the easy cases from your list of servers-you-might-have-to-patch, but it gives a lot of false positives. – MadHatter Apr 10 '14 at 07:19
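
An added example, not from the answer above or the F5 DevCentral thread it cites: a Python wrapper around the same `openssl s_client -tlsextdebug` check. It keeps the distinction MadHatter draws (heartbeat enabled is not the same as vulnerable) and also separates "handshake done, no heartbeat extension" from "no handshake at all", two cases the `|| echo safe` pipeline reports identically, since grep finds nothing in either. It assumes an `openssl` binary on PATH that itself offers the heartbeat extension (OpenSSL 1.0.1 and 1.0.2 do; later releases dropped TLS heartbeat support, and with such a client every host comes back looking safe). The `host:port` argument convention and the sample s_client output fragments are mine, constructed for the example, not the tool's.

```python
"""Triage hosts for CVE-2014-0160 with the openssl CLI (added example).

Wraps `openssl s_client -connect host:port -tlsextdebug`, the same check as
the one-liner above, but reports three outcomes instead of a bare "safe":

  NOT_VULNERABLE  handshake completed and the server did not echo the
                  heartbeat extension, so the vulnerable code is unreachable
  NEEDS_PROBE     server echoed extension id 15: heartbeat is enabled, which
                  is necessary but not sufficient; run a real heartbeat probe
  UNKNOWN         no handshake (port closed, timeout, protocol mismatch), so
                  nothing was learned; the one-liner prints "safe" here too

Assumption: the local openssl offers the heartbeat extension in its
ClientHello (OpenSSL 1.0.1/1.0.2); otherwise the server never echoes it.
"""
import re
import subprocess
import sys

NOT_VULNERABLE = "NOT_VULNERABLE"
NEEDS_PROBE = "NEEDS_PROBE"
UNKNOWN = "UNKNOWN"

# -tlsextdebug prints one line per extension echoed in the ServerHello;
# id 15 is the RFC 6520 heartbeat extension.  Same substring the grep
# in the one-liner matches.
HEARTBEAT_LINE = 'server extension "heartbeat" (id=15)'
# s_client's connection summary reads "New, TLSv1/SSLv3, Cipher is AES256-SHA"
# on success and "New, (NONE), Cipher is (NONE)" when nothing was negotiated.
CIPHER_RE = re.compile(r"Cipher is (\S+)")


def classify_tlsextdebug(output: str) -> str:
    """Classify the combined stdout/stderr of one s_client -tlsextdebug run."""
    if HEARTBEAT_LINE in output:
        return NEEDS_PROBE
    match = CIPHER_RE.search(output)
    if match and match.group(1) != "(NONE)":
        return NOT_VULNERABLE
    return UNKNOWN


def check_host(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Run s_client against one host:port and classify what it printed."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-tlsextdebug"]
    try:
        # Empty stdin makes s_client close the connection right after the
        # handshake instead of waiting for data to send.  stderr is merged
        # into stdout, like the 2>&1 in the one-liner.
        proc = subprocess.run(cmd, input=b"", stdout=subprocess.PIPE,
                              stderr=subprocess.STDOUT, timeout=timeout)
    except subprocess.TimeoutExpired:
        return UNKNOWN
    return classify_tlsextdebug(proc.stdout.decode("utf-8", "replace"))


# Constructed fragments of s_client -tlsextdebug output (not real captures),
# trimmed to the lines the classifier looks at.
SAMPLE_OUTPUTS = {
    "heartbeat-advertised": (
        'TLS server extension "renegotiation info" (id=65281), len=1\n'
        'TLS server extension "heartbeat" (id=15), len=1\n'
        'New, TLSv1/SSLv3, Cipher is AES256-SHA\n'
    ),
    "heartbeat-absent": (
        'TLS server extension "renegotiation info" (id=65281), len=1\n'
        'New, TLSv1/SSLv3, Cipher is AES256-SHA\n'
    ),
    "handshake-failed": "New, (NONE), Cipher is (NONE)\n",
    "port-closed": "connect: Connection refused\nconnect:errno=111\n",
}


def classify_samples() -> dict:
    """Classify every constructed sample; used for the offline self-check."""
    return {name: classify_tlsextdebug(out) for name, out in SAMPLE_OUTPUTS.items()}


def main(argv):
    # Usage: python heartbeat_triage.py host1 host2:8443 ...
    for target in argv[1:]:
        host, _, port = target.partition(":")
        print(f"{target}\t{check_host(host, int(port) if port else 443)}")


if __name__ == "__main__":
    main(sys.argv)
```

Feed NEEDS_PROBE hosts to a real probe such as ssltest.py; NOT_VULNERABLE hosts can be crossed off the list straight away, and UNKNOWN hosts need a second look (wrong port, STARTTLS-only service, or a client/server protocol mismatch) rather than being marked safe.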

You can use this script for example: http://rehmann.co/projects/heartbeat/ssltest.py


Here are several local Heartbleed vulnerability detectors/checkers:

titanous on github appears to still be under active development, and titanous also released Go programming code for Heartbleed detection, had better messages than Filippo as of this morning, and was last updated 32 minutes ago. It appears to be under the Go license, though I didn't do a full comparison; similar to a BSD 3 clause license.

musalbas on github released the Python program "ssltest.py", a variant of the code @MichelZ's answer links to that's modified to do large lists at a time, no license listed. Musalbas also released lists of the results of scanning the top 100, 1000, 10000, and 1 million Internet sites as of about 5 hours ago.

Filippo.io was one of the first Web sites, and they released their code on github with an MIT license (Go programming language).

Codenomicon Defensics appears to detect Heartbleed as well.

Lekensteyn of course released the pacemaker python client checker, modified a few hours ago, as well as the original Stafford version of ssltest.py. No specific license is listed.

Metasploit is also gaining Heartbleed tests very rapidly, including both the server check linked here and a client check from @HDMoore and @Lekensteyn.

Additionally, you may want to get some automatic attack detection and interruption by installing new Snort rules from indicators of realtime compromise, as the attack can go both ways (your client can be attacked, too, if it's vulnerable). This doesn't tell you if someone else has attacked the website in the past, but it might tell you if someone's attacking you right now.

  • alert tcp any [!80,!445] -> any [!80,!445] (msg:"FOX-SRT - Suspicious - SSLv3 Large Heartbeat Response"; flow:established,to_client; content:"|18 03 00|"; depth: 3; byte_test:2, >, 200, 3, big; byte_test:2, <, 16385, 3, big; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 1000000; rev:4;)

  • alert tcp any [!80,!445] -> any [!80,!445] (msg:"FOX-SRT - Suspicious - TLSv1 Large Heartbeat Response"; flow:established,to_client; content:"|18 03 01|"; depth: 3; byte_test:2, >, 200, 3, big; byte_test:2, <, 16385, 3, big; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 1000001; rev:4;)

  • alert tcp any [!80,!445] -> any [!80,!445] (msg:"FOX-SRT - Suspicious - TLSv1.1 Large Heartbeat Response"; flow:established,to_client; content:"|18 03 02|"; depth: 3; byte_test:2, >, 200, 3, big; byte_test:2, <, 16385, 3, big; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 1000002; rev:4;)

  • alert tcp any [!80,!445] -> any [!80,!445] (msg:"FOX-SRT - Suspicious - TLSv1.2 Large Heartbeat Response"; flow:established,to_client; content:"|18 03 03|"; depth: 3; byte_test:2, >, 200, 3, big; byte_test:2, <, 16385, 3, big; threshold:type limit, track by_src, count 1, seconds 600; reference:cve,2014-0160; classtype:bad-unknown; sid: 1000003; rev:4;)

Please also thank snort.org for releasing a set of Heartbleed detection rules that would normally have been only in their VRT (paid subscription) rule list for the first 30 days before going to the community:

  • alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL SSLv3 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 00|"; depth:3; dsize:>40; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30510; rev:2;)

  • alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL TLSv1 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 01|"; depth:3; dsize:>40; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30511; rev:2;)

  • alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL TLSv1.1 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 02|"; depth:3; dsize:>40; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30512; rev:2;)

  • alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"SERVER-OTHER OpenSSL TLSv1.2 heartbeat read overrun attempt"; flow:to_server,established; content:"|18 03 03|"; depth:3; dsize:>40; detection_filter:track by_src, count 3, seconds 1; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30513; rev:2;)

  • alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"SERVER-OTHER SSLv3 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 00|"; depth:3; byte_test:2,>,128,0,relative; detection_filter:track by_dst, count 5, seconds 60; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30514; rev:3;)

  • alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"SERVER-OTHER TLSv1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 01|"; depth:3; byte_test:2,>,128,0,relative; detection_filter:track by_dst, count 5, seconds 60; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30515; rev:3;)

  • alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"SERVER-OTHER TLSv1.1 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 02|"; depth:3; byte_test:2,>,128,0,relative; detection_filter:track by_dst, count 5, seconds 60; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30516; rev:3;)

  • alert tcp $HOME_NET 443 -> $EXTERNAL_NET any (msg:"SERVER-OTHER TLSv1.2 large heartbeat response - possible ssl heartbleed attempt"; flow:to_client,established; content:"|18 03 03|"; depth:3; byte_test:2,>,128,0,relative; detection_filter:track by_dst, count 5, seconds 60; metadata:policy balanced-ips drop, policy security-ips drop, service ssl; reference:cve,2014-0160; classtype:attempted-recon; sid:30517; rev:3;)
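
An added example, not part of the answer above and not code from Fox-IT or the Snort VRT: the matching logic of the two rule sets, re-implemented in Python and replayed over constructed heartbeat records, so that the offsets (the `byte_test` at offset 3, or at offset 0 relative to the 3-byte content match, reads the TLS record length field), the size thresholds, and the `threshold` versus `detection_filter` rate logic can be read and exercised offline. The packets, addresses and timestamps are constructed from the TLS record and RFC 6520 heartbeat layouts for the replay; they are not captured traffic.

```python
"""Heartbleed detection logic of the Fox-IT and Snort VRT rules (added example).

Not Snort and not the original rules; a plain-Python reading of them:

  FOX-SRT large heartbeat response  to_client, record length > 200 and < 16385,
                                    threshold limit: 1 alert per src per 600 s
  VRT 30510-30513 read overrun      to_server, heartbeat record, TCP payload
                                    (dsize) > 40, detection_filter 3 per src / 1 s
  VRT 30514-30517 large response    to_client, record length > 128,
                                    detection_filter 5 per dst / 60 s
"""
from collections import defaultdict, deque

HEARTBEAT = 0x18  # TLS content type of heartbeat records
TLS_VERSIONS = {0x0300: "SSLv3", 0x0301: "TLSv1", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def heartbeat_record_length(payload: bytes):
    """Length field of a heartbeat record at offset 0 of a TCP payload, else None.

    `content:"|18 03 0x|"; depth:3` pins the record to the start of the payload;
    the byte_test then reads the 2-byte big-endian length at offset 3.
    """
    if len(payload) < 5 or payload[0] != HEARTBEAT:
        return None
    if int.from_bytes(payload[1:3], "big") not in TLS_VERSIONS:
        return None
    return int.from_bytes(payload[3:5], "big")


def fox_large_heartbeat_response(payload: bytes) -> bool:
    length = heartbeat_record_length(payload)
    return length is not None and 200 < length < 16385


def vrt_heartbeat_request(payload: bytes) -> bool:
    # dsize:>40 is the size of the whole TCP payload, not the record length field.
    return heartbeat_record_length(payload) is not None and len(payload) > 40


def vrt_large_heartbeat_response(payload: bytes) -> bool:
    length = heartbeat_record_length(payload)
    return length is not None and length > 128


class LimitFilter:
    """`threshold:type limit, count 1, seconds N`: one alert per key per window."""

    def __init__(self, seconds):
        self.seconds, self._last = seconds, {}

    def hit(self, key, ts) -> bool:
        last = self._last.get(key)
        if last is not None and ts - last < self.seconds:
            return False
        self._last[key] = ts
        return True


class RateFilter:
    """`detection_filter: count C, seconds N`: alert once C matches from one key fall within N s."""

    def __init__(self, count, seconds):
        self.count, self.seconds = count, seconds
        self._hits = defaultdict(deque)

    def hit(self, key, ts) -> bool:
        q = self._hits[key]
        q.append(ts)
        while ts - q[0] > self.seconds:
            q.popleft()
        return len(q) >= self.count


class HeartbleedDetector:
    def __init__(self):
        self.fox = LimitFilter(seconds=600)              # track by_src
        self.vrt_req = RateFilter(count=3, seconds=1)    # track by_src
        self.vrt_resp = RateFilter(count=5, seconds=60)  # track by_dst

    def inspect(self, ts, src, dst, to_server, payload):
        """Return the alert names one packet raises, after the rate filters."""
        alerts = []
        if to_server:
            if vrt_heartbeat_request(payload) and self.vrt_req.hit(src, ts):
                alerts.append("VRT heartbeat read overrun attempt")
        else:
            if fox_large_heartbeat_response(payload) and self.fox.hit(src, ts):
                alerts.append("FOX-SRT Large Heartbeat Response")
            if vrt_large_heartbeat_response(payload) and self.vrt_resp.hit(dst, ts):
                alerts.append("VRT large heartbeat response")
        return alerts


def heartbeat_record(version: int, hb_type: int, payload: bytes, padding: int = 16) -> bytes:
    """Well-formed heartbeat record: TLS header + (type, payload_length, payload, padding)."""
    body = bytes([hb_type]) + len(payload).to_bytes(2, "big") + payload + b"\x00" * padding
    return bytes([HEARTBEAT]) + version.to_bytes(2, "big") + len(body).to_bytes(2, "big") + body


# Constructed samples (not captures).
BENIGN_REQUEST = heartbeat_record(0x0302, 1, b"\xde\xad")   # 26 bytes on the wire
BENIGN_RESPONSE = heartbeat_record(0x0302, 2, b"\xde\xad")  # record length 21
# The 8-byte malformed probe ssltest.py sends: payload_length claims 0x4000, nothing follows.
PROBE_REQUEST = bytes.fromhex("18 03 02 00 03 01 40 00")
# First of the two records a vulnerable server emits for its 16403-byte reply
# (1 + 2 + 16384 + 16 bytes), which OpenSSL splits at the 16384-byte record limit.
LEAK_RESPONSE_FIRST_RECORD = bytes.fromhex("18 03 02 40 00") + b"\x02\x40\x00" + b"\x00" * (16384 - 3)


def run_sample():
    """Replay a constructed session through the detector; returns [(ts, alert), ...]."""
    det = HeartbleedDetector()
    attacker, server = "10.0.0.5", "10.0.0.10"
    events = [(0, attacker, server, True, BENIGN_REQUEST), (0, server, attacker, False, BENIGN_RESPONSE)]
    for ts in range(10, 15):  # five probe/leak cycles, one per second
        events.append((ts, attacker, server, True, PROBE_REQUEST))
        events.append((ts, server, attacker, False, LEAK_RESPONSE_FIRST_RECORD))
    return [(ts, a) for ts, src, dst, to_server, pl in events for a in det.inspect(ts, src, dst, to_server, pl)]
```

Two things the replay makes visible: the 8-byte probe that ssltest.py sends never satisfies `dsize:>40`, so the request-side VRT rules only fire on probes that carry a bigger packet, and in practice the leaked response is what triggers alerts; and the VRT response rule waits for five large responses to one destination within a minute, while the Fox-IT rule alerts on the first one and then stays quiet for that source for ten minutes.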


Servers can be tested with the ssltest.py tool. Clients can be tested with the pacemaker tool. Both can be found in https://github.com/Lekensteyn/pacemaker.


Run the test client, it will show whether the server is vulnerable or not:

python2 ssltest.py example.com


Start the server (defaults to port 4433):


Now make the client connect to https://address.of.machine:4433/ and look in the server output. MySQL is also supported. As of this writing, I have not yet added STARTTLS support.

Be sure to add --help for either tool for more options.
