Dear Trisul Users,

I received a couple of emails saying our latest build is no longer detecting the Heartbleed attack in PCAPs such as github.com/robertdavidgraham/papers/blob...rtbleed-evasion.pcap

The reason is in the interest of performance we made TLS Records Extraction to LUA scripts optional


Set the following to True in /usr/local/etc/trisul/trisulConfig.xml to make it work again.



Why we did this?

The LUA flow monitor scripts get access to all TLS records ( a TLS record is constructed by reassembling TCP fragments). This is how we detect the Heartbeat packet. With SSLRecordExtraction off , we only reassemble TLS records up until the first change_cipher_spec record because we are primarily interested in the certificates and cipher negotiation in the handshakes. Then we quit the flow. The cost is lower memory usage. Change this to True as shown above and things will be back to normal.