topic Custom Signature to Detect Weak Cipher Negotiation in Phase 1 ISAKMP Negotiation in Custom Signatures https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-to-detect-weak-cipher-negotiation-in-phase-1/m-p/209663#M238 <P>Good Afternoon,<BR /><BR />&nbsp; &nbsp; Is it possible to create a custom threat signature or APP-ID to match various strings of data inside of the ISAKMP initial payload during the IPSec phase 1 negotiation. The first packets are sent in plaintext during the negotiation. This would be done in order to determine if a weak cipher is being used during tunnel initiation.&nbsp;<BR /><BR />Example:<BR /><BR /><SPAN>ISAKMP Packet:</SPAN><BR /><BR /><SPAN>Payload: Proposal -&gt; Payload: Transform -&gt;&nbsp;</SPAN><BR /><BR /><SPAN>IKE Attribute -&gt; :Hash-Algorithm: SHA&nbsp;</SPAN><BR /><SPAN>IKE Attribute -&gt; :Group-Description&nbsp;</SPAN><BR /><BR /><SPAN>Pattern Match on Hash-Algorith and Group-Description specification.</SPAN><BR /><BR /><SPAN>.*(Group-Description:).*((group 1)|.*(1024-bit))</SPAN><BR /><SPAN>.*(Hash-Algorithm:).*((SHA)|.*(3DES))</SPAN><BR /><BR /><SPAN>The first expression looks for 'Group-Description:' followed by the word 'group 1' or '1024-bit' for example. The second expression looks for 'Hash-Algorithm:' followed by the word 'SHA' or '3DES'.</SPAN><BR /><BR />Screenshot example attached. Any guidance would be appreciated, Thanks!</P> Wed, 11 Apr 2018 21:37:16 GMT ktague 2018-04-11T21:37:16Z Custom Signature to Detect Weak Cipher Negotiation in Phase 1 ISAKMP Negotiation https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-to-detect-weak-cipher-negotiation-in-phase-1/m-p/209663#M238 <P>Good Afternoon,<BR /><BR />&nbsp; &nbsp; Is it possible to create a custom threat signature or APP-ID to match various strings of data inside of the ISAKMP initial payload during the IPSec phase 1 negotiation. The first packets are sent in plaintext during the negotiation. This would be done in order to determine if a weak cipher is being used during tunnel initiation.&nbsp;<BR /><BR />Example:<BR /><BR /><SPAN>ISAKMP Packet:</SPAN><BR /><BR /><SPAN>Payload: Proposal -&gt; Payload: Transform -&gt;&nbsp;</SPAN><BR /><BR /><SPAN>IKE Attribute -&gt; :Hash-Algorithm: SHA&nbsp;</SPAN><BR /><SPAN>IKE Attribute -&gt; :Group-Description&nbsp;</SPAN><BR /><BR /><SPAN>Pattern Match on Hash-Algorith and Group-Description specification.</SPAN><BR /><BR /><SPAN>.*(Group-Description:).*((group 1)|.*(1024-bit))</SPAN><BR /><SPAN>.*(Hash-Algorithm:).*((SHA)|.*(3DES))</SPAN><BR /><BR /><SPAN>The first expression looks for 'Group-Description:' followed by the word 'group 1' or '1024-bit' for example. The second expression looks for 'Hash-Algorithm:' followed by the word 'SHA' or '3DES'.</SPAN><BR /><BR />Screenshot example attached. Any guidance would be appreciated, Thanks!</P> Wed, 11 Apr 2018 21:37:16 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-to-detect-weak-cipher-negotiation-in-phase-1/m-p/209663#M238 ktague 2018-04-11T21:37:16Z Re: Custom Signature to Detect Weak Cipher Negotiation in Phase 1 ISAKMP Negotiation https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-to-detect-weak-cipher-negotiation-in-phase-1/m-p/228078#M261 <P>thank you so much</P> Thu, 23 Aug 2018 18:17:17 GMT https://live.paloaltonetworks.com/t5/custom-signatures/custom-signature-to-detect-weak-cipher-negotiation-in-phase-1/m-p/228078#M261 zonbin 2018-08-23T18:17:17Z