topic Re: Detecting TLS 1.0 and TLS 1.1 Protocol in Custom Signatures

Detecting TLS 1.0 and TLS 1.1 Protocol

Retired Member — Fri, 22 Dec 2017 16:04:29 GMT

Hi,

I working with a customer that needs to detect the usage of SSLv3(already done with ID 36815), TLS 1.0 and TLS 1.1, at some point they may move to blocking this on certain traffic. They don't particularly want decrypt the traffic for this due to complaince and organizational policies, and they want to be able to run reports so doing a No decrypt with a profile isn't exactly helpful either.

It seems like the best way to accomplish this is through a threat signature that would have either the SSL Client or the Server Hello context which contains the protocal version is 0x030#. This is only 2 of the 7 required bytes so I am not positive what else to match on. Alternatively, with TLS can you still do an equal to match on SSL-rsp-version and if so what values to the TLS versions much against? Would it be 4,5,6?

Thank you,

Re: Detecting TLS 1.0 and TLS 1.1 Protocol

Retired Member — Tue, 09 Jan 2018 15:23:12 GMT

As an update to this, it can be accomplished using a custom Threat and the equal to operate to match against the Context of SSL-RSP-version. The values that are needed to match against

TLS 1.0 is decimal 769 (0x030
TLS 1.1 is decimal 770
TLS 1.2 is decimal 771

Example TLS 1.0

I do not recommend leaving the TLS 1.2 threat in an alert mode if you create it but instead change it to allow as it will be extremely noisy. It is however useful if you need to verify the functionality

These 3 custom vulnerabilities will allow you the capability of alerting or blocking lower level TLS encryption if areas that might require it for complaince such as PCI zones.

Alternatively you can also use decryption profiles to force the traffic to the high level, but it does not produce the same logs for visibility.

The attatched XML is the example threat signature to look for TLS1.0 responses.

Re: Detecting TLS 1.0 and TLS 1.1 Protocol

JTKoris — Mon, 20 Jun 2022 11:06:31 GMT

Hi Ben,

A couple of years behind but appear to be faced with a similar query from a customer I am currently working with.

Essentially wanting to go about achieving the same - creating a log entry of each time TLS 1.0 or 1.1 is used by clients accessing their domain.

With your suggestion, could you clarify what area of configuration you are going into in order to apply this or better yet, a resource of which shows how to go about this step by step?

Essentially want to go about the same idea suggested just not wholly confident on where in the Palo Alto you would do this - any pointers would be greatly appreciated.

Kind regards,

JT

Re: Detecting TLS 1.0 and TLS 1.1 Protocol

hisingh — Mon, 20 Jun 2022 14:35:57 GMT

@JTKoris and @Retired Member

Here is KB article https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008UgRCAU

Thanks

Himani