https://live.paloaltonetworks.com/t5/custom-signatures/detecting-an-sslv2-server-response-with-a-custom-signature/m-p/74029#M45 <P><U><STRONG>DISCLAIMER:</STRONG></U></P> <P><STRONG><FONT color="#FF6600">As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community.</FONT></STRONG></P> <P>&nbsp;</P> <P><STRONG><FONT color="#FF6600">It is:</FONT></STRONG><BR /><BR /></P> <P><STRONG><FONT color="#FF6600">-&nbsp;<U>Not</U> recommended for deployment in a production network of any kind.</FONT></STRONG></P> <P><STRONG><FONT color="#FF6600">- <U>Not</U> a solution to any vulnerability.</FONT></STRONG></P> <P><STRONG><FONT color="#FF6600">- <U>Not</U> an official supported Palo Alto Networks signature.</FONT></STRONG></P> <P>&nbsp;</P> <P><STRONG><FONT color="#FF6600">That said, I do hope it will illustrate to interested community members what can be done with the strength of the Palo Alto Networks custom signature engine.</FONT></STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>With SSLv2 vulnerabilities continuing to present themselves, customers may find themselves interested in knowing when a session established with a server in their environment is leveraging this cryptographic protocol.</P> <P>&nbsp;</P> <P>Palo Alto Network's custom signature engine can help you accomplish exactly this.</P> <P>&nbsp;</P> <P>While the pattern matching contexts we expose are incredibly useful for looking for specific types of data, integer contexts are equally strong if you are looking to see whether or not an exposed context contains&nbsp;a specific value.&nbsp;Given the pattern matching contexts limitation of requiring seven static bytes as an anchor for detection, this makes more surgical tasks where you only want to evaluate a single field more difficult. For our example, the SSL version present in a Server Hello response is two bytes; this means it is not a candidate for a pattern matching signature.</P> <P>&nbsp;</P> <P>However, we expose ssl-rsp-version in the integer contexts, making the below possible:</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2900i0F16AEF817DE555F/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="Capture.PNG" title="Capture.PNG" /></P> <P>&nbsp;</P> <P>In the signature I will attach to this thread, we are inspecting the "SSL-RSP-VERSION" integer context to see if it contains a value of 2.</P> <P>&nbsp;</P> <P>This signature is an informational level that will alert when SSLv2 server responses are detected, allowing any network administrator who wants to be aware of this to take appropriate action.</P> <P>&nbsp;</P> <P>As always, any feedback or corrections from the community is absolutely welcome.</P> Wed, 02 Mar 2016 22:59:15 GMT rcole 2016-03-02T22:59:15Z https://live.paloaltonetworks.com/t5/custom-signatures/detecting-an-sslv2-server-response-with-a-custom-signature/m-p/74029#M45 <P><U><STRONG>DISCLAIMER:</STRONG></U></P> <P><STRONG><FONT color="#FF6600">As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community.</FONT></STRONG></P> <P>&nbsp;</P> <P><STRONG><FONT color="#FF6600">It is:</FONT></STRONG><BR /><BR /></P> <P><STRONG><FONT color="#FF6600">-&nbsp;<U>Not</U> recommended for deployment in a production network of any kind.</FONT></STRONG></P> <P><STRONG><FONT color="#FF6600">- <U>Not</U> a solution to any vulnerability.</FONT></STRONG></P> <P><STRONG><FONT color="#FF6600">- <U>Not</U> an official supported Palo Alto Networks signature.</FONT></STRONG></P> <P>&nbsp;</P> <P><STRONG><FONT color="#FF6600">That said, I do hope it will illustrate to interested community members what can be done with the strength of the Palo Alto Networks custom signature engine.</FONT></STRONG></P> <P>&nbsp;</P> <P>&nbsp;</P> <P>With SSLv2 vulnerabilities continuing to present themselves, customers may find themselves interested in knowing when a session established with a server in their environment is leveraging this cryptographic protocol.</P> <P>&nbsp;</P> <P>Palo Alto Network's custom signature engine can help you accomplish exactly this.</P> <P>&nbsp;</P> <P>While the pattern matching contexts we expose are incredibly useful for looking for specific types of data, integer contexts are equally strong if you are looking to see whether or not an exposed context contains&nbsp;a specific value.&nbsp;Given the pattern matching contexts limitation of requiring seven static bytes as an anchor for detection, this makes more surgical tasks where you only want to evaluate a single field more difficult. For our example, the SSL version present in a Server Hello response is two bytes; this means it is not a candidate for a pattern matching signature.</P> <P>&nbsp;</P> <P>However, we expose ssl-rsp-version in the integer contexts, making the below possible:</P> <P>&nbsp;</P> <P><IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/2900i0F16AEF817DE555F/image-size/original?v=mpbl-1&amp;px=-1" border="0" alt="Capture.PNG" title="Capture.PNG" /></P> <P>&nbsp;</P> <P>In the signature I will attach to this thread, we are inspecting the "SSL-RSP-VERSION" integer context to see if it contains a value of 2.</P> <P>&nbsp;</P> <P>This signature is an informational level that will alert when SSLv2 server responses are detected, allowing any network administrator who wants to be aware of this to take appropriate action.</P> <P>&nbsp;</P> <P>As always, any feedback or corrections from the community is absolutely welcome.</P> Wed, 02 Mar 2016 22:59:15 GMT https://live.paloaltonetworks.com/t5/custom-signatures/detecting-an-sslv2-server-response-with-a-custom-signature/m-p/74029#M45 rcole 2016-03-02T22:59:15Z