topic Re: Looking for help with a custom vulnerability signature to detect usage of the RC4 cipher set in Custom Signatures

Looking for help with a custom vulnerability signature to detect usage of the RC4 cipher set

AndrewZener — Wed, 21 Jun 2023 15:37:51 GMT

I am struggling with getting a custom vulnerability signature to detect RC4 server responses. We have created other custom signatures that are working just fine within the same test policy. For example, checking for TLS 1.0, 1.1 etc.... I have tried a number of different pattern matches against the ssl-rsp-server-hello context without success. This is the current matching value I have defined:

.*((Cipher)|.*(RC4)) I have a case open with TAC but they seem to be struggling with it as well. There is no built-in vulernability signature for RC4 cipher use and we do not want to perform SSL inspection against this traffic. We know that is another option to take actions on specific protocols and ciphers. I have tried just matching on .*(Compression) and that doesn't work either. What am I missing?

Re: Looking for help with a custom vulnerability signature to detect usage of the RC4 cipher set

nikoolayy1 — Sun, 02 Jul 2023 13:24:43 GMT

Well this a task for Palo Alto PS not TAC as you are wanting a custom signature.

Still you may see https://live.paloaltonetworks.com/t5/custom-signatures/custom-vulnerability-to-block-old-browser-versions/td-p/518666 as the regex in Palo Alto should be enclosed with ().

Also will the regex (Cipher(.*)RC4(.*)) not do the job, if not test your regex at https://regex101.com/

Re: Looking for help with a custom vulnerability signature to detect usage of the RC4 cipher set

nikoolayy1 — Fri, 21 Jul 2023 07:25:29 GMT

Hello @AndrewZener did my suggestion help you 🙂