Detecting TLS 1.0 and TLS 1.1 Protocol

Reply
L1 Bithead

Detecting TLS 1.0 and TLS 1.1 Protocol

Hi,

I working with a customer that needs to detect the usage of SSLv3(already done with ID 36815), TLS 1.0 and TLS 1.1, at some point they may move to blocking this on certain traffic. They don't particularly want decrypt the traffic for this due to complaince and organizational policies, and they want to be able to run reports so doing a No decrypt with a profile isn't exactly helpful either.

 

It seems like the best way to accomplish this is through a threat signature that would have either the SSL Client or the Server Hello context which contains the protocal version is 0x030#. This is only 2 of the 7 required bytes so I am not positive what else to match on. Alternatively, with TLS can you still do an equal to match on SSL-rsp-version and if so what values to the TLS versions much against? Would it be 4,5,6?

 

Thank you,

Highlighted
L1 Bithead

Re: Detecting TLS 1.0 and TLS 1.1 Protocol

As an update to this, it can be accomplished using a custom Threat and the equal to operate to match against the Context of SSL-RSP-version. The values that are needed to match against

  • TLS 1.0 is decimal 769  (0x030
  • TLS 1.1 is decimal 770
  • TLS 1.2 is decimal 771

image.pngExample TLS 1.0

I do not recommend leaving the TLS 1.2 threat in an alert mode if you create it but instead change it to allow as it will be extremely noisy. It is however useful if you need to verify the functionality

 

These 3 custom vulnerabilities will allow you the capability of alerting or blocking lower level TLS encryption if areas that might require it for complaince such as PCI zones.

 

Alternatively you can also use decryption profiles to force the traffic to the high level, but it does not produce the same logs for visibility.

 

The attatched XML is the example threat signature to look for TLS1.0 responses.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!