DISCLAIMER:
As with all custom signatures on this forum, this signature is being provided by the author as a result of enthusiasm for the product and to share ideas with the Palo Alto Networks security community.
It is:
- Not recommended for deployment in a production network of any kind.
- Not a solution to any vulnerability.
- Not an official supported Palo Alto Networks signature.
That said, I do hope it will illustrate to interested community members what can be done with the strength of the Palo Alto Networks custom signature engine.
With SSLv2 vulnerabilities continuing to present themselves, customers may find themselves interested in knowing when a session established with a server in their environment is leveraging this cryptographic protocol.
Palo Alto Network's custom signature engine can help you accomplish exactly this.
While the pattern matching contexts we expose are incredibly useful for looking for specific types of data, integer contexts are equally strong if you are looking to see whether or not an exposed context contains a specific value. Given the pattern matching contexts limitation of requiring seven static bytes as an anchor for detection, this makes more surgical tasks where you only want to evaluate a single field more difficult. For our example, the SSL version present in a Server Hello response is two bytes; this means it is not a candidate for a pattern matching signature.
However, we expose ssl-rsp-version in the integer contexts, making the below possible:
In the signature I will attach to this thread, we are inspecting the "SSL-RSP-VERSION" integer context to see if it contains a value of 2.
This signature is an informational level that will alert when SSLv2 server responses are detected, allowing any network administrator who wants to be aware of this to take appropriate action.
As always, any feedback or corrections from the community is absolutely welcome.
