- Get Started
- News & Events
- Collaboration
- Education Services
- Technologies
- Next-Generation Firewall
- GlobalProtect
- Threat Prevention Services
- Endpoint Protection
- SSL Decryption
- App-ID
- Content-ID
- User-ID
- 5G
- IoT Security
- Cloud Identity Engine
Network Security
- Prisma Access
- Prisma Cloud
- Prisma SD-WAN
- CN-Series
- VM-Series:
- Alibaba
- AWS
- GCP
- Azure
Cloud Security
- Cortex XDR
- Cortex XSOAR
- Cortex Data Lake
Security Operations
- Resources
- COVID-19 Response Center
Detecting TLS 1.0 and TLS 1.1 Protocol
- LIVEcommunity
- Collaboration
- Discussions
- Custom Signatures
- Detecting TLS 1.0 and TLS 1.1 Protocol
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Detecting TLS 1.0 and TLS 1.1 Protocol
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
12-22-2017 08:04 AM
Hi,
I working with a customer that needs to detect the usage of SSLv3(already done with ID 36815), TLS 1.0 and TLS 1.1, at some point they may move to blocking this on certain traffic. They don't particularly want decrypt the traffic for this due to complaince and organizational policies, and they want to be able to run reports so doing a No decrypt with a profile isn't exactly helpful either.
It seems like the best way to accomplish this is through a threat signature that would have either the SSL Client or the Server Hello context which contains the protocal version is 0x030#. This is only 2 of the 7 required bytes so I am not positive what else to match on. Alternatively, with TLS can you still do an equal to match on SSL-rsp-version and if so what values to the TLS versions much against? Would it be 4,5,6?
Thank you,
- Mark as New
- Subscribe to RSS Feed
- Permalink
- Email to a Friend
- Report This Content
01-09-2018 07:23 AM
As an update to this, it can be accomplished using a custom Threat and the equal to operate to match against the Context of SSL-RSP-version. The values that are needed to match against
- TLS 1.0 is decimal 769 (0x030
- TLS 1.1 is decimal 770
- TLS 1.2 is decimal 771
I do not recommend leaving the TLS 1.2 threat in an alert mode if you create it but instead change it to allow as it will be extremely noisy. It is however useful if you need to verify the functionality
These 3 custom vulnerabilities will allow you the capability of alerting or blocking lower level TLS encryption if areas that might require it for complaince such as PCI zones.
Alternatively you can also use decryption profiles to force the traffic to the high level, but it does not produce the same logs for visibility.
The attatched XML is the example threat signature to look for TLS1.0 responses.
- Ransomware Prevention / Detection / Response Resources in General Topics
- Issue with correct FTP application detection in General Topics
- "email-headers" and "smtp-email-headers" context in customer application definition in Custom Signatures
- GlobalProtect issue with Enforcer Network Access in General Topics
- Unusual Issues in Hosted ESXI Environment in General Topics
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
