I working with a customer that needs to detect the usage of SSLv3(already done with ID 36815), TLS 1.0 and TLS 1.1, at some point they may move to blocking this on certain traffic. They don't particularly want decrypt the traffic for this due to complaince and organizational policies, and they want to be able to run reports so doing a No decrypt with a profile isn't exactly helpful either.
It seems like the best way to accomplish this is through a threat signature that would have either the SSL Client or the Server Hello context which contains the protocal version is 0x030#. This is only 2 of the 7 required bytes so I am not positive what else to match on. Alternatively, with TLS can you still do an equal to match on SSL-rsp-version and if so what values to the TLS versions much against? Would it be 4,5,6?
As an update to this, it can be accomplished using a custom Threat and the equal to operate to match against the Context of SSL-RSP-version. The values that are needed to match against
I do not recommend leaving the TLS 1.2 threat in an alert mode if you create it but instead change it to allow as it will be extremely noisy. It is however useful if you need to verify the functionality
These 3 custom vulnerabilities will allow you the capability of alerting or blocking lower level TLS encryption if areas that might require it for complaince such as PCI zones.
Alternatively you can also use decryption profiles to force the traffic to the high level, but it does not produce the same logs for visibility.
The attatched XML is the example threat signature to look for TLS1.0 responses.
A couple of years behind but appear to be faced with a similar query from a customer I am currently working with.
Essentially wanting to go about achieving the same - creating a log entry of each time TLS 1.0 or 1.1 is used by clients accessing their domain.
With your suggestion, could you clarify what area of configuration you are going into in order to apply this or better yet, a resource of which shows how to go about this step by step?
Essentially want to go about the same idea suggested just not wholly confident on where in the Palo Alto you would do this - any pointers would be greatly appreciated.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!