Looking for help with a custom vulnerability signature to detect usage of the RC4 cipher set



L1 Bithead

I am struggling with getting a custom vulnerability signature to detect RC4 server responses. We have created other custom signatures that are working just fine within the same test policy. For example, checking for TLS 1.0, 1.1, etc. I have tried a number of different pattern matches against the ssl-rsp-server-hello context without success. This is the current matching value I have defined:

.*((Cipher)|.*(RC4))

I have a case open with TAC but they seem to be struggling with it as well. There is no built-in vulnerability signature for RC4 cipher use and we do not want to perform SSL inspection against this traffic. We know that is another option to take actions on specific protocols and ciphers. I have tried just matching on .*(Compression) and that doesn't work either. What am I missing?


L6 Presenter

Well, this is a task for Palo Alto PS, not TAC, as you are wanting a custom signature.


Still, you may see https://live.paloaltonetworks.com/t5/custom-signatures/custom-vulnerability-to-block-old-browser-ver... as the regex in Palo Alto should be enclosed with ().


Also, will the regex (Cipher(.*)RC4(.*)) not do the job? If not, test your regex at https://regex101.com/

L6 Presenter

Hello @AndrewZener did my suggestion help you 🙂
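One thing worth checking before tuning either the original .*((Cipher)|.*(RC4)) pattern or the suggested (Cipher(.*)RC4(.*)): a TLS ServerHello carries the negotiated cipher suite as a 2-byte IANA identifier, so the literal bytes "Cipher" and "RC4" never appear in the handshake itself. The added Python below (not from this thread or from Palo Alto's signature engine) parses a constructed ServerHello record, extracts that identifier and checks it against the RC4 suite IDs; the offsets follow RFC 5246 and the record builder is a test helper, not real server traffic.

```python
"""Added example: detect RC4 in a TLS ServerHello by cipher suite ID, not by text."""
import struct

# IANA cipher suite identifiers that use RC4 (subset of the TLS registry).
RC4_SUITES = {
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x0018: "TLS_DH_anon_WITH_RC4_128_MD5",
    0xC007: "TLS_ECDHE_ECDSA_WITH_RC4_128_SHA",
    0xC011: "TLS_ECDHE_RSA_WITH_RC4_128_SHA",
}


def server_hello_cipher_suite(record: bytes) -> int:
    """Return the cipher suite ID chosen in a TLS ServerHello record.
    Layout (RFC 5246): record header (5) + handshake header (4) + version (2)
    + random (32) + session_id length (1) + session_id + cipher_suite (2)."""
    if len(record) < 9 or record[0] != 0x16:          # 0x16 = handshake record
        raise ValueError("not a TLS handshake record")
    if record[5] != 0x02:                              # 0x02 = ServerHello
        raise ValueError("handshake message is not a ServerHello")
    sid_len_off = 5 + 4 + 2 + 32
    sid_len = record[sid_len_off]
    suite_off = sid_len_off + 1 + sid_len
    if len(record) < suite_off + 2:
        raise ValueError("truncated ServerHello")
    return struct.unpack("!H", record[suite_off:suite_off + 2])[0]


def uses_rc4(record: bytes) -> bool:
    return server_hello_cipher_suite(record) in RC4_SUITES


def build_server_hello(suite: int, session_id: bytes = b"") -> bytes:
    """Constructed minimal TLS 1.2 ServerHello (no extensions), for testing only."""
    body = b"\x03\x03" + bytes(32) + bytes([len(session_id)]) + session_id
    body += struct.pack("!H", suite) + b"\x00"          # compression: null
    hs = b"\x02" + len(body).to_bytes(3, "big") + body  # handshake header
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    for suite in (0x0005, 0xC011, 0xC02F):
        rec = build_server_hello(suite, b"\x11" * 8)
        print(f"0x{suite:04X} RC4={uses_rc4(rec)} contains b'RC4'={b'RC4' in rec}")
```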
