06-21-2023 08:19 AM - edited 06-21-2023 08:37 AM
I am struggling with getting a custom vulnerability signature to detect RC4 server responses. We have created other custom signatures that are working just fine within the same test policy. For example, checking for TLS 1.0, 1.1, etc. I have tried a number of different pattern matches against the ssl-rsp-server-hello context without success. This is the current matching value I have defined:
.*((Cipher)|.*(RC4))
I have a case open with TAC but they seem to be struggling with it as well. There is no built-in vulnerability signature for RC4 cipher use and we do not want to perform SSL inspection against this traffic. We know that is another option to take actions on specific protocols and ciphers. I have tried just matching on .*(Compression) and that doesn't work either. What am I missing?
07-02-2023 06:24 AM
Well, this is a task for Palo Alto PS, not TAC, as you are wanting a custom signature.
Still, you may see https://live.paloaltonetworks.com/t5/custom-signatures/custom-vulnerability-to-block-old-browser-ver... as the regex in Palo Alto should be enclosed with ().
Also, will the regex (Cipher(.*)RC4(.*)) not do the job? If not, test your regex at https://regex101.com/
07-21-2023 12:25 AM
Hello @AndrewZener, did my suggestion help you? 🙂