Custom signature not working


Hello Team,

I need to create a custom VA signature that can detect a specific Chrome browser version and also block internet access from that browser.
I have created a custom signature that can detect the specific version and can block HTTP traffic too, but HTTPS traffic is not being blocked.

We have not enabled SSL decryption and do not plan to enable it, but I still need to block port 443 traffic.

I have been matching the Chrome browser version pattern along with the TLS version pattern, but it's not working. Please let me know how I can block it without SSL decryption.

I am using the signature below.

<?xml version="1.0"?>
<vulnerability-threat version="9.0.0">
  <entry name="41005">
    <signature>
      <standard>
        <entry name="chrome browser httpsv1">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <pattern>Chrome/83.0.4103.116</pattern>
                      <context>http-req-headers</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
            <entry name="And Condition 2">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <equal-to>
                      <value>769</value>
                      <context>ssl-rsp-version</context>
                    </equal-to>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>yes</order-free>
          <scope>session</scope>
        </entry>
        <entry name="chrome browser tlsv1.1">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <pattern>Chrome/83.0.4103.116</pattern>
                      <context>http-req-headers</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
            <entry name="And Condition 2">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <equal-to>
                      <value>770</value>
                      <context>ssl-rsp-version</context>
                    </equal-to>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>yes</order-free>
          <scope>session</scope>
        </entry>
        <entry name="chrome browser tls1.2">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <pattern>Chrome/83.0.4103.116</pattern>
                      <context>http-req-headers</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
            <entry name="And Condition 2">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <equal-to>
                      <value>771</value>
                      <context>ssl-rsp-version</context>
                    </equal-to>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>yes</order-free>
          <scope>session</scope>
        </entry>
        <entry name="chrome browser 1.1">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <pattern>Chrome/83.0.4103.116</pattern>
                      <context>http-req-headers</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>yes</order-free>
          <scope>session</scope>
        </entry>
      </standard>
    </signature>
    <default-action>
      <alert/>
    </default-action>
    <threatname>Chrone testing http</threatname>
    <severity>low</severity>
    <direction>client2server</direction>
    <affected-host>
      <client>yes</client>
    </affected-host>
  </entry>
</vulnerability-threat>

 

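An added illustration, not part of the original post and not vendor code: it walks a TLS session the way a non-decrypting device sees it, showing that the ServerHello version (769, 770 and 771 are the decimal forms of 0x0301, 0x0302 and 0x0303) is readable while the User-Agent header sits inside encrypted application-data records, so the two conditions in the signature above cannot both be observed on an undecrypted HTTPS session. The sample bytes, the host name, the helper names and the XOR stand-in for record encryption are all constructed for this example.

```python
import hashlib
import struct

# Decimal values from the post's <equal-to> conditions and the versions they encode.
TLS_VERSIONS = {769: "TLS 1.0", 770: "TLS 1.1", 771: "TLS 1.2"}
HANDSHAKE, APPLICATION_DATA, SERVER_HELLO = 22, 23, 2
PATTERN = b"Chrome/83.0.4103.116"

def record(ctype, body, version=771):
    """One TLS record: content type (1) | version (2) | length (2) | body."""
    return struct.pack("!BHH", ctype, version, len(body)) + body

def server_hello(version):
    """Minimal ServerHello: version, 32-byte random, empty session id, suite, compression."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    return bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body

def fake_encrypt(data):
    """Stand-in for record protection (NOT real TLS crypto): XOR with a hashed keystream."""
    ks = b"".join(hashlib.sha256(b"constructed-key%d" % i).digest()
                  for i in range(len(data) // 32 + 1))
    return bytes(d ^ k for d, k in zip(data, ks))

def inspect_tls(stream, pattern=PATTERN):
    """Walk records as a non-decrypting device would: (ServerHello version, pattern seen)."""
    version, seen, off = None, False, 0
    while off + 5 <= len(stream):
        ctype, _, length = struct.unpack_from("!BHH", stream, off)
        body = stream[off + 5:off + 5 + length]
        if len(body) < length:
            break  # truncated capture
        off += 5 + length
        seen = seen or pattern in body
        if ctype == HANDSHAKE and len(body) >= 6 and body[0] == SERVER_HELLO:
            version = struct.unpack_from("!H", body, 4)[0]
    return version, seen

def both_conditions_met(stream):
    """The post's AND: User-Agent pattern seen AND ServerHello version in the table."""
    version, seen = inspect_tls(stream)
    return seen and version in TLS_VERSIONS

# Constructed sample traffic (host name and header values are made up).
HTTP_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                b"User-Agent: Mozilla/5.0 Chrome/83.0.4103.116 Safari/537.36\r\n\r\n")
HTTPS_SESSION = (record(HANDSHAKE, server_hello(771))
                 + record(APPLICATION_DATA, fake_encrypt(HTTP_REQUEST)))

if __name__ == "__main__":
    print(inspect_tls(HTTPS_SESSION), both_conditions_met(HTTPS_SESSION))
```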