Custom signature not working

Hello Team,

I need to create a custom VA signature which can detect a specific Chrome browser version and also block internet access from that browser.
I have created a custom signature which can detect the specific version and can block HTTP traffic too, but HTTPS traffic is not being blocked.

We have not enabled SSL decryption and do not plan to enable it, but I still need to block port 443 traffic.

I have been matching the Chrome browser version pattern along with the TLS version pattern, but it's not working. Please let me know how I can block it without SSL decryption.

I am using the signature below.

<?xml version="1.0"?>
<vulnerability-threat version="9.0.0">
  <entry name="41005">
    <signature>
      <standard>
        <entry name="chrome browser httpsv1">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <pattern>Chrome/83.0.4103.116</pattern>
                      <context>http-req-headers</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
            <entry name="And Condition 2">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <equal-to>
                      <value>769</value>
                      <context>ssl-rsp-version</context>
                    </equal-to>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>yes</order-free>
          <scope>session</scope>
        </entry>
        <entry name="chrome browser tlsv1.1">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <pattern>Chrome/83.0.4103.116</pattern>
                      <context>http-req-headers</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
            <entry name="And Condition 2">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <equal-to>
                      <value>770</value>
                      <context>ssl-rsp-version</context>
                    </equal-to>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>yes</order-free>
          <scope>session</scope>
        </entry>
        <entry name="chrome browser tls1.2">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <pattern>Chrome/83.0.4103.116</pattern>
                      <context>http-req-headers</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
            <entry name="And Condition 2">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <equal-to>
                      <value>771</value>
                      <context>ssl-rsp-version</context>
                    </equal-to>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>yes</order-free>
          <scope>session</scope>
        </entry>
        <entry name="chrome browser 1.1">
          <and-condition>
            <entry name="And Condition 1">
              <or-condition>
                <entry name="Or Condition 1">
                  <operator>
                    <pattern-match>
                      <pattern>Chrome/83.0.4103.116</pattern>
                      <context>http-req-headers</context>
                      <negate>no</negate>
                    </pattern-match>
                  </operator>
                </entry>
              </or-condition>
            </entry>
          </and-condition>
          <order-free>yes</order-free>
          <scope>session</scope>
        </entry>
      </standard>
    </signature>
    <default-action>
      <alert/>
    </default-action>
    <threatname>Chrone testing http</threatname>
    <severity>low</severity>
    <direction>client2server</direction>
    <affected-host>
      <client>yes</client>
    </affected-host>
  </entry>
</vulnerability-threat>
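Added example, not part of the original post and not vendor code: a simplified Python model of the signature's AND/OR logic, showing which entries can match when the User-Agent header is sent in clear text versus inside a TLS session that is not decrypted. The two entries are a trimmed copy of the posted signature; the session data and the evaluation functions are constructed for illustration and only approximate how a firewall evaluates contexts.

```python
import re
import xml.etree.ElementTree as ET

# Trimmed copy of two <standard> entries from the posted signature (same contexts and values).
SIGNATURE = """<standard>
<entry name="chrome browser tls1.2"><and-condition>
  <entry name="And Condition 1"><or-condition><entry name="Or Condition 1"><operator>
    <pattern-match><pattern>Chrome/83.0.4103.116</pattern><context>http-req-headers</context></pattern-match>
  </operator></entry></or-condition></entry>
  <entry name="And Condition 2"><or-condition><entry name="Or Condition 1"><operator>
    <equal-to><value>771</value><context>ssl-rsp-version</context></equal-to>
  </operator></entry></or-condition></entry>
</and-condition></entry>
<entry name="chrome browser 1.1"><and-condition>
  <entry name="And Condition 1"><or-condition><entry name="Or Condition 1"><operator>
    <pattern-match><pattern>Chrome/83.0.4103.116</pattern><context>http-req-headers</context></pattern-match>
  </operator></entry></or-condition></entry>
</and-condition></entry>
</standard>"""

# Constructed sessions: only the contexts an inspecting device can read in each case.
SESSIONS = {
    "http/80": {"http-req-headers": "User-Agent: Mozilla/5.0 Chrome/83.0.4103.116 Safari/537.36"},
    # Without decryption the request headers sit inside encrypted TLS records,
    # so only handshake fields such as the negotiated version (771 = TLS 1.2) are readable.
    "https/443 undecrypted": {"ssl-rsp-version": 771},
}

def operator_matches(op, visible):
    """Evaluate one operator against the contexts visible in a session."""
    ctx = op.findtext("context")
    if ctx not in visible:
        return False  # context never observed, so the condition cannot fire
    if op.tag == "pattern-match":
        return re.search(op.findtext("pattern"), visible[ctx]) is not None
    if op.tag == "equal-to":
        return int(op.findtext("value")) == visible[ctx]
    return False

def entry_matches(entry, visible):
    """All And Conditions must hold; inside each, any Or Condition is enough."""
    return all(
        any(operator_matches(op, visible)
            for op in cond.findall("./or-condition/entry/operator/*"))
        for cond in entry.findall("./and-condition/entry"))

def evaluate(signature_xml=SIGNATURE, sessions=SESSIONS):
    """Return, per session, the names of the signature entries that match."""
    root = ET.fromstring(signature_xml)
    return {name: [e.get("name") for e in root.findall("./entry") if entry_matches(e, visible)]
            for name, visible in sessions.items()}

if __name__ == "__main__":
    for session, hits in evaluate().items():
        print(f"{session}: {hits or 'no entry matches'}")
```

In this model the header-only entry matches the plaintext session, while every entry that also requires `http-req-headers` fails on the undecrypted session because that context is never populated there.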

 
