I am working with a customer that needs to detect the usage of SSLv3 (already done with ID 36815), TLS 1.0 and TLS 1.1; at some point they may move to blocking this on certain traffic. They don't particularly want to decrypt the traffic for this due to compliance and organizational policies, and they want to be able to run reports, so doing a No Decrypt with a profile isn't exactly helpful either.
It seems like the best way to accomplish this is through a threat signature that would have either the SSL Client Hello or the Server Hello context, which contains the protocol version, 0x030#. This is only 2 of the 7 required bytes, so I am not positive what else to match on. Alternatively, with TLS can you still do an equal-to match on SSL-rsp-version, and if so, what values do the TLS versions match against? Would it be 4, 5, 6?
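For reference on which bytes actually carry the version, here is an added example (not code from the post or from the vendor) that parses a raw TLS handshake record, pulls the version field out of a ClientHello or ServerHello, and classifies it as legacy or not. The record layer puts a version at offset 1 and the hello body puts its own version at offset 9 (5-byte record header plus 4-byte handshake header), which is why matching on the two 0x030# bytes alone is ambiguous. The sample hello messages are constructed inline; the hello builder, the function names and the `GREASE` handling are this example's own assumptions. The TLS 1.3 handling is the caveat a detection rule needs: a TLS 1.3 hello still carries 0x0303 in both version fields and only signals 1.3 through the supported_versions extension, so a rule keyed on the version bytes alone cannot tell 1.2 from 1.3.

```python
"""Classify the TLS/SSL version advertised in a ClientHello or ServerHello record."""
import struct

VERSION_NAMES = {0x0300: "SSLv3", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
LEGACY_VERSIONS = {0x0300, 0x0301, 0x0302}   # what the customer wants to report on
HANDSHAKE_RECORD = 0x16
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
EXT_SUPPORTED_VERSIONS = 0x002B              # RFC 8446 supported_versions extension


def parse_hello(record: bytes) -> dict:
    """Walk a handshake record and return its version fields.

    Layout: [0] content type, [1:3] record version, [3:5] record length,
            [5] handshake type, [6:9] handshake length, [9:11] hello version.
    """
    if len(record) < 11 or record[0] != HANDSHAKE_RECORD:
        raise ValueError("not a TLS handshake record")
    record_version, record_len = struct.unpack(">HH", record[1:5])
    body = record[5:5 + record_len]
    hs_type = body[0]
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if hs_type not in (CLIENT_HELLO, SERVER_HELLO) or len(hello) < 35:
        raise ValueError("not a ClientHello/ServerHello")
    hello_version = struct.unpack(">H", hello[0:2])[0]
    pos = 2 + 32                              # skip the 32-byte random
    pos += 1 + hello[pos]                     # skip session id
    if hs_type == CLIENT_HELLO:
        pos += 2 + struct.unpack(">H", hello[pos:pos + 2])[0]   # cipher suites
        pos += 1 + hello[pos]                                   # compression methods
    else:
        pos += 2 + 1                          # chosen cipher suite + compression method
    supported = []
    if pos + 2 <= len(hello):                 # extensions block is optional
        ext_total = struct.unpack(">H", hello[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(hello))
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype == EXT_SUPPORTED_VERSIONS:
                if hs_type == CLIENT_HELLO:   # 1-byte list length, then 2-byte versions
                    n = edata[0]
                    supported = [struct.unpack(">H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
                else:                         # ServerHello carries the single selected version
                    supported = [struct.unpack(">H", edata[0:2])[0]]
    return {"hello_type": hs_type, "record_version": record_version,
            "hello_version": hello_version, "supported_versions": supported}


def classify(record: bytes) -> dict:
    """Report the effective version and whether it is one the customer wants flagged."""
    info = parse_hello(record)
    # Ignore GREASE or unknown values the client may advertise; fall back to the hello version.
    known = [v for v in info["supported_versions"] if v in VERSION_NAMES]
    effective = max(known) if known else info["hello_version"]
    return {"hello_type": "ClientHello" if info["hello_type"] == CLIENT_HELLO else "ServerHello",
            "version": VERSION_NAMES.get(effective, hex(effective)),
            "legacy": effective in LEGACY_VERSIONS}


def build_hello(hs_type: int, version: int, supported=None, record_version=0x0301) -> bytes:
    """Construct a minimal hello record for testing (assumed helper, not real traffic)."""
    body = struct.pack(">H", version) + bytes(32) + b"\x00"        # version, random, empty session id
    if hs_type == CLIENT_HELLO:
        body += struct.pack(">H", 2) + b"\x00\x2f" + b"\x01\x00"    # one suite, null compression
    else:
        body += b"\x00\x2f" + b"\x00"
    exts = b""
    if supported:
        if hs_type == CLIENT_HELLO:
            data = bytes([2 * len(supported)]) + b"".join(struct.pack(">H", v) for v in supported)
        else:
            data = struct.pack(">H", supported[0])
        exts = struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(data)) + data
    body += struct.pack(">H", len(exts)) + exts
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE_RECORD]) + struct.pack(">HH", record_version, len(hs)) + hs


if __name__ == "__main__":
    samples = {
        "server TLS 1.0": build_hello(SERVER_HELLO, 0x0301),
        "client TLS 1.1": build_hello(CLIENT_HELLO, 0x0302),
        "client TLS 1.3": build_hello(CLIENT_HELLO, 0x0303, supported=[0x0A0A, 0x0304, 0x0303]),
        "server TLS 1.3": build_hello(SERVER_HELLO, 0x0303, supported=[0x0304]),
    }
    for label, rec in samples.items():
        print(label, classify(rec))
```

The two TLS 1.3 samples are the ones to note when building a rule: both carry 0x0303 in the record and hello version fields, and only the supported_versions extension distinguishes them from TLS 1.2, so a signature on the hello version bytes is reliable for SSLv3, TLS 1.0 and TLS 1.1 but cannot separate 1.2 from 1.3.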