Good Afternoon,

Is it possible to create a custom threat signature or APP-ID to match various strings of data inside of the ISAKMP initial payload during the IPSec phase 1 negotiation? The first packets are sent in plaintext during the negotiation. This would be done in order to determine if a weak cipher is being used during tunnel initiation.

Example:

ISAKMP Packet:
Payload: Proposal -> Payload: Transform ->
IKE Attribute -> :Hash-Algorithm: SHA
IKE Attribute -> :Group-Description

Pattern Match on Hash-Algorithm and Group-Description specification.

.*(Group-Description:).*((group 1)|.*(1024-bit))
.*(Hash-Algorithm:).*((SHA)|.*(3DES))

The first expression looks for 'Group-Description:' followed by the word 'group 1' or '1024-bit' for example. The second expression looks for 'Hash-Algorithm:' followed by the word 'SHA' or '3DES'.

Screenshot example attached.

Any guidance would be appreciated,
Thanks!
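The check described in the post, as an added Python example that is not part of the original post and is not firewall signature syntax. On the wire the IKE attributes are numeric type/value pairs (RFC 2409, Appendix A), and names such as Group-Description are how a packet dissector renders them, so the example matches the numeric encoding. Assumptions: the input is the UDP/500 payload of an IKEv1 message whose first payload is the SA, the flagged values in `WEAK` mirror the ones named in the post, and `sample_packet` builds a constructed message.

```python
import struct
# IKEv1 attribute classes and values as numbered in RFC 2409, Appendix A.
ATTR = {1: "Encryption-Algorithm", 2: "Hash-Algorithm", 4: "Group-Description"}
# Assumed policy that mirrors the values the post wants to flag.
WEAK = {(1, 5): "3DES-CBC", (2, 2): "SHA",
        (4, 1): "group 1 (768-bit MODP)", (4, 2): "group 2 (1024-bit MODP)"}

def attributes(data):
    """Yield (type, value) for each data attribute in a transform body."""
    off = 0
    while off + 4 <= len(data):
        a_type, field = struct.unpack_from("!HH", data, off)
        off += 4
        if a_type & 0x8000:            # AF=1: fixed form, field is the value
            yield a_type & 0x7FFF, field
        else:                          # AF=0: field is the value length
            yield a_type, int.from_bytes(data[off:off + field], "big")
            off += field

def weak_proposals(pkt):
    """Return (proposal#, transform#, attribute, value) for flagged values."""
    found = []
    if len(pkt) < 40 or pkt[16] != 1 or pkt[17] != 0x10:  # next payload SA, v1.0
        return found
    sa_len = struct.unpack_from("!H", pkt, 30)[0]
    off, end = 40, min(28 + sa_len, len(pkt))  # assumes IPsec DOI, 4-byte situation
    while off + 8 <= end:
        p_len, p_num, _, spi_size, _ = struct.unpack_from("!xxHBBBB", pkt, off)
        if p_len < 8:                  # malformed length, stop instead of looping
            break
        t_off, p_end = off + 8 + spi_size, min(off + p_len, end)
        while t_off + 8 <= p_end:
            t_len, t_num = struct.unpack_from("!xxHB", pkt, t_off)
            if t_len < 8:
                break
            for key in attributes(pkt[t_off + 8:min(t_off + t_len, p_end)]):
                if key in WEAK:
                    found.append((p_num, t_num, ATTR[key[0]], WEAK[key]))
            t_off += t_len
        off += p_len
    return found

def sample_packet():
    """Constructed main-mode first message: one proposal, one transform."""
    attrs = bytes.fromhex("80010005800200028003000180040002800b0001000c000400007080")
    transform = struct.pack("!BxHBBxx", 0, 8 + len(attrs), 1, 1) + attrs
    proposal = struct.pack("!BxHBBBB", 0, 8 + len(transform), 1, 1, 0, 1) + transform
    sa = struct.pack("!BxHII", 0, 12 + len(proposal), 1, 1) + proposal
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, bytes(8), 1, 0x10, 2, 0, 0, 28 + len(sa)) + sa
```

Calling `weak_proposals(sample_packet())` reports the 3DES, SHA and group 2 values of the constructed transform, each tagged with its proposal and transform number.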