How to detect the SSL or TLS version being used

Created On 07/06/20 18:58 PM - Last Modified 09/02/21 19:02 PM


Objective
Detect the SSL/TLS version selected by the Server during a TLS handshake.

Environment
  • Palo Alto Networks Firewall
  • PAN-OS 8.1 and above.


Procedure
  1. Navigate to GUI: Objects > Custom Objects > Vulnerability.
  2. Click Add and set a Threat ID between 41000 and 45000, a severity, the default action (alert), the direction (server-to-client) and the affected system (client-and-server).
     Create a Custom Vulnerability Protection signature
  1. Click on Signatures > Add [Standard Signature option] and click "Add".
  2. Enter a signature name, choose type "Transaction" and click "Add Or Condition" with the following fields:
Example to detect TLS 1.0:
Operator: equal-to
Context: ssl-rsp-version
Value: 769 (default input value in custom signature is decimal)

Example to detect TLS version lower than TLS 1.2:
Operator: less-than
Context: ssl-rsp-version
Value: 771
 
SSL/TLS Version Reference
  Version    Hex       Decimal (value entered in the custom signature)
  TLS 1.2    0x0303    771
  TLS 1.1    0x0302    770
  TLS 1.0    0x0301    769
  SSL 3.0    0x0300    768
  SSL 2.0    0x0002    2
 
  1. Click on "Add And Condition" and choose "Operator" as "equal-to", "Context" as "ssl-rsp-version" and "Value" as "769".
Create custom signature
  1. Click OK to close the condition tab and then check the details on the Standard tab, as shown below.
Verify it was created properly
  1. Click OK to close the Standard tab and then OK again to create the Custom Vulnerability Object.
  2. Make sure to enable the created custom Vulnerability Object in the respective Vulnerability Security Profile under the "Exceptions" tab (GUI: Objects > Security Profiles > Vulnerability Protection).
  3. Commit the configuration.
  4. When the security profile is used in the configuration, the detected TLS version is displayed in the logs.
Vulnerability Logs


Additional Information
Assistance for creating custom signatures is outside of the scope of Support.

For assistance via the community forum please see Welcome To The Palo Alto Networks Custom Signature Discussion Board.
One can also refer to our "Creating Custom Application and Threat Signatures" Tech Note.

For additional help, please discuss your options with your Palo Alto Networks Account representative.

