How to detect the SSL or TLS version being used
Objective
Detect the SSL/TLS version selected by the Server during a TLS handshake.
Environment
- Palo Alto Networks Firewall
- PAN-OS 8.1 and above.
Procedure
- Navigate to GUI: Objects > Custom Objects > Vulnerability.
- Click on Add and select a ThreatID between 41000 and 45000, severity and default action (alert), direction (server-to-client), affected system (client-and-server)
- Click on Signatures > Add [Standard Signature option] and click "Add"
- Select signature name, choose type "Transaction" and click "Add Or Condition" with the following fields:
Example to detect TLS 1.0:
Operator: equal-to **
Context: ssl-rsp-version
Value: 769 (default input value in custom signature is decimal)
**NOTE: When pushing a custom signature from Panorama PAN OS 10.X version to a PAN OS 9.X firewall: you cannot use the 'equal to' operator for custom signatures in this use case. The reason is due to the 'negate' checkbox option was added to the 'equal-to' operator starting in PAN OS 10.X (Figure 1). Pushing a custom signature with this operator from Panorama 10.X to a 9.X firewall will cause a commit error ”negate unexpected here” when trying to push the signature to the PAN OS 9.X firewall (Figure 2):
Figure 1 - showing the 'negate' option not available in 9.X versions and earlier for the 'equal-to' operator
Figure 2 - error received when trying to push a custom signature with the 'equal-to' operator from a Panorama 10.X to a 9.X firewall.
The workaround for this use case is using two And Conditions (a 'greater-than' and a 'less-than') in your custom signature instead to get the same result, as shown below:
Workaround example to detect TLS 1.0:
And Condition 1
Operator: less-than
Context: ssl-rsp-version
Value: 770 (defaut input value in custom signature is decimal)
And Condition 2
Operator: greater-than
Context: ssl-rsp-version
Value: 768 (default input value in custom signature is decimal)
The above workaround example would trigger the desired result of version 769 only as it is both less than 770 and greater than 768.
Example to detect TLS version lower than TLS 1.2:
Operator: less-than
Context: ssl-rsp-version
Value: 771
| TLS 1.2 | 0x0303 | 771 decimal |
| TLS 1.1 | 0x0302 | 770 decimal |
| TLS 1.0 | 0x0301 | 769 decimal |
| TLS 1.3 | 0x0304 | 772 decimal |
| SSL 3.0 | 0x0300 | 768 decimal |
| SSL 2.0 | 0x0002 | 2 decimal |
- Click on "Add And Condition" and choose "Operator" as "Equal to", "Context" as "ssl-rsp-version" and "Value" as "769"
- Click OK to close the condition tab and then check on the details on Standard tab as below.
- Click OK to close the Standard tab and then again OK to create the Custom Vulnerability Object.
- Make sure to enable the created custom Vulnerability Object in the respective Vulnerability Security Profile under the "Exceptions" tab.( GUI: Objects > Security Profiles > Vulnerability Protection)
- Commit the configuration.
- When the security profile is used in the configuration, detected TTLS profile is displayed in the logs.
Additional Information
Assistance for creating custom signatures is outside of the scope of Support.
For assistance via the community forum please see Welcome To The Palo Alto Networks Custom Signature Discussion Board.
One can also refer to our "Creating Custom Application and Threat Signatures" Tech Note.
For additional help, please discuss your options with your Palo Alto Networks Account representative.