Cisco FirePOWER Appliance 8360
FireSIGHT System User Guide, Chapter 32 Understanding and Writing Intrusion Rules
Understanding Keywords and Arguments in Rules (page 32-52)
ssl_version

License: Protection

The ssl_version keyword can be used to match against version information for an encrypted session. When a rule uses the ssl_version keyword, the rules engine invokes the SSL preprocessor to check traffic for SSL version information.

For example, if you know there is a buffer overflow vulnerability in SSL version 2, you could use the ssl_version keyword with the sslv2 argument to identify traffic using that version of SSL.

Use a comma-separated list to specify multiple arguments for the SSL version. When you list multiple arguments, the system evaluates them using the OR operator. For example, if you wanted to identify any encrypted traffic that was not using SSLv2, you could add ssl_version:sslv3,tls1.0,tls1.1,tls1.2 to a rule. The rule would evaluate any traffic using SSL Version 3, TLS Version 1.0, TLS Version 1.1, or TLS Version 1.2.

Note that the SSL preprocessor must be enabled to allow processing of rules using the ssl_version keyword. When the SSL preprocessor is disabled and you enable rules that use this keyword, you are prompted whether to enable the preprocessor when you save the policy. See
Table 32-33 ssl_state Arguments

Argument       Purpose
client_hello   Matches against a handshake message with ClientHello as the message type, where the client requests an encrypted session.
server_hello   Matches against a handshake message with ServerHello as the message type, where the server responds to the client's request for an encrypted session.
client_keyx    Matches against a handshake message with ClientKeyExchange as the message type, where the client transmits a key to the server to confirm receipt of a key from the server.
server_keyx    Matches against a handshake message with ServerKeyExchange as the message type, where the server transmits a key to the client to confirm receipt of a key from the client.
unknown        Matches against any handshake message type.

The ssl_version keyword takes the following SSL/TLS version identifiers as arguments:

Table 32-34 ssl_version Arguments

Argument   Purpose
sslv2      Matches against traffic encoded using Secure Sockets Layer (SSL) Version 2.
sslv3      Matches against traffic encoded using Secure Sockets Layer (SSL) Version 3.
tls1.0     Matches against traffic encoded using Transport Layer Security (TLS) Version 1.0.
tls1.1     Matches against traffic encoded using Transport Layer Security (TLS) Version 1.1.
tls1.2     Matches against traffic encoded using Transport Layer Security (TLS) Version 1.2.
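As an added example that is not from the guide or the preprocessor's own code, the version classification and OR evaluation described above, modelled in Python from the SSL/TLS wire format: it reads the version bytes of a session's first record, maps them to the argument names in Table 32-34, and evaluates a comma-separated ssl_version argument list (any listed version matches). The record layouts are standard; the function names, the sample records and the mapping are constructed for this illustration and approximate, rather than reproduce, the SSL preprocessor.

```python
# Constructed example: classify the SSL/TLS version of a session's first record and
# evaluate an ssl_version argument list against it with the guide's OR semantics.

# Wire version bytes (major, minor) -> ssl_version argument name from Table 32-34.
VERSION_ARGS = {(3, 0): "sslv3", (3, 1): "tls1.0", (3, 2): "tls1.1", (3, 3): "tls1.2"}
SSLV2_VERSION = (0, 2)
ALL_ARGS = set(VERSION_ARGS.values()) | {"sslv2"}


def classify_ssl_version(record: bytes):
    """Return the ssl_version argument name for this record, or None if it is not SSL/TLS."""
    if len(record) < 5:
        return None
    # SSLv3/TLS record header: content type (0x14-0x17), version (2 bytes), length (2 bytes).
    if record[0] in (0x14, 0x15, 0x16, 0x17):
        return VERSION_ARGS.get((record[1], record[2]))
    # SSLv2 record: 2-byte length with the high bit set, then msg type 0x01 (CLIENT-HELLO)
    # followed by the version the client offers (0x0002 for SSLv2 itself).
    if record[0] & 0x80 and record[2] == 0x01:
        offered = (record[3], record[4])
        return "sslv2" if offered == SSLV2_VERSION else VERSION_ARGS.get(offered)
    return None


def ssl_version_matches(argument: str, record: bytes) -> bool:
    """Evaluate e.g. "sslv3,tls1.0,tls1.1,tls1.2": True if ANY listed version matches."""
    wanted = {a.strip() for a in argument.split(",") if a.strip()}
    bad = wanted - ALL_ARGS
    if bad:  # mirrors a rule failing to load with an argument outside Table 32-34
        raise ValueError(f"unsupported ssl_version argument(s): {sorted(bad)}")
    return classify_ssl_version(record) in wanted


# Constructed sample records (only the headers matter to the classifier).
TLS12_HELLO = b"\x16\x03\x03\x00\x05\x01\x00\x00\x01\x00"  # TLS 1.2 handshake record
SSLV3_HELLO = b"\x16\x03\x00\x00\x05\x01\x00\x00\x01\x00"  # SSL 3.0 handshake record
SSLV2_HELLO = b"\x80\x0e\x01\x00\x02\x00\x03\x00\x00\x00\x02\x01\x00\x80\x12\x34"  # SSLv2 CLIENT-HELLO
NOT_SSL = b"GET / HTTP/1.1\r\n"  # cleartext, never matches

if __name__ == "__main__":
    not_sslv2 = "sslv3,tls1.0,tls1.1,tls1.2"  # the guide's "anything but SSLv2" list
    for name, rec in [("TLS1.2", TLS12_HELLO), ("SSLv3", SSLV3_HELLO),
                      ("SSLv2", SSLV2_HELLO), ("HTTP", NOT_SSL)]:
        print(name, classify_ssl_version(rec), ssl_version_matches(not_sslv2, rec))
```

A TLS ClientHello often carries a lower version (such as 3.1) in its record header than the version offered inside the handshake body, so a check on the record header alone, as here, can classify such traffic as tls1.0.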