Neuter the POODLE: Detect All SSLv3 Clients and Servers with ExtraHop


Following on the heels of the Heartbleed and Shellshock exploits, the new POODLE vulnerability in SSL version 3.0 (SSLv3) is the latest to require IT teams to identify and patch vulnerable systems.

Published by Google's security team today (Tuesday, October 14), the POODLE vulnerability targets a version of SSL that is 15 years old but still used widely. IT teams will want to identify systems using this version and disable SSLv3 on those machines if possible.

At ExtraHop, identifying vulnerable machines was a 15-second process (see the screenshots below for the results). That's because we have an ExtraHop appliance analyzing all our wire data—all L2-L7 communications between systems—and extracting a wealth of information for easy exploration. Whether it is identifying devices using SSLv3 or performing a Heartbleed audit going back years, ExtraHop puts your wire data at your fingertips.

Identifying SSLv3 Servers and Clients in Four Clicks

If you are an ExtraHop user, here is what you need to do in order to identify SSLv3 sessions in your environment:
  1. Click on the Applications tab in the left-hand navigation
  2. Click on the "All Activity" application
  3. Click SSL in the left-hand navigation to view all SSL metrics
  4. Click on the SSLv3 count under Sessions by Version

The resulting window will show you the top talkers for SSLv3 in your environment: these are the systems you will want to update first. Note that exploiting the POODLE vulnerability requires a lot of chattiness, which is why the top talkers come first. Adjust the time interval to see more devices. You can also see the clients and certificates involved in these sessions. If you want to add a nifty dashboard that visualizes these SSLv3 metrics, download the bundle from the ExtraHop Solution Bundles Gallery.
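
The same "sessions by version" tally can be sketched outside the product. The following is an added example, not ExtraHop's code and not part of the original post: it reads the negotiated version from each ServerHello record and counts SSLv3 sessions per server and per client. The function names, the flow tuple layout and the sample flows are assumptions constructed for illustration.

```python
import struct
from collections import Counter

SSL3 = (3, 0)                       # SSLv3 is 0x0300 on the wire
HANDSHAKE, SERVER_HELLO = 0x16, 0x02

def negotiated_version(record: bytes):
    """Return (major, minor) from a ServerHello record, or None if it is not one.

    The ServerHello carries the version the server selected; the ClientHello
    only advertises the highest version the client supports.
    """
    if len(record) < 11 or record[0] != HANDSHAKE:
        return None
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 6 or body[0] != SERVER_HELLO:
        return None
    # body[1:4] is the 24-bit handshake length; server_version follows it.
    return body[4], body[5]

def sslv3_top_talkers(flows):
    """flows: iterable of (client_ip, server_ip, first server record bytes)."""
    servers, clients = Counter(), Counter()
    for client, server, record in flows:
        if negotiated_version(record) == SSL3:
            servers[server] += 1
            clients[client] += 1
    return servers.most_common(), clients.most_common()

def _server_hello(major, minor):
    """Constructed minimal ServerHello: version, 32-byte random, empty
    session id, one cipher suite, null compression."""
    hello = bytes([major, minor]) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([HANDSHAKE, major, minor]) + struct.pack("!H", len(hs)) + hs

# Constructed sample flows using documentation-range addresses.
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", _server_hello(3, 0)),
    ("192.0.2.11", "198.51.100.5", _server_hello(3, 0)),
    ("192.0.2.10", "198.51.100.7", _server_hello(3, 3)),   # TLS 1.2, ignored
    ("192.0.2.12", "198.51.100.9", _server_hello(3, 0)),
    ("192.0.2.12", "198.51.100.9", b"\x17\x03\x00\x00\x01\x00"),  # app data
]

if __name__ == "__main__":
    servers, clients = sslv3_top_talkers(SAMPLE_FLOWS)
    print("SSLv3 servers:", servers)
    print("SSLv3 clients:", clients)
```

Servers that appear in this tally still accept SSLv3 and are the ones to reconfigure; clients that appear are still willing to negotiate it.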

This is just one example of what you can do with wire data. The possibilities are virtually limitless! Find out for yourself by exploring our free, interactive online demo.

ExtraHop's SSL envelope analysis reveals all kinds of interesting details about encryption in your environment, including SSLv3 usage.

Drilling into SSLv3 conversations, you can easily identify top-talkers using that version.

Adding a widget showing SSLv3 top-talkers to your dashboard is a simple three-step process.
