Carlos_Urdaneta
Nov 06, 2014

Determine source IP addresses of SSLv3 connections?

Hi All,

Do we have the ability to determine which specific clients (IP addresses) are connecting to the F5 with SSL v3?

I know how to obtain some statistics about the number of SSLv3 connections, but not really where they are coming from.

Thanks in Advance for help.

Carlos

3 Replies

  • Not sure if there are any stats on this you can query, but here is an iRule that will log the connections to /var/log/ltm:

    when CLIENTSSL_HANDSHAKE {
        if { [SSL::cipher version] eq "SSLv3" } {
            log local0.debug "[IP::client_addr] accessed [virtual name] with SSLv3"
        }
    }
    

    This assumes you have a client_ssl profile on the virtual server. If not, you would have to modify the script at https://devcentral.f5.com/articles/irule-to-stop-sslv3-connections to just log instead of reject.

  • I have a slightly more detailed logging rule that provides some additional information if required.

    when HTTP_REQUEST {
        # $logged persists for the life of the connection, so each
        # connection is logged once even if it carries many requests.
        if { [info exists logged] && $logged == 1 } {
            # Do nothing. Already logged for this connection
        } else {
            set logged 1
            log "Rule CIPHER_logging fired, from [IP::remote_addr] to vip [IP::local_addr] Cipher [SSL::cipher name]:[SSL::cipher version]:[SSL::cipher bits] Client:[HTTP::header "User-Agent"]:[HTTP::host]"
        }
    }
    
  • mimlo, David,

    That looks promising. Appreciate your quick responses. Many thanks!
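
To turn the /var/log/ltm entries written by the first reply's iRule into a per-virtual-server list of SSLv3 client addresses, a parser along these lines can be run over the log. This is an added example, not part of the original thread; the syslog prefix and the rule name `log_sslv3` in the sample lines are constructed assumptions, and only the message text comes from the iRule.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Message text emitted by the first reply's iRule:
#   "[IP::client_addr] accessed [virtual name] with SSLv3"
MSG_RE = re.compile(r"(?P<ip>\S+) accessed (?P<vs>\S+) with SSLv3\s*$")

# Constructed sample lines. The syslog prefix (timestamp, host, tmm, rule name)
# is an assumption about the log layout; only the message tail is matched.
SAMPLE_LOG = """\
Nov  6 10:15:01 bigip1 debug tmm[1234]: Rule /Common/log_sslv3 <CLIENTSSL_HANDSHAKE>: 192.0.2.10 accessed /Common/vs_web with SSLv3
Nov  6 10:15:07 bigip1 debug tmm[1234]: Rule /Common/log_sslv3 <CLIENTSSL_HANDSHAKE>: 192.0.2.10 accessed /Common/vs_web with SSLv3
Nov  6 10:16:44 bigip1 debug tmm1[1234]: Rule /Common/log_sslv3 <CLIENTSSL_HANDSHAKE>: 198.51.100.7%2 accessed /Common/vs_api with SSLv3
Nov  6 10:17:02 bigip1 debug tmm[1234]: Rule /Common/log_sslv3 <CLIENTSSL_HANDSHAKE>: 2001:db8::5 accessed /Common/vs_web with SSLv3
Nov  6 10:17:30 bigip1 notice mcpd[5678]: unrelated message with SSLv3 in it
Nov  6 10:18:00 bigip1 debug tmm[1234]: Rule /Common/log_sslv3 <CLIENTSSL_HANDSHAKE>: not-an-ip accessed /Common/vs_web with SSLv3
"""

def sslv3_clients(lines):
    """Return {virtual_server: Counter({client_ip: hits})} for SSLv3 handshakes."""
    per_vs = defaultdict(Counter)
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue  # not a line written by the logging iRule
        # Drop a route-domain suffix such as "%2" before validating the address.
        addr = m.group("ip").split("%", 1)[0]
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            continue  # first field is not an IPv4/IPv6 address; skip the line
        per_vs[m.group("vs")][str(ip)] += 1
    return per_vs

def report(per_vs):
    """Flatten to (virtual_server, client_ip, hits) rows, busiest first."""
    rows = [(vs, ip, n) for vs, c in per_vs.items() for ip, n in c.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0], r[1]))

if __name__ == "__main__":
    for vs, ip, hits in report(sslv3_clients(SAMPLE_LOG.splitlines())):
        print(f"{hits:5d}  {ip:<40}  {vs}")
```

Because the route-domain suffix is dropped, clients with the same address in different route domains are counted together.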