Forum Discussion

msmith1356_2932's avatar
msmith1356_2932
Icon for Nimbostratus rankNimbostratus
Jun 05, 2017

Log all TLS v1.0 Connections

I'm looking for an iRule to log all TLS v1.0 connections to a remote logging server.

 

I'd like to include in the logs the external client IP, VIP, and time.

 

I'm very new to scripting, so any help would be GREATLY appreciated!

 

ASM Advanced WAF
iRules
security
  • Ilian_Ivanov's avatar
    Ilian_Ivanov
    Icon for Nimbostratus rankNimbostratus
    Jun 06, 2017

    Hello,

    You can use that code:

     

    when HTTP_REQUEST {
    if {[SSL::cipher version] equals "TLSv1"} {
        set hsl [HSL::open -proto UDP -pool syslog_server_pool]
        set time [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %Z"]
        HSL::send $hsl "<190> TLSv1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    }
}

     

    You will need to create a pool with name "syslog_server_pool" and add your remote log server. You can change the pool name of course but it should be the same as in the iRule.

    The output should looks like that:

    Msg: TLSv1 Request Detected: Time = 06/Jun/2017:19:08:05 EEST, Client IP:Port = 10.10.10.100:58978, F5 VIP:Port = 10.10.10.20:443

     

  • dwcoffin_370357's avatar
    dwcoffin_370357
    Icon for Nimbostratus rankNimbostratus
    Aug 22, 2018

    Does this break down connections by TLS1.0/1.1/1.2 or lumps all into TLSv1 Requests without specifying the specific versions?

     

    • jaikumar_f5's avatar
      jaikumar_f5
      Icon for Noctilucent rankNoctilucent
      Aug 23, 2018

      Hi Dwcoffin,

      If you check the [article](Categorize SSL traffic by version, display as graph),it does break it down with all versions.

      If you are looking for Irule for remote logging for all versions,

       

      when HTTP_REQUEST {
set hsl [HSL::open -proto UDP -pool syslog_server_pool]
set time [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %Z"]
    if {[SSL::cipher version] equals "TLSv1"} {
        HSL::send $hsl "TLSv1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    } 
    if {[SSL::cipher version] equals "TLSv1.1" } {
        HSL::send $hsl "TLSv1.1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    }
    if {[SSL::cipher version] equals "TLSv1.2" } {
        HSL::send $hsl "TLSv1.2 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
    }
}

       

    • dwcoffin_370357's avatar
      dwcoffin_370357
      Icon for Nimbostratus rankNimbostratus
      Dec 05, 2018

      We have implemented this iRule. It is working as expected. Thank you! Request information to include encrypted connections made on non-standard ports (not port 443) please.