Forum Discussion
If you already have ASM, the correct option for you is the Data Guard feature which is purpose-built for exactly your use case. See here: https://devcentral.f5.com/s/articles/the-big-ip-application-security-manager-part-8-data-guard
Jason, thank you for the quick response. Question: being that this is a database, i.e. a standard TCP VS, would ASM be able to inspect this given that it is not HTTP?
/jeff
- JRahm, Jul 09, 2019 (Admin)
Ah, hasty response on my part, didn't fully read your question. Let me do a little digging. Not super familiar with DB2... will numbers be in the clear or need binary inspection?
- jba3126, Jul 09, 2019 (Cirrus)
Jason, no worries at all. I updated the post to make the TCP requirement more evident. The format is ASCII and EBCDIC, and the numbers are in plain text.
/jeff
- JRahm, Jul 10, 2019 (Admin)
Ok, so this is TCP and cleartext data, so you have options. It looks in Wireshark to be a well-understood protocol, so you can parse it out by field with a TCP::collect and binary scan on the request to look for queries to any table that might have that information in it, and then activate a stream profile and use a stream match to sanitize the response data. You have to do the collection work and change the events to be TCP-appropriate rather than HTTP, but this article has what you need for the CC replacement info. To add SSN to the iRule shared above, you can use this regex from this codeshare entry:
set static::ssn_regex {\d{3}-\d{2}-\d{4}}
- jba3126, Jul 15, 2019 (Cirrus)
Jason, thank you for the response and leads here. The article you wrote on what you did with TCP::collect/binary scan for SSL was spot on to give me a framework to model. At this point I have more questions than answers :) That said, I'm in a collect-and-see mode, the idea being to understand the data between Wireshark and the local log. I will admit that what appears to be UTF-8 encoding when logging the TCP::payload to the local log is throwing me off a bit.
Below is the current rule; however, it is only firing when the database is first connected, so I'm not seeing when the actual data is queried. Feel free to let me know how far off or on track I am here.
Current iRule:
Collects Data on Server Connect, Extracts Data Length/Payload Length/Payload to local log. It does a Binary Scan using Data length, inserts into variable, and releases to the server.
when SERVER_CONNECTED {
    # Start collecting server-side data as soon as the pool member connects
    TCP::collect
}
when SERVER_DATA {
    # Number of bytes collected so far and the payload buffer length
    set datalen [TCP::offset]
    log local0. "Data length is : $datalen"
    set payloadlen [TCP::payload length]
    log local0. "Payload length is : $payloadlen"
    set payload [TCP::payload]
    log local0. "Collected goods : $payload"
    # H* converts the whole buffer to hex; H$datalen would scan $datalen hex
    # digits, i.e. only half the bytes, since each byte is two hex digits
    binary scan [TCP::payload] H* var1
    log local0. "TCP Collect found $var1"
    # Pass the data on, then collect again so later server responses
    # (not just the connection handshake) also trigger this event
    TCP::release
    TCP::collect
}
Output:
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: Data length is : 1172
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: Payload length is : 1172
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: Collected goods : [1172-byte payload dump omitted]
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: TCP Collect found [hex dump omitted]
/jeff
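Putting the two halves of Jason's suggestion together (collect on the client side to spot a query against the sensitive table, then turn on a stream match so SSNs in the response are masked) as an added example that is not from this thread or from F5. It assumes a stream profile is attached to the TCP virtual server, takes the SSN regex from the codeshare entry linked above and the table name TBLACCOUNTS from the log output above, and relies on the thread's statement that table names and numbers travel in cleartext.

```tcl
# Added example iRule: detect a query against TBLACCOUNTS, then mask SSNs.
# Assumes a stream profile is attached to the TCP virtual server.
when RULE_INIT {
    # Regex from the codeshare entry referenced in the thread
    set static::ssn_regex {\d{3}-\d{2}-\d{4}}
    # Table name taken from the thread's logged payload (assumption: this is
    # the table that holds the sensitive data)
    set static::target_table "TBLACCOUNTS"
}
when CLIENT_ACCEPTED {
    # Nothing is rewritten until a sensitive query has been seen
    STREAM::disable
    TCP::collect
}
when CLIENT_DATA {
    # Tcl stores a NUL byte internally as the two-byte sequence C0 80, which is
    # why the logged payload above shows \xC0\x80 between fields. Map NULs to
    # spaces so a plain string search works across field boundaries.
    set req [string map [list "\u0000" " "] [TCP::payload]]
    # Case-insensitive check for the table name (ASCII only; an EBCDIC-encoded
    # request would need converting before this comparison)
    if { [string first $static::target_table [string toupper $req]] >= 0 } {
        log local0. "Query against $static::target_table from [IP::client_addr]"
        # @find@replace@ syntax; the stream profile rewrites both directions,
        # so an SSN inside the query itself would be masked as well
        STREAM::expression "@$static::ssn_regex@XXX-XX-XXXX@"
        STREAM::enable
    } else {
        STREAM::disable
    }
    # Forward the request and keep collecting so later queries on the same
    # connection are inspected too
    TCP::release
    TCP::collect
}
```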