Forum Discussion
Looking for options - iRule, Traffic Policy, or Other to Protect PAN Data on Database VS
If you already have ASM, the correct option for you is the Data Guard feature which is purpose-built for exactly your use case. See here: https://devcentral.f5.com/s/articles/the-big-ip-application-security-manager-part-8-data-guard
Jason, Thank you for the quick response. Question, being that this is a Database i.e. a standard TCP VS would ASM be able to inspect this being that it is not HTTP?
/jeff
- JRahmJul 09, 2019Admin
Ah, hasty response on my part, didn’t fully read your question. Let me do a little digging. Not super familiar with db2...will numbers be in the clear or need binary inspection?
- jba3126Jul 09, 2019Cirrostratus
Jason, No worries at all. I updated the post to make the TCP requirement more evident. The format is ASCII and EBCDIC and the numbers are in plain text.
/jeff
- JRahmJul 10, 2019Admin
Ok, so this is tcp and cleartext data, so you have options. Looks in wireshark to be a well-understood protocol, so you can parse out by field with a TCP::collect and binary scan on the request to look for queries to any table that might have that information in it, and then activate a stream profile and use a stream match to sanitize the response data. You have to do the collection work and change the events to be TCP appropriate rather than HTTP, but this article has what you need for the CC replacement info. To add SSN for the iRule shared above, you can use this regex from this codeshare entry:
set static::ssn_regex {\d{3}-\d{2}-\d{4}}
- jba3126Jul 15, 2019Cirrostratus
Jason, Thank you for the response and leads here. The article you wrote on what you did with TCP::collect/binary scan for SSL was spot on to give me a frame work to model. At this point I have more questions than answers :) That said, I'm in a collect and see mode. The idea being to understand the data between Wireshark and local log. I will admit that what appears to be UTF-8 encoding when logging the TCP::payload to local log is throwing me off a bit.
Below is the current rule; however it is only firing when the database is first connected. So I'm not seeing when the actual data is queried. Feel free to let me know how far off or on track I am here.
Current iRule:
Collects Data on Server Connect, Extracts Data Length/Payload Length/Payload to local log. It does a Binary Scan using Data length, inserts into variable, and releases to the server.
when SERVER_CONNECTED {
TCP::collect
}
when SERVER_DATA {
set datalen [TCP::offset]
log local0. "Data length is : $datalen"
set payloadlen [TCP::payload length]
log local0. "Payload length is : $payloadlen"
set payload [TCP::payload]
log local0. "Collected goods : $payload"
binary scan [TCP::payload] H$datalen var1
log local0. "TCP Collect found $var1"
TCP::release
}
Output:
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: Data length is : 1172
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: Payload length is : 1172
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: Collected goods : nÐC\xC0\x80 h$ \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x8000000SQL11014\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80 TESTDB \xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80U\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ì \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ACCTINT\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 TESTDB\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80 DB2ADMIN\xC0\x80\xC0\x80\xC0\x80ACCTINT\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80À ¸\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 ACCTCHAR\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 TESTDB\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80 DB2ADMIN\xC0\x80\xC0\x80\xC0\x80 ACCTCHAR\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80Á ¸\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 COMMENTS\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 TESTDB\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80 DB2ADMIN\xC0\x80\xC0\x80\xC0\x80 COMMENTS\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80‰ ¸\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 DT\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 TESTDB\xC0\x80
TBLACCOUNTS\xC0\x80\xC0
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: TCP Collect found 026ed0430001026824110000000000303030303053514c3131303134000000000000000000030000000700000000000000000000002020202020202020202020001254455354444220202020202020202020202000000000ff000100000000000000550001000000000000000000000000000400000000000800000000000000ec01000000000000000000000000000000000741434354494e5400000000000000000000ff000100000000000000000000000006544553544442000b54424c4143434f554e54530000000b54424c4143434f554e54530000000844423241444d494e0000000741434354494e54000000000000ff000000001400000000000000c00104b8000000000000000008000000000008414343544348415200000000000000000000ff000000000000000000000000000006544553544442000b54424c4143434f554e54530000000b54424c4143434f554e54530000000844423241444d494e000000084143435443484152000000000000ff000000000001000000000000c10104b8000000000000000008000000000008434f4d4d454e545300000000000000000000ff000000000000000000000000000006544553544442000b54424c41
/jeff
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com