Looking for options - iRule, Traffic Policy, or Other to Protect PAN Data on Database VS
Jason, thank you for the quick response. Question: being that this is a database, i.e. a standard TCP VS, would ASM be able to inspect this, being that it is not HTTP?
/jeff
Jason, thank you for the response and leads here. The article you wrote on what you did with TCP::collect/binary scan for SSL was spot on to give me a framework to model. At this point I have more questions than answers :) That said, I'm in a collect and see mode. The idea being to understand the data between Wireshark and local log. I will admit that what appears to be UTF-8 encoding when logging the TCP::payload to local log is throwing me off a bit.
Below is the current rule; however it is only firing when the database is first connected. So I'm not seeing when the actual data is queried. Feel free to let me know how far off or on track I am here.
Current iRule:
Collects Data on Server Connect, Extracts Data Length/Payload Length/Payload to local log. It does a Binary Scan using Data length, inserts into variable, and releases to the server.
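when SERVER_CONNECTED {
    # Start collecting server-side data once the server connection is up
    TCP::collect
}
when SERVER_DATA {
    # Bytes currently held by TCP::collect
    set datalen [TCP::offset]
    log local0. "Data length is : $datalen"
    set payloadlen [TCP::payload length]
    log local0. "Payload length is : $payloadlen"
    # Raw payload; binary bytes are logged as-is
    set payload [TCP::payload]
    log local0. "Collected goods : $payload"
    # Hex-encode the payload; the H count is in hex digits, not bytes
    binary scan [TCP::payload] H$datalen var1
    log local0. "TCP Collect found $var1"
    # Release the collected data
    TCP::release
}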
Output:
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: Data length is : 1172
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: Payload length is : 1172
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: Collected goods : nÐC\xC0\x80 h$ \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x8000000SQL11014\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80 TESTDB \xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80U\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ì \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ACCTINT\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 TESTDB\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80 DB2ADMIN\xC0\x80\xC0\x80\xC0\x80ACCTINT\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80À ¸\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 ACCTCHAR\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 TESTDB\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80 DB2ADMIN\xC0\x80\xC0\x80\xC0\x80 ACCTCHAR\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80Á ¸\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 COMMENTS\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 TESTDB\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80
TBLACCOUNTS\xC0\x80\xC0\x80\xC0\x80 DB2ADMIN\xC0\x80\xC0\x80\xC0\x80 COMMENTS\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80 \xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80‰ ¸\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 DT\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80ÿ\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80\xC0\x80 TESTDB\xC0\x80
TBLACCOUNTS\xC0\x80\xC0
Jul 15 00:56:02 DEV-VE-1 tmm[64878]: Rule /DB/DB-TCP-Collect-iRule <SERVER_DATA>: TCP Collect found 026ed0430001026824110000000000303030303053514c3131303134000000000000000000030000000700000000000000000000002020202020202020202020001254455354444220202020202020202020202000000000ff000100000000000000550001000000000000000000000000000400000000000800000000000000ec01000000000000000000000000000000000741434354494e5400000000000000000000ff000100000000000000000000000006544553544442000b54424c4143434f554e54530000000b54424c4143434f554e54530000000844423241444d494e0000000741434354494e54000000000000ff000000001400000000000000c00104b8000000000000000008000000000008414343544348415200000000000000000000ff000000000000000000000000000006544553544442000b54424c4143434f554e54530000000b54424c4143434f554e54530000000844423241444d494e000000084143435443484152000000000000ff000000000001000000000000c10104b8000000000000000008000000000008434f4d4d454e545300000000000000000000ff000000000000000000000000000006544553544442000b54424c41
/jeff
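An offline way to line the local log up with the payload bytes, as an added example that is not part of the original post: it decodes the first bytes of the logged hex string, counts the bytes that the log renders as \xC0\x80 or as accented characters, and scans a payload for Luhn-valid digit runs. The function names and the SAMPLE payload are constructed for illustration, and the scan assumes the PAN travels as ASCII digits.

```python
import re

# First bytes of the "TCP Collect found" hex string in the log above (copied from the post).
LOGGED_HEX = "026ed0430001026824110000000000303030303053514c3131303134"

# Constructed sample: length-prefixed names as seen in the logged hex, followed by
# a well-known test card number and a 16-digit run that fails the Luhn check.
SAMPLE = (b"\x06TESTDB\x00\x0bTBLACCOUNTS\x00\x00\x00"
          b"\x104111111111111111\x00\x00\x101234567890123456\x00")

def printable_runs(raw: bytes, min_len: int = 4) -> list[str]:
    """ASCII strings of at least min_len bytes, like `strings` on a capture."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, raw)]

def log_artifacts(raw: bytes) -> dict[str, int]:
    """Bytes that look odd in the local log: 0x00 appears as the pair C0 80,
    and bytes >= 0x80 appear as accented characters (0xD0 shows as 'Ð')."""
    return {"nul_bytes": raw.count(0), "high_bytes": sum(b >= 0x80 for b in raw)}

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def pan_candidates(raw: bytes) -> list[tuple[int, str]]:
    """(offset, masked value) for each 13-19 digit ASCII run that passes Luhn."""
    hits = []
    for m in re.finditer(rb"(?<![0-9])[0-9]{13,19}(?![0-9])", raw):
        digits = m.group().decode("ascii")
        if luhn_ok(digits):
            masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
            hits.append((m.start(), masked))
    return hits

if __name__ == "__main__":
    logged = bytes.fromhex(LOGGED_HEX)
    print(log_artifacts(logged), printable_runs(logged))
    print(printable_runs(SAMPLE))
    print(pan_candidates(SAMPLE))
```

Only the masked value is returned, so the script's own output does not reproduce full card numbers.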