Forum Discussion
Need iRule for logging all LDAPS requests to HSL Splunk
Hi DevCentral-
We have a VS for load balancing our Domain Controllers. I need an iRule to log all LDAPS requests coming in to the VS and send them to our HSL logging pool, which uses UDP port 514. Any h
4 Replies
- Dario_Garrido
Noctilucent
Here is some more info. I have this iRule set up on the VIP, which uses LDAPS (tcp/636) to connect to our pool of Domain Controllers:
when CLIENT_ACCEPTED {
    # Ask for client-side TCP data. No payload has arrived yet in this event,
    # so TCP::payload is empty here and has to be read in CLIENT_DATA.
    TCP::collect
    set hsl [HSL::open -proto UDP -pool syslogvip_pool]
    HSL::send $hsl "DCreqlogging Client connect from [IP::client_addr]:[TCP::client_port]"
}
when CLIENT_DATA {
    # Raw TCP bytes: on a tcp/636 VS with no client SSL profile this is still TLS ciphertext
    HSL::send $hsl "DCreqlogging TCP Payload [TCP::payload]"
    TCP::release
}
It is logging the client IP and port to the Splunk system, but I am not seeing anything in the TCP payload that is of use. It is encrypted. Is there any way I can log the LDAPS traffic so I can see all the fields like (User=Administrator) or any of the other fields in the LDAPS requests? Thanks.
- xuwen
Cumulonimbus
If SSL offload works on the BIG-IP (client-side SSL profile, client LDAP), you can use the CLIENTSSL_HANDSHAKE and CLIENTSSL_DATA iRule events to collect the decrypted payload:
when CLIENTSSL_HANDSHAKE {
    # log local0. "[IP::client_addr]:[TCP::client_port]: SSL handshake completed, collecting SSL payload"
    set hsl [HSL::open -proto UDP -pool syslogvip_pool]
    # Collect the next decrypted chunk from the client side of the TLS session
    SSL::collect
}
when CLIENTSSL_DATA {
    # log local0. "[IP::client_addr]:[TCP::client_port]: Collected bytes [SSL::payload length], releasing payload"
    # log local0. "\[SSL::payload\]: [SSL::payload]"
    HSL::send $hsl "DCreqlogging Client connect from [IP::client_addr]:[TCP::client_port]"
    # SSL::payload is the cleartext LDAP PDU(s); note SSL::collect only captures the
    # next chunk, so call it again here if later requests on the connection are wanted
    HSL::send $hsl "DCreqlogging SSL Payload [SSL::payload]"
    SSL::release
}
- Dario_Garrido
Noctilucent
Thanks xuwen. I tested with the local logging and it is showing the Bind DN of the LDAPS request. Just what we need.
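A caveat worth keeping in mind with the accepted approach: the decrypted SSL::payload of an LDAP simple bind carries the bind password in the clear right after the Bind DN, and HSL over UDP/514 ships it to the collector unencrypted. A safer pattern is to decode the PDU and log only the fields you want. The following is an added example, not code from this thread or from F5; it is a plain-Python BER decoder for the LDAPMessage/BindRequest structure (RFC 4511) that produces a syslog-style line with the message ID, operation, bind DN and auth mechanism while redacting the simple-bind credential, and it handles a payload that holds several PDUs or ends in a partial one (as a TCP or TLS record boundary can leave it). The sample messages, the client address and the "DCreqlogging" prefix are constructed here for illustration.

```python
"""
Decode the LDAP PDUs in a decrypted client-side payload and emit a
syslog-safe summary (message ID, operation, bind DN, auth method) with
the simple-bind password redacted.  Sample messages are constructed
below with a minimal BER encoder; this is not F5, Splunk or AD code.
"""

# protocolOp tag numbers (APPLICATION class) from RFC 4511
LDAP_OPS = {0: "bindRequest", 2: "unbindRequest", 3: "searchRequest",
            6: "modifyRequest", 8: "addRequest", 10: "delRequest",
            14: "compareRequest", 16: "abandonRequest", 23: "extendedReq"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER element at buf[pos:].
    LDAP uses single-byte tags; raise ValueError if the element is cut off."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                       # short-form length
        length = first
    else:                                  # long form: 0x8n then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length


def parse_bind(body):
    """BindRequest ::= { version INTEGER, name LDAPDN, authentication CHOICE }"""
    _, ver, p = read_tlv(body, 0)
    _, dn, p = read_tlv(body, p)
    tag, cred, _ = read_tlv(body, p)
    info = {"version": int.from_bytes(ver, "big", signed=True),
            "bind_dn": dn.decode("utf-8", "replace")}
    if tag == 0x80:                        # simple [0] OCTET STRING = the password
        info["auth"] = "simple"
        info["credential"] = "<redacted %d bytes>" % len(cred)
    elif tag == 0xA3:                      # sasl [3] { mechanism, credentials }
        _, mech, _ = read_tlv(cred, 0)
        info["auth"] = "sasl/" + mech.decode("ascii", "replace")
    else:
        info["auth"] = "unknown(0x%02x)" % tag
    return info


def summarize_payload(payload):
    """Walk every complete LDAPMessage in payload; flag a trailing partial one."""
    out, pos = [], 0
    while pos < len(payload):
        try:
            tag, msg, pos = read_tlv(payload, pos)
            if tag != 0x30:
                raise ValueError("not a SEQUENCE")
            _, mid, p = read_tlv(msg, 0)
            op_tag, op_body, _ = read_tlv(msg, p)
            if op_tag & 0xC0 != 0x40:      # protocolOp must be APPLICATION class
                raise ValueError("not an LDAP protocolOp")
            num = op_tag & 0x1F
            info = {"message_id": int.from_bytes(mid, "big", signed=True),
                    "op": LDAP_OPS.get(num, "application%d" % num)}
            if num == 0:
                info.update(parse_bind(op_body))
            out.append(info)
        except ValueError as err:
            out.append({"op": "partial", "reason": str(err)})
            break
    return out


def syslog_lines(client, payload):
    """One line per PDU, in the DCreqlogging style used in the thread."""
    return ["DCreqlogging client=%s %s"
            % (client, " ".join("%s=%s" % kv for kv in info.items()))
            for info in summarize_payload(payload)]


# --- minimal BER encoder, used only to construct the sample messages ---
def tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value

def ber_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def bind_simple(msg_id, dn, password):
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, op))

def bind_sasl(msg_id, dn, mech):
    op = ber_int(3) + tlv(0x04, dn.encode()) + tlv(0xA3, tlv(0x04, mech.encode()))
    return tlv(0x30, ber_int(msg_id) + tlv(0x60, op))

def unbind(msg_id):
    return tlv(0x30, ber_int(msg_id) + tlv(0x42, b""))

# Constructed sample payload: a simple bind (password inside!), an unbind,
# and a SASL bind cut off after 12 bytes as a segment boundary would leave it.
SAMPLE = (bind_simple(1, "cn=Administrator,cn=Users,dc=example,dc=com", "Passw0rd!")
          + unbind(2)
          + bind_sasl(3, "", "GSS-SPNEGO")[:12])

if __name__ == "__main__":
    for line in syslog_lines("10.0.0.5:51234", SAMPLE):
        print(line)
```

The same field selection can be done in the iRule itself with `binary scan` on SSL::payload before the HSL::send, but decoding it off-box first makes it easy to confirm which bytes of a bind you are about to forward and that the password never leaves the BIG-IP.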
