Forum Discussion

Nimbostratus

Nov 19, 2015

SSL Cipher (reporting, graphing, logging)

We are in the process of disabling weaker Cipher strengths on our https servers, I wondered if anyone has any experience of getting the F5 to log and report on the Cipher strength that each browser s...

Nimbostratus

Apr 17, 2018

@Kevin Stewart I tried to use the rule which you mentioned. I was unable to get the content type as 22 in the payload. Not sure why. I extracted all the bytes from the payload nothing made sense to me. Here is what it logs: Type == 72 84 84 80 47 49 46 49 32 50 48 ..... 125 125

Here is the part of the rule modified:

when SERVER_DATA {

binary scan [TCP::payload] c* type log local0. "Type == $type "

Kevin_Stewart

Employee

Apr 17, 2018

Well,

c* would give you all of the bytes, and you only need the first one
72 probably indicate that you're not looking at part of the TLS handshake. In fact, if you decode that hex string, it starts with „„€"GIFI2PH", which looks like (I'm assuming) a plaintext image response.

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)