
SSL 3.0 Client Tracker

Problem this snippet solves:

iRule to track and display information about traffic from SSL 3.0-only clients. It lets application administrators assess the impact of disabling SSL 3.0 on the BIG-IP (for example in the client SSL profile) before actually turning it off.

For each SSL 3.0 client the iRule logs and displays the Source Address, Host header, User-Agent, SSL cipher, Geolocation (Continent, Country, State) and the number of HTTP requests seen within the timeout period.

How to use this snippet:

Apply this iRule to a BIG-IP Virtual Server that has a client SSL profile (SSL::cipher only works where the BIG-IP terminates SSL/TLS), then request the "magic" URL "/ssl3lookup/" on that Virtual Server to display the collected data.

Note that the iRule could be broken into two parts (collection on the public Virtual Server, display on an internal one; the session table is shared across iRules on the same BIG-IP) so that the report is only reachable from an internal Virtual Server. Two caveats for production use: the report embeds client-supplied Host and User-Agent values, so they must be HTML-escaped before being written into the page, and with honorXffIfExists set to 1 any client that can reach the Virtual Server directly can forge X-Forwarded-For and create arbitrary table entries. Only honor that header when every upstream proxy is trusted, or leave it at 0.

Code :

# iRule to maintain SSL3-only client information in memory
# For performance purposes, it only "records" client information using the client IP address as a "key" into a session table
# The rule will not update the recorded details if the request is from a client IP address that has used SSL3 within the timeout period
# Chad Jenison c.jenison at f5.com
 
when RULE_INIT {
    # number of seconds to keep ssl3 clients in memory; default is 3600 (1 hour)
    set static::ttl 3600
    # honor X-Forwarded-For if present; only safe when every upstream proxy is trusted
    set static::honorXffIfExists 1
    set static::xffHeaderName "X-Forwarded-For"
}
 
when HTTP_REQUEST {
    if { [SSL::cipher version] eq "SSLv3" } {
        if { $static::honorXffIfExists && [HTTP::header exists $static::xffHeaderName] } {
            # XFF may carry a comma-separated proxy chain; the first entry is the originating client
            set requestorip [string trim [lindex [split [HTTP::header value $static::xffHeaderName] ","] 0]]
            log local0. "SSL3 connection from Proxy: [IP::client_addr] on behalf of $requestorip **Notify Proxy Admin"
        } else {
            set requestorip [IP::client_addr]
        }
        # table incr returns the new counter value; 1 means first sighting within the TTL
        if { [table incr -subtable ssl3sourceIPs $requestorip] == 1 } {
            table timeout -subtable ssl3sourceIPs $requestorip $static::ttl
            table set "ssl3host$requestorip" [HTTP::header "Host"] $static::ttl
            table set "ssl3useragent$requestorip" [HTTP::header "User-Agent"] $static::ttl
            table set "sslcipher$requestorip" [SSL::cipher name] $static::ttl
            log local0. "SSL Cipher Used: [SSL::cipher name]"
        } else {
            # repeat sighting: the request counter was already incremented, only refresh the timeouts
            table timeout -subtable ssl3sourceIPs $requestorip $static::ttl
            table timeout "ssl3host$requestorip" $static::ttl
            table timeout "ssl3useragent$requestorip" $static::ttl
            table timeout "sslcipher$requestorip" $static::ttl
        }
    }
    if { [HTTP::uri] starts_with "/ssl3lookup/" } {
        # Host, User-Agent and (with XFF honored) the key itself are client-controlled; escape them before embedding in HTML
        set esc [list "&" "&amp;" "<" "&lt;" ">" "&gt;" "\"" "&quot;"]
        set ssl3clienttable "<table border=\"1\"><tr><th>Source IP</th><th>Host Header</th><th>User-Agent</th><th>Geolocation</th><th>SSL Cipher Used</th><th>HTTP Requests</th></tr>"
        foreach clientip [table keys -subtable ssl3sourceIPs] {
            # whereis throws on a malformed address (possible when the key came from a forged XFF header)
            if { [catch { set geo "[whereis $clientip continent]:[whereis $clientip country]:[whereis $clientip state]" }] } {
                set geo "unknown"
            }
            append ssl3clienttable "<tr><td>[string map $esc $clientip]</td>"
            append ssl3clienttable "<td>[string map $esc [table lookup "ssl3host$clientip"]]</td>"
            append ssl3clienttable "<td>[string map $esc [table lookup "ssl3useragent$clientip"]]</td>"
            append ssl3clienttable "<td>$geo</td>"
            append ssl3clienttable "<td>[table lookup "sslcipher$clientip"]</td>"
            append ssl3clienttable "<td>[table lookup -subtable ssl3sourceIPs $clientip]</td></tr>"
        }
        append ssl3clienttable "</table>"
        HTTP::respond 200 content "<html><body><h1>SSL3 Client Table</h1>$ssl3clienttable</body></html>" "Content-Type" "text/html"
        log local0. "Got Magic Request"
    }
}
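Once the table shows which clients still depend on SSL 3.0 and the protocol is switched off on the Virtual Server, the administrator usually wants to confirm that the BIG-IP no longer negotiates it. The following probe is an added example and not part of the original iRule or F5's code: it builds a minimal SSL 3.0 ClientHello by hand (modern OpenSSL builds no longer offer -ssl3) and classifies the first record the server sends back. A ServerHello with version 3.0 means SSL 3.0 is still accepted; an alert means it was refused. The cipher-suite list and the alert names are assumptions chosen for a typical legacy client; the sample ServerHello and alert bytes used below are constructed. Note that the probe only completes the ClientHello, so it will not itself create an entry in the tracker table, which needs a full handshake followed by an HTTP request.

```python
import os
import socket
import struct

# Cipher suites a legacy SSL 3.0 client typically offers (IANA values; constructed list, not from the page)
SSLV3_CIPHER_SUITES = [0x0035, 0x002F, 0x000A, 0x0005, 0x0004]

# Alert descriptions a server commonly uses to refuse an unsupported version
ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_sslv3_client_hello(client_random=None):
    """Return a complete SSL 3.0 ClientHello record (SSL 3.0 has no extensions)."""
    if client_random is None:
        client_random = os.urandom(32)
    if len(client_random) != 32:
        raise ValueError("client_random must be 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in SSLV3_CIPHER_SUITES)
    body = (
        b"\x03\x00"                                  # client_version = 3.0 (SSL 3.0)
        + client_random
        + b"\x00"                                    # session_id length = 0
        + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
        + b"\x01\x00"                                # one compression method: null
    )
    # Handshake header: HandshakeType client_hello(1), 24-bit length
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    # Record header: ContentType handshake(22), version 3.0, 16-bit length
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def classify_server_response(data):
    """Classify the first TLS/SSL record returned after an SSL 3.0 ClientHello."""
    if len(data) < 5:
        return "other"
    content_type = data[0]
    if content_type == 0x15 and len(data) >= 7:          # alert record: level, description
        desc = data[6]
        return "rejected-alert:%s(%d)" % (ALERT_DESCRIPTIONS.get(desc, "unknown"), desc)
    if content_type == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake, ServerHello
        server_version = data[9:11]                       # bytes after the 4-byte handshake header
        if server_version == b"\x03\x00":
            return "sslv3-accepted"
        return "other-version:%02x%02x" % (server_version[0], server_version[1])
    return "other"


def probe_sslv3(host, port=443, timeout=5.0):
    """Send the ClientHello to a live Virtual Server and classify its reply (needs network access)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        return classify_server_response(sock.recv(4096))


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe_sslv3(target))
```

Run it against the Virtual Server before and after the change: `sslv3-accepted` before, `rejected-alert:...` afterwards. Because the probe stops after the ClientHello, the BIG-IP's own logs will show a failed handshake rather than a tracked client.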

Tested this on version:

11.6
Published Aug 25, 2015
Version 1.0

1 Comment

    David_Holmes_12
    Historic F5 Account
    I just posted a similar iRule (didn't know about yours). We should combine them or something!