For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

TLS Fingerprinting JA3 iRule Application: Rate limit and block malicious traffic based on TLS signature

In this article, we use the same techniques, as some previous authors, to enable a TLS Fingerprinting iRule and proc to rate limit and block TLS clients based on generated TLS signatures. Related ...
Published Aug 04, 2020
Version 1.0
application delivery
f5 sirt
fingerprinting
iRules
JA3
security
tls
Nikoolayy1's avatar
Nikoolayy1
Icon for MVP rankMVP
Jun 22, 2021

Thanks for the nice article just for information why are two data groups "malicious_fingerprintdb" and "malicious_TLSfingerprintdb" ? I think that this could be an error and the data group should be just one.

 

#check if fingerprint matches a known malicious fingerprint, if yes, drop connection

if {[class match ${ja3_fingerprint} equals malicious_fingerprintdb]}{

set malicious_fingerprint [class match -value ${ja3_fingerprint} equals malicious_TLSfingerprintdb]

drop

log local0. "known malicious fingerprint matched $malicious_fingerprint - Action:DROP!"