TLS Fingerprinting JA3 iRule Application: Rate limit and block malicious traffic based on TLS signature
In this article, we use the same techniques as some previous authors to enable a TLS fingerprinting iRule and proc that rate limit and block TLS clients based on generated TLS signatures.
Published Aug 04, 2020
Version 1.0
ArvinF
SIRT
I'm Arvin, Security Engineer with the F5SIRT
Nikoolayy1
MVP
Jun 22, 2021
Thanks for the nice article. Just for information, why are there two data groups, "malicious_fingerprintdb" and "malicious_TLSfingerprintdb"? I think that this could be an error and the data group should be just one.
# Check if the fingerprint matches a known malicious fingerprint; if yes, drop the connection
if {[class match ${ja3_fingerprint} equals malicious_fingerprintdb]} {
    # Look up the value stored for this fingerprint (read from a differently named data group)
    set malicious_fingerprint [class match -value ${ja3_fingerprint} equals malicious_TLSfingerprintdb]
    drop
    log local0. "known malicious fingerprint matched $malicious_fingerprint - Action:DROP!"
}