TLS Fingerprinting JA3 iRule Application: Rate limit and block malicious traffic based on TLS signature
Published Aug 04, 2020
Version 1.0
Thanks for the nice article. Just for information, why are there two data groups, "malicious_fingerprintdb" and "malicious_TLSfingerprintdb"? I think that this could be an error and the data group should be just one.
# Check if the fingerprint matches a known malicious fingerprint; if yes, drop the connection
if {[class match ${ja3_fingerprint} equals malicious_fingerprintdb]} {
    set malicious_fingerprint [class match -value ${ja3_fingerprint} equals malicious_TLSfingerprintdb]
    drop
    log local0. "known malicious fingerprint matched $malicious_fingerprint - Action:DROP!"
}