SSL 3.0 Client Tracker
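Problem this snippet solves: iRule to track and display information about traffic from SSL 3.0-only clients. Allows application administrators to assess the impact of disabling access to SSL 3.0-only clients using the BIG-IP. The iRule logs and displays Source Address, Host header, User-Agent, SSL Cipher and Geolocation (Continent, Country, State)
How to use this snippet: Enable this iRule on BIG-IP Virtual Server and then access "Magic" URL of "/ssl3lookup/" to display data. Note that the iRule could be broken into parts so that accessing the data is only possible on an internal Virtual Server.
Code :
# iRule to maintain SSL3-only client information in memory.
# For performance purposes it only "records" client information once per client IP address,
# which is used as the key into the session table; later requests from an IP address that has
# used SSL3 within the timeout period only refresh the timeouts and bump the request counter.
# Chad Jenison c.jenison at f5.com
#
# Operator notes:
#  - The client-supplied Host and User-Agent headers are stored verbatim and later rendered on
#    the "/ssl3lookup/" page, so they are HTML-escaped at render time (stored XSS otherwise).
#  - With static::honorXffIfExists set, the table key is taken from X-Forwarded-For, which any
#    client can send; a client can therefore choose the address it is recorded under and create
#    many table entries. Only honor it behind a proxy that overwrites that header.
#  - The lookup URL has no authentication; set static::lookupEnabled to 0 on Internet-facing
#    Virtual Servers and serve the report from an internal Virtual Server instead.
#  - NOTE(review): the report markup (table/row/cell tags) appears to have been stripped when
#    this page was captured; the literal strings below are reproduced as shown on the page.
when RULE_INIT {
    # Seconds to keep an SSL3 client in memory; default is 3600 (1 hour).
    set static::ttl 3600
    # Use X-Forwarded-For as the client address when present (see operator notes above).
    set static::honorXffIfExists 1
    set static::xffHeaderName "X-Forwarded-For"
    # Serve the "/ssl3lookup/" report from this Virtual Server (1) or ignore such requests (0).
    set static::lookupEnabled 1
    # string map applied to every recorded header value before it is placed in the report.
    set static::htmlEscapeMap {& &amp; < &lt; > &gt; \" &quot; ' &#39;}
}
when HTTP_REQUEST {
    if {[SSL::cipher version] eq "SSLv3"}{
        if {$static::honorXffIfExists && [HTTP::header exists $static::xffHeaderName]} {
            # X-Forwarded-For may be a comma-separated chain; the first element is the
            # originating client. Trimming keeps the value usable as a table key and as an
            # argument to whereis.
            set xffValue [HTTP::header value $static::xffHeaderName]
            set requestorip [string trim [lindex [split $xffValue ","] 0]]
            if {$requestorip eq ""} {
                # Empty or malformed header: fall back to the TCP peer address.
                set requestorip [IP::client_addr]
            }
            log local0. "SSL3 connection from Proxy: [IP::client_addr] on behalf of $xffValue **Notify Proxy Admin"
        } else {
            set requestorip [IP::client_addr]
        }
        # First request from this address within the ttl window: record its details.
        if {[table incr -subtable ssl3sourceIPs $requestorip] eq 1}{
            table timeout -subtable ssl3sourceIPs $requestorip $static::ttl
            table set "ssl3host$requestorip" [HTTP::header "Host"] $static::ttl
            table set "ssl3useragent$requestorip" [HTTP::header "User-Agent"] $static::ttl
            table set "sslcipher$requestorip" [SSL::cipher name] $static::ttl
            log local0. "SSL Cipher Used: [SSL::cipher name]"
        } else {
            # Already recorded: keep the counter and the detail entries alive for another ttl.
            table timeout -subtable ssl3sourceIPs $requestorip $static::ttl
            table timeout "ssl3host$requestorip" $static::ttl
            table timeout "ssl3useragent$requestorip" $static::ttl
            table timeout "sslcipher$requestorip" $static::ttl
        }
    }
    if {$static::lookupEnabled && [HTTP::uri] starts_with "/ssl3lookup/"}{
        set ssl3clienttable " Source IP Host Header User-Agent Geolocation SSL Cipher Used HTTP Requests "
        foreach clientip [table keys -subtable ssl3sourceIPs] {
            # Header values are client-controlled; escape them before they reach the page.
            set hostValue [string map $static::htmlEscapeMap [table lookup "ssl3host$clientip"]]
            set uaValue [string map $static::htmlEscapeMap [table lookup "ssl3useragent$clientip"]]
            set cipherValue [table lookup "sslcipher$clientip"]
            # whereis raises a Tcl error for an unparseable address (possible when the key came
            # from X-Forwarded-For); report "unknown" rather than aborting the whole page.
            if {[catch {set geoValue "[whereis $clientip continent]:[whereis $clientip country]:[whereis $clientip state]"}]} {
                set geoValue "unknown"
            }
            append ssl3clienttable " $clientip $hostValue $uaValue $cipherValue $geoValue [table lookup -subtable ssl3sourceIPs $clientip] "
        }
        append ssl3clienttable " "
        HTTP::respond 200 content " SSL3 Client Table $ssl3clienttable"
        log local0. "Got Magic Request"
    }
}
Tested this on version: 11.6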