TLS Fingerprinting JA3 iRule Application: Rate limit and block malicious traffic based on TLS signature
In this article, we use the same techniques as some previous authors to enable a TLS Fingerprinting iRule and proc that rate limit and block TLS clients based on generated TLS signatures.
Published Aug 04, 2020
Version 1.0
ArvinF
SIRT
Joined May 23, 2019
Nikoolayy1
Jun 22, 2021
MVP
Thanks for the nice article. Just for information, why are there two data groups, "malicious_fingerprintdb" and "malicious_TLSfingerprintdb"? I think that this could be an error and the data group should be just one.
# check if fingerprint matches a known malicious fingerprint, if yes, drop connection
if {[class match ${ja3_fingerprint} equals malicious_fingerprintdb]} {
    set malicious_fingerprint [class match -value ${ja3_fingerprint} equals malicious_TLSfingerprintdb]
    drop
    log local0. "known malicious fingerprint matched $malicious_fingerprint - Action:DROP!"
}
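A lint for the mismatch raised in the comment above, as an added example (not code from the article or the commenter): it extracts every data group named in an iRule's `class match`, `class search` and `class lookup` commands and flags names that are not among the data groups defined on the device. The function names are hypothetical, and `DEFINED_GROUPS` is a constructed assumption that only one of the two data groups exists.

```python
import difflib
import re

# `class match|search|lookup <args>` up to the closing bracket or end of line.
CLASS_CMD = re.compile(r"\bclass\s+(?:match|search|lookup)\s+([^\]\n]+)")

# Snippet from the comment above, embedded so the check runs offline.
SAMPLE_IRULE = """\
#check if fingerprint matches a known malicious fingerprint, if yes, drop connection
if {[class match ${ja3_fingerprint} equals malicious_fingerprintdb]} {
    set malicious_fingerprint [class match -value ${ja3_fingerprint} equals malicious_TLSfingerprintdb]
    drop
    log local0. "known malicious fingerprint matched $malicious_fingerprint - Action:DROP!"
}
"""
# Constructed assumption: the only data group actually created on the device.
DEFINED_GROUPS = {"malicious_fingerprintdb"}


def referenced_data_groups(irule_text):
    """Map each data group named in a class command to the lines that use it."""
    refs = {}
    for lineno, line in enumerate(irule_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # Tcl comment line
        for m in CLASS_CMD.finditer(line):
            # Drop option flags such as -value; the data group is the last argument.
            args = [a for a in m.group(1).split() if not a.startswith("-")]
            if args:
                refs.setdefault(args[-1].strip('{}"'), []).append(lineno)
    return refs


def audit(irule_text, defined_groups):
    """Return (undefined, unused); undefined holds (name, lines, closest defined name)."""
    refs = referenced_data_groups(irule_text)
    undefined = []
    for name in sorted(set(refs) - set(defined_groups)):
        close = difflib.get_close_matches(name, sorted(defined_groups), n=1)
        undefined.append((name, refs[name], close[0] if close else None))
    unused = sorted(set(defined_groups) - set(refs))
    return undefined, unused


if __name__ == "__main__":
    for name, lines, hint in audit(SAMPLE_IRULE, DEFINED_GROUPS)[0]:
        print(f"undefined data group {name!r} on line(s) {lines}; did you mean {hint!r}?")
```

Running the same audit over every iRule before deployment catches a fingerprint list that is populated under one name while the rule reads from another.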