Forum Discussion

msmith1356_2932
Jun 05, 2017

Log all TLS v1.0 Connections

I'm looking for an iRule to log all TLS v1.0 connections to a remote logging server.

I'd like to include in the logs the external client IP, VIP, and time.

I'm very new to scripting, so any help would be GREATLY appreciated!

6 Replies

  • Hello,

    You can use that code:

    when HTTP_REQUEST {
        # SSL::cipher version returns the negotiated protocol; "TLSv1" means TLS 1.0
        if {[SSL::cipher version] equals "TLSv1"} {
            # High-speed logging (HSL) to the remote syslog pool over UDP
            set hsl [HSL::open -proto UDP -pool syslog_server_pool]
            set time [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %Z"]
            # <190> is the syslog priority (facility local7, severity info)
            HSL::send $hsl "<190> TLSv1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
        }
    }

    You will need to create a pool named "syslog_server_pool" and add your remote log server to it. You can change the pool name of course, but it has to match the name used in the iRule.

    The output should look like this:

    Msg: TLSv1 Request Detected: Time = 06/Jun/2017:19:08:05 EEST, Client IP:Port = 10.10.10.100:58978, F5 VIP:Port = 10.10.10.20:443

  • Does this break down connections by TLS1.0/1.1/1.2 or lumps all into TLSv1 Requests without specifying the specific versions?

    •
      jaikumar_f5

      Hi Dwcoffin,

      If you check the article "Categorize SSL traffic by version, display as graph", it does break it down with all versions.

      If you are looking for an iRule for remote logging of all versions:

      when HTTP_REQUEST {
          # Open the HSL connection once per request, then log whichever version was negotiated
          set hsl [HSL::open -proto UDP -pool syslog_server_pool]
          set time [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %Z"]
          if {[SSL::cipher version] equals "TLSv1"} {
              HSL::send $hsl "TLSv1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
          }
          if {[SSL::cipher version] equals "TLSv1.1"} {
              HSL::send $hsl "TLSv1.1 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
          }
          if {[SSL::cipher version] equals "TLSv1.2"} {
              HSL::send $hsl "TLSv1.2 Request Detected: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [clientside {IP::local_addr}]:[clientside {TCP::local_port}]"
          }
      }

    •
      dwcoffin_370357

      We have implemented this iRule. It is working as expected. Thank you! Request information to include encrypted connections made on non-standard ports (not port 443) please.
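An added example, not posted by anyone in this thread, showing the same logging done on the CLIENTSSL_HANDSHAKE event instead of HTTP_REQUEST. That event fires for every successful client-side handshake on a virtual server with a client SSL profile, regardless of port or whether an HTTP profile is attached, so it also covers the non-standard-port case asked about in the last reply, and it logs once per connection rather than once per request. It assumes a pool named syslog_server_pool, as in the replies above.

```tcl
# Added example (not from this thread). Logs the negotiated TLS version for
# every client-side handshake, on any port, to the remote syslog pool.
# Assumes a pool named syslog_server_pool holding the remote log server.
when CLIENTSSL_HANDSHAKE {
    # Negotiated protocol as reported by the client SSL profile,
    # e.g. "TLSv1" (TLS 1.0), "TLSv1.1", "TLSv1.2"
    set tls_version [SSL::cipher version]

    # Only report the legacy versions; edit this list to widen or narrow it.
    # Leave the list empty-check style as is: lsearch returns -1 when not found.
    if { [lsearch -exact {SSLv3 TLSv1 TLSv1.1} $tls_version] < 0 } {
        return
    }

    # High-speed logging to the remote syslog pool over UDP
    set hsl [HSL::open -proto UDP -pool syslog_server_pool]
    set time [clock format [clock seconds] -format "%d/%b/%Y:%H:%M:%S %Z"]

    # CLIENTSSL_HANDSHAKE runs in client-side context, so IP::local_addr and
    # TCP::local_port already refer to the VIP without a clientside {} wrapper.
    # [virtual name] adds the virtual server name so logs from several VIPs
    # (including ones on ports other than 443) can be told apart.
    # <190> = syslog priority for facility local7, severity info.
    HSL::send $hsl "<190> $tls_version handshake: Time = $time, Client IP:Port = [IP::client_addr]:[TCP::client_port], F5 VIP:Port = [IP::local_addr]:[TCP::local_port], VS = [virtual name], Cipher = [SSL::cipher name]"
}
```

Because this fires before any HTTP traffic, it also records clients that negotiate TLS 1.0 and then send nothing, which the HTTP_REQUEST versions above would miss.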