SSL 3.0 Client Tracker

Problem this snippet solves:

iRule to track and display information about traffic from SSL 3.0-only clients. Allows application administrators to assess the impact of disabling access to SSL 3.0-only clients using the BIG-IP.

The iRule logs and displays Source Address, Host header, User-Agent, SSL Cipher and Geolocation (Continent, Country, State)

How to use this snippet:

Enable this iRule on BIG-IP Virtual Server and then access "Magic" URL of "/ssl3lookup/" to display data.

Note that the iRule could be broken into parts so that accessing the data is only possible on an internal Virtual Server.

Code :

# iRule to maintain SSL3-only client information in memory
# For performance purposes, it only "records" client information based on client IP address as a "key" into table
# Rule also will not update information if request is from a client IP addresss that has used SSL3 within the timeout period
# Chad Jenison c.jenison at f5.com
 
when RULE_INIT {
    #set this value to value in seconds you want to keep ssl3clients in memory ; default is 3600 (1 hour)
    set static::ttl 3600
    set static::honorXffIfExists 1
    set static::xffHeaderName "X-Forwarded-For"
}
 
when HTTP_REQUEST {
  if {[SSL::cipher version] eq "SSLv3"}{
    if {$static::honorXffIfExists && [HTTP::header exists $static::xffHeaderName]} {
        set requestorip [HTTP::header value $static::xffHeaderName]
        log local0. "SSL3 connection from Proxy: [IP::client_addr] on behalf of [HTTP::header value $static::xffHeaderName] **Notify Proxy Admin"
    } else {
        set requestorip [IP::client_addr]
    }
    if {[table incr -subtable ssl3sourceIPs $requestorip] eq 1}{
        table timeout -subtable ssl3sourceIPs $requestorip $static::ttl
        table set "ssl3host$requestorip" [HTTP::header "Host"] $static::ttl
        table set "ssl3useragent$requestorip" [HTTP::header "User-Agent"] $static::ttl
        table set "sslcipher$requestorip" [SSL::cipher name] $static::ttl
        log local0. "SSL Cipher Used: [SSL::cipher name]"
    } else {
        table timeout -subtable ssl3sourceIPs $requestorip $static::ttl
        table timeout "ssl3host$requestorip" $static::ttl
        table timeout "ssl3useragent$requestorip" $static::ttl
        table timeout "sslcipher$requestorip" $static::ttl
    }
  }
  if {[HTTP::uri] starts_with "/ssl3lookup/"}{
     set ssl3clienttable ""
     foreach clientip [table keys -subtable ssl3sourceIPs] {
        append ssl3clienttable ""
     }
     append ssl3clienttable "Source IP Host Header User-Agent Geolocation SSL Cipher Used HTTP Requests
$clientip [table lookup "ssl3host$clientip"] [table lookup "ssl3useragent$clientip"] [table lookup "sslcipher$clientip"] [whereis $clientip continent]:[whereis $clientip country]:[whereis $clientip state] [table lookup -subtable ssl3sourceIPs $clientip]"
     HTTP::respond 200 content "SSL3 Client Table$ssl3clienttable"
     log local0. "Got Magic Request"
  }
}

Source IP	Host Header	User-Agent	Geolocation	SSL Cipher Used	HTTP Requests
$clientip	[table lookup "ssl3host$clientip"]	[table lookup "ssl3useragent$clientip"]	[table lookup "sslcipher$clientip"]	[whereis $clientip continent]:[whereis $clientip country]:[whereis $clientip state]	[table lookup -subtable ssl3sourceIPs $clientip]

Tested this on version:

11.6

Published Aug 25, 2015

Version 1.0