Thursday, January 4, 2024

F5 SSL traffic capture and decrypt - iRule

To capture SSL traffic on a virtual server and decrypt it afterwards, we can use the iRule below.

First create the iRule and save it, for example as SSL_Decrypt_iRule:

# Log the TLS session ID and master secret of every handshake, on the
# client side (client <-> BIG-IP) and on the server side (BIG-IP <-> pool member).
when CLIENTSSL_HANDSHAKE {
    log local0. "Client Side [IP::client_addr]:[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}
when SERVERSSL_HANDSHAKE {
    log local0. "Server Side [IP::client_addr]:[TCP::client_port] :: RSA Session-ID:[SSL::sessionid] Master-Key:[SSL::sessionsecret]"
}
Attach this to the VIP for the duration of the test. Don't forget to remove it afterwards, or it will keep writing session IDs and master keys to the log file.

After the packet capture is complete, run the command below from the CLI to extract the session keys into a pms file:

sed -e 's/^.*\(RSA Session-ID\)/\1/;tx;d;:x' /var/log/ltm > /var/tmp/problem.pms

Now open the pcap in Wireshark, load the pms file as the (pre-)master secret log, and the requests decrypt.
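As an added example (not part of the original post), the following Python does the same extraction as the sed one-liner but de-duplicates resumed sessions and reports entries that Wireshark could not use, such as a truncated master key or an empty session ID. The log lines, prefix and script name are constructed for the example; the hex values are not real keys.

```python
import re
import sys

# Tail of an ltm log line written by the iRule above: the TLS session ID
# (up to 32 bytes) and the 48-byte master secret, both logged as hex.
KEY_RE = re.compile(
    r"RSA Session-ID:(?P<sid>[0-9a-fA-F]*) Master-Key:(?P<key>[0-9a-fA-F]*)\s*$"
)

# Constructed sample of /var/log/ltm content (assumed syslog prefix, fake keys).
PFX = "Jan  4 10:00:01 bigip1 info tmm[1]: Rule /Common/SSL_Decrypt_iRule "

def _line(event: str, sid: str, key: str) -> str:
    return f"{PFX}<{event}>: RSA Session-ID:{sid} Master-Key:{key}"

SAMPLE_LOG = "\n".join([
    _line("CLIENTSSL_HANDSHAKE", "ab" * 32, "01" * 48),  # client-side session
    _line("SERVERSSL_HANDSHAKE", "cd" * 32, "02" * 48),  # server-side session
    _line("CLIENTSSL_HANDSHAKE", "ab" * 32, "01" * 48),  # resumption: same secret
    _line("CLIENTSSL_HANDSHAKE", "ef" * 32, "03" * 20),  # truncated master key
    "Jan  4 10:00:10 bigip1 notice mcpd[2]: unrelated line",
])

def extract_pms_entries(log_text: str) -> tuple[list[str], list[str]]:
    """Return (Wireshark key-log lines, rejected log lines).

    Resumed sessions log the same session ID and secret again, so entries are
    de-duplicated on session ID. A master key that is not 48 bytes or an empty
    session ID (ticket resumption) cannot be matched to the capture, so those
    lines are reported instead of written.
    """
    seen: dict[str, str] = {}
    rejected: list[str] = []
    for line in log_text.splitlines():
        m = KEY_RE.search(line)
        if not m:
            continue
        sid, key = m.group("sid").lower(), m.group("key").lower()
        if not sid or len(sid) > 64 or len(sid) % 2 or len(key) != 96:
            rejected.append(line)
            continue
        seen.setdefault(sid, f"RSA Session-ID:{sid} Master-Key:{key}")
    return list(seen.values()), rejected

if __name__ == "__main__":
    # Usage: python3 ltm_to_pms.py /var/log/ltm > /var/tmp/problem.pms
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    good, bad = extract_pms_entries(text)
    print("\n".join(good))
```

Run against the real /var/log/ltm, it writes the same pms file the sed one-liner produces, minus duplicates and unusable entries.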

Extract F5 ASM attack signature rule

For troubleshooting only: if you need to extract the ASM signature rules, run the command below from the CLI on a device that is not heavily used, or after hours, since it is process intensive.

# The backticked perl fetches the asm database password; the query dumps the signature sets and signatures to a file.
mysql -uasm -p`perl -I/ts/packages -MF5::Cfg -e 'print F5::Cfg::get_mysql_password()'` PLC -e "select PLC.NEGSIG_SETS.set_name, PLC.NEGSIG_SETS.set_id, PLC.NEGSIG_SIGNATURES.sig_id, PLC.NEGSIG_SIGNATURES.sig_name, PLC.NEGSIG_SIGNATURES.rule from PLC.NEGSIG_SETS, PLC.NEGSIG_SIGNATURES order by set_name, sig_id;" > /var/tmp/unit1_sig_sets.out