US10536439B2 · US · B2
| Field | Value |
|---|---|
| Publication number | US-10536439-B2 |
| Application number | US-201715589220-A |
| Country | US |
| Kind code | B2 |
| Filing date | May 8, 2017 |
| Priority date | May 8, 2017 |
| Publication date | Jan 14, 2020 |
| Grant date | Jan 14, 2020 |
Official abstract text for this publication.
Client fingerprints can be used to detect and defend against malware and hacking into information systems more effectively than using IP addresses. A unique client fingerprint can be based on data found in the client's SSL client hello packet. SSL version, cipher suites, and other fields of the packet can be utilized, preferably utilizing individual field values in the order in which they appear in the packet. The ordered values are converted to decimal values, separated by delimiters, and concatenated to form an identifier string. The identifier string may be mapped, preferably by a hash function, to form the client fingerprint. The client fingerprint may be logged, and whitelists and blacklists may be formed using client fingerprints so formed.
Opening claim text (preview).
The invention claimed is:
1. A computer-implemented method for a database system, comprising: monitoring packet data traffic on a network connection to the database system, to detect a Client Hello packet (CHP) received from a client entity over the network; analyzing the CHP by extracting selected data from the CHP, wherein the selected data comprises a set of fields in the CHP, each of the fields containing zero or more hex values; extracting selected data from the CHP; processing the selected data to form an SSL client identifier string; applying a selected hash function to the SSL client identifier string to form an SSL client fingerprint that is based on an order of data in the set of fields; and logging the SSL client fingerprint in a database, wherein processing the selected data includes: for each of the set of fields, converting each of the hex values into a corresponding decimal value, selectively inserting a value delimiter between the decimal values, and concatenating the decimal values and the value delimiters in an order in which the values appear in the field, to form a field result string; and concatenating the field result strings to form the SSL client identifier string.
2. The method of claim 1 wherein concatenating the field result strings includes arranging the field results in a sequence based on an order in which the fields are listed in the CHP, and inserting a predetermined field delimiter after each field result string prior to concatenating the field result strings.
3. The method of claim 2 wherein the selected data fields comprise: an SSL Version field, a cipher suite field, and an extension field.
4. The method of claim 3 wherein the fields further comprise an elliptic curve field.
5. The method of claim 1 wherein processing the extracted data further includes inserting a field delimiter after each field in the SSL client identifier string; and concatenating the fields and the field delimiters to form the SSL client identifier string.
6. The method of claim 5 wherein processing the extracted data further includes inserting a value delimiter after each decimal value within a field of the SSL client identifier string.
7. The method of claim 1 wherein the selected hash function is an MD5 hash function.
8. The method of claim 1 wherein processing the extracted data further includes persisting at least one field delimiter in the SSL client identifier string in the absence of data in the CHP for a corresponding field.
9. The method of claim 1 and further comprising: receiving a security indication for a specified SSL client fingerprint; and updating the database based on the security indication.
10. The method of claim 1 and further comprising: extracting data from the database to form a log of SSL client fingerprints that identify clients that accessed the database system.
11. A non-transitory, computer readable medium storing instructions executable by a processor to cause the processor to realize a client fingerprinting component, including carrying out the steps of: receiving an indication of a detected Client Hello packet (CHP) on a network wire, and analyzing the CHP by extracting selected data from the CHP, wherein the selected data comprises a set of fields in the CHP, each of the fields containing zero or more hex values; extracting selected data from the CHP; processing the selected data to form an SSL client identifier string; applying a selected hash function to the SSL client identifier string to form an SSL client fingerprint that is based on an order of data in the set of fields; and logging the SSL client fingerprint in a database; wherein processing the selected data includes: for each of the set of fields, converting each of the hex values into a corresponding decimal value, selectively inserting a value delimiter between the decimal values, and concatenating the decimal values and the value delimiters in an order in which the values appear in the field, to form a field result string; and concatenating the field result strings to form the SSL client identifier string.
12. The computer readable medium of claim 11 wherein: concatenating the field results includes arranging the field results in a sequence based on an order in which the fields appear in the CHP, and inserting a field delimiter after each field result prior to concatenating the field results.
13. The computer readable medium of claim 11 wherein the fields comprise: an SSL Version field, a cipher suite field, and an extension field.
14. The computer readable medium of claim 13 wherein the fields further comprise an elliptic curve field.
15. The computer readable medium of claim 13 wherein the stored instructions further cause the processor to execute the steps of: receiving a security indication for a specified SSL client fingerprint; and updating the database based on the security indication.
16. The computer readable medium of claim 13 wherein the stored instructions further cause the processor to extract data from the database to form a list of SSL client fingerprints that identify clients that accessed the database system.
17. A system comprising: an information system including a network interface for communications over an external network; a packet analyzer coupled to the network interface to examine packet traffic traveling between the information system and the external network; an SSL fingerprint component coupled to the network packet analyzer to analyze a Client Hello packet captured by the network packet analyzer; wherein the fingerprint component is configured to generate an SSL client fingerprint based on the Client Hello packet including an order of data in a set of fields wherein for each of the set of fields, the hex values are converted into a corresponding decimal value, a value delimiter is inserted between the decimal values, and the decimal values and the value delimiters are concatenated in an order in which the values appear in the field, to form a field result string; a datastore coupled to the fingerprint component for storing the SSL client fingerprint; and a concatenating component to concatenate the field result strings to form the SSL client identifier string.
18. The system of claim 17 wherein the SSL fingerprint component is arranged to generate a blacklist of clients based on data stored in the datastore; wherein the blacklist identifies each of the clients by a corresponding SSL client fingerprint, rather than by an IP address.
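The claims describe a concrete procedure: pull the SSL Version, cipher suite, extension and elliptic curve fields out of a Client Hello in wire order, render each hex value as decimal, join values with a value delimiter and fields with a field delimiter (keeping the delimiter when a field is empty, as in claim 8), then MD5 the resulting string (claim 7) and key allow/deny decisions on that hash rather than on an IP address (claims 9 and 18). The following Python is an added worked example written for this page, not code from the patent or its assignee. It parses a constructed TLS 1.2 ClientHello record built inline; the choice of "-" as the value delimiter and "," as the field delimiter is an assumption, since the claims name the delimiters but not their characters, and `classify` is a hypothetical helper standing in for the claimed datastore lookup.

```python
import hashlib
import struct

# Delimiter characters are assumptions: the claims require a value delimiter
# and a field delimiter but do not specify which characters are used.
VALUE_DELIM = "-"
FIELD_DELIM = ","
EXT_SUPPORTED_GROUPS = 10   # TLS extension type carrying the elliptic curve list


def build_client_hello(version, cipher_suites, extensions):
    """Constructed helper: wrap a ClientHello in a TLS record.
    `extensions` is a list of (type, data) tuples in the order they should appear."""
    body = struct.pack(">H", version)                       # client_version
    body += bytes(32)                                       # random (all zeros, constructed)
    body += b"\x00"                                         # empty session_id
    body += struct.pack(">H", 2 * len(cipher_suites))
    body += b"".join(struct.pack(">H", cs) for cs in cipher_suites)
    body += b"\x01\x00"                                     # one compression method: null
    ext = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body += struct.pack(">H", len(ext)) + ext
    hs = b"\x01" + len(body).to_bytes(3, "big") + body      # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


def parse_client_hello(record):
    """Return (version, cipher_suites, extension_types, curves) as integers,
    each list in wire order. Raises ValueError on anything malformed."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack(">H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        raise ValueError("truncated ClientHello")
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                            # skip random
    pos += 1 + body[pos]                                    # skip session_id
    cs_len = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("cipher suite list overruns message")
    cipher_suites = [struct.unpack(">H", body[i:i + 2])[0]
                     for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                                    # skip compression methods
    ext_types, curves = [], []
    if pos + 2 <= len(body):                                # extensions block is optional
        end = pos + 2 + struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            data = body[pos:pos + elen]
            pos += elen
            ext_types.append(etype)
            if etype == EXT_SUPPORTED_GROUPS and len(data) >= 2:
                glen = struct.unpack(">H", data[:2])[0]
                curves = [struct.unpack(">H", data[i:i + 2])[0]
                          for i in range(2, 2 + glen, 2)]
    return version, cipher_suites, ext_types, curves


def identifier_string(version, cipher_suites, ext_types, curves):
    """Per field, decimal values joined by the value delimiter in wire order;
    fields joined by the field delimiter. An empty field keeps its slot, so the
    field delimiter persists when the CHP carries no data for it (claim 8)."""
    fields = ([version], cipher_suites, ext_types, curves)
    return FIELD_DELIM.join(VALUE_DELIM.join(str(v) for v in f) for f in fields)


def client_fingerprint(record):
    """Return (identifier_string, md5_hex) for one captured ClientHello record."""
    try:
        ident = identifier_string(*parse_client_hello(record))
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc
    return ident, hashlib.md5(ident.encode("ascii")).hexdigest()


def classify(fingerprint, blocklist, allowlist):
    """Hypothetical datastore lookup: decisions keyed by fingerprint, not source IP."""
    if fingerprint in blocklist:
        return "block"
    if fingerprint in allowlist:
        return "allow"
    return "unknown"


# Constructed sample: TLS 1.2, two cipher suites, extensions server_name (0),
# supported_groups (10) listing x25519 and secp256r1, signature_algorithms (13).
SAMPLE_HELLO = build_client_hello(
    0x0303, [0xC02B, 0x009C],
    [(0, b"\x00\x0c\x00\x00\x09localhost"),
     (10, b"\x00\x04\x00\x1d\x00\x17"),
     (13, b"\x00\x02\x04\x01")])
# Same client with every extension stripped: the empty fields still leave delimiters.
BARE_HELLO = build_client_hello(0x0303, [0xC02B, 0x009C], [])

if __name__ == "__main__":
    for name, rec in (("sample", SAMPLE_HELLO), ("bare", BARE_HELLO)):
        ident, fp = client_fingerprint(rec)
        print(f"{name}: {ident} -> {fp}")
```

Because the identifier preserves wire order, two clients offering the same cipher suites in a different order hash differently, which is the property the claims rely on; a field that a client omits entirely still contributes its delimiter, so the string stays positionally comparable across clients. MD5 is what claim 7 names and is adequate as a lookup key here, since the fingerprint is an identifier rather than an integrity check.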
Hash functions, e.g. MD5, SHA, HMAC or f9 MAC · CPC title
at the transport layer · CPC title
based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint · CPC title
Virtual private networks · CPC title
by filtering · CPC title