Forum Discussion

Nishal_Rai
Apr 25, 2024

Can an iRule be used to make an exception for an IPI category based on geolocation?

Hi Everyone,


Can we configure an iRule to make an exception for a certain IPI category, like "Spam Sources", based on geolocation?

For instance, I want to bypass the mitigation enforced on the "Spam Sources" IP intelligence category specifically for the "Nepal" geolocation, because of the large number of false positives in this category.

I found this iRule, which enforces the mitigation based on the defined IPI categories:

when HTTP_REQUEST {
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    set is_reject 0
    if {($ip_reputation_categories contains "Windows Exploits")} {
        set is_reject 1
    }
    if {($ip_reputation_categories contains "Web Attacks")} {
        set is_reject 1
    }
    if {($is_reject)} {
        log local0. "Attempted access from malicious IP address [IP::client_addr] ($ip_reputation_categories), request was rejected"
        # The content string must stay on the same line as HTTP::respond: a bare newline ends a Tcl command
        HTTP::respond 200 content "<HTML><HEAD><TITLE>Rejected Request</TITLE></HEAD><BODY>The request was rejected. <BR> Attempted access from malicious IP address</BODY></HTML>"
    }
}


https://techdocs.f5.com/en-us/bigip-15-0-0/big-ip-local-traffic-manager-implementations/enabling-ip-address-intelligence.html

4 Replies

  • My bad. The else condition is rejecting all traffic. Try the one below; I would suggest trying it on a non-prod VIP first.

     

    when HTTP_REQUEST {
        set ip_reputation_categories [IP::reputation [IP::client_addr]]
        if {([$ip_reputation_categories contains "Spam Sources"]) and (!([[whereis [IP::client_addr] country] equals "NP"]))} {
            log local0. "IP from spam sources block: [IP::client_addr]"
            drop
        } else {
            #DO NOTHING
        }
    }

     

    • Nishal_Rai

      SanjayP


      A few lines were also added to the provided iRule for debugging purposes, as discussed before.

      when HTTP_REQUEST {
          set ip_reputation_categories [IP::reputation [IP::client_addr]]
          if {([$ip_reputation_categories contains "Spam Sources"]) and (!([[whereis [IP::client_addr] country] equals "NP"]))} {
              log local0. "IP from spam sources block: [IP::client_addr]"
              drop
          } else {
              log local0. "IP from spam sources from Nepal, allow: [IP::client_addr]"
              #DO NOTHING
          }
      }



      However, a few minutes after attaching the iRule to the virtual server, the application stopped working.

      The following error logs were found in /var/log/ltm:

      May  8 13:07:06 waf.domain.com err tmm2[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
      May  8 13:07:06 waf.domain.com err tmm[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
      May  8 13:07:06 waf.domain.com err tmm1[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
      May  8 13:07:06 waf.domain.com err tmm2[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
      May  8 13:07:06 waf.domain.com err tmm3[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
      May  8 13:07:06 waf.domain.com err tmm3[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
      May  8 13:07:06 waf.domain.com err tmm1[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
      May  8 13:07:06 waf.domain.com err tmm3[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""
      May  8 13:07:06 waf.domain.com err tmm2[19426]: 01220001:3: TCL error: /Common/NP-GeoIP-Spam_Sources_Allow <HTTP_REQUEST> - invalid command name ""     while executing "$ip_reputation_categories contains "Spam Sources""



      It seems the iRule is still not valid for checking the IPI category variable, especially for:

      [$ip_reputation_categories contains "Spam Sources"]

       

  • Interesting one. Never tried it, but you can give it a try using the iRule below. Let us know how testing goes. (Note: please check the country code again.)

    when HTTP_REQUEST {
        set ip_reputation_categories [IP::reputation [IP::client_addr]]
        if {([$ip_reputation_categories contains "Spam Sources"]) and ([[whereis [IP::client_addr] country] equals "NP"])} {
        } else {
            drop
        }
    }

     

    • Nishal_Rai

      Hi SanjayP

      Thanks for sharing the iRule, but a few minutes after implementing it on the virtual server, the corresponding application stopped working.
       
      Since there were no logs generated under Event Logs > Application to confirm whether the new requests were being blocked as "Spam Sources", and there was no entry related to IPI in "/var/log/ltm", it was difficult to identify the root cause of the issue.
      (However, when "Block" mode was configured for "Spam Sources" in IPI, the issue was discovered.)


      So I just want to confirm: is a request accepted by the iRule not logged by F5 BIG-IP?
       
      Or do we need to add something to the iRule to at least flag the request as "illegal" (like just "Alarm" mode) for "Spam Sources" from the Nepal geolocation, so that we can troubleshoot?
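The "invalid command name" errors in the thread come from wrapping the `contains` and `equals` tests in square brackets, which makes Tcl try to run the variable's value (empty for an unlisted client IP) as a command. The iRule below is an added example, not posted by any participant: it uses parentheses inside the if expression, guards the empty-reputation case, and logs the allowed Nepal exception as well as the drop so both decisions show up in /var/log/ltm. The "NP" country code and the log wording are assumptions to verify on your own system.

```tcl
# Added example, not from the thread. Assumes the BIG-IP IP Intelligence
# and GeoIP databases are licensed and loaded; "NP" for Nepal is an
# assumption to confirm against the GeoIP database in use.
when HTTP_REQUEST {
    set ip_reputation_categories [IP::reputation [IP::client_addr]]

    # IP::reputation returns an empty string when the client address is in
    # no IPI category; bail out early instead of evaluating it further.
    if { $ip_reputation_categories eq "" } {
        return
    }

    # whereis returns the two-letter country code for the client address
    set client_country [whereis [IP::client_addr] country]

    # Use parentheses, not [ ... ], around the operands of contains/equals:
    # [$ip_reputation_categories contains "Spam Sources"] would execute the
    # variable's value as a command, which is the TCL error logged above.
    if { ($ip_reputation_categories contains "Spam Sources") } {
        if { ($client_country equals "NP") } {
            # Geolocation exception: allow, but keep an audit trail of it
            log local0. "IPI Spam Sources allowed (country=$client_country): [IP::client_addr] ($ip_reputation_categories)"
            return
        }
        log local0. "IPI Spam Sources blocked (country=$client_country): [IP::client_addr] ($ip_reputation_categories)"
        drop
    }
}
```

This iRule only controls its own drop decision; it does not change what the security policy's own IP Intelligence setting does, so if the policy still has "Spam Sources" in Block mode, the policy's block still applies.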