iRules to manipulate established sessions
Is there a way to use an iRule to close established sessions for a specific source-IP? I'm working on a "Passive" IPS solution that receives data from the F5 via clone-pools and then upon policy violation makes a call to the F5 where an iRule inserts the source-IP of the 'attacker' into a subtable that is then referenced by the VS. If any further connections from that source-IP come in, the connection is denied.
The problem I'm having is that while the clone/inspect/notify process described above is going on (takes probably a second), an attacker can open an additional TCP socket and once it's open, it's not subject to denial via the blacklist. So I'm looking for a way to proactively go through and close any open connections from that source-IP.
Anyone know if this is possible?
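One way to close the window described above is to re-check the blacklist on every client data segment, not just at accept time, so a socket that was opened before the entry landed in the subtable is reset the next time the client sends anything. The iRule below is an added example, not code from the original post or from F5; it assumes a subtable named "blacklist" and a 300-second entry lifetime (both arbitrary), and uses the documented table, IP::client_addr, TCP::collect, TCP::release and reject commands.

```tcl
# Assumed subtable name and entry lifetime (seconds); adjust to taste.
set static::bl_subtable "blacklist"
set static::bl_lifetime 300

# Helper rule body: returns 1 if the current client is blacklisted.
# (iRules have no procs on older versions, so the lookup is inlined in each event.)

when CLIENT_ACCEPTED {
    # Deny new connections from a blacklisted source before any data flows.
    if { [table lookup -subtable $static::bl_subtable [IP::client_addr]] ne "" } {
        reject
        return
    }
    # Ask TMM to hand each client data segment to CLIENT_DATA so an
    # already-established flow can be re-evaluated as the blacklist changes.
    TCP::collect
}

when CLIENT_DATA {
    # Re-check on every segment: a connection accepted during the
    # clone/inspect/notify gap gets a RST on its next packet.
    if { [table lookup -subtable $static::bl_subtable [IP::client_addr]] ne "" } {
        log local0. "resetting established connection from [IP::client_addr]"
        reject
        return
    }
    # Forward the buffered data and arm collection for the next segment.
    # Caveat: collecting every segment costs CPU; on an HTTP virtual server the
    # same lookup in HTTP_REQUEST is cheaper and catches each new request.
    TCP::release
    TCP::collect
}

# Example of the insertion side (separate control virtual server the IPS talks to):
# the source address to block is assumed to arrive in the first client payload.
when CLIENT_ACCEPTED {
    TCP::collect
}
when CLIENT_DATA {
    set addr [string trim [TCP::payload]]
    # Assumption: the IPS sends only a bare IPv4/IPv6 address; validate before use.
    if { [catch { IP::addr $addr equals $addr }] == 0 } {
        table set -subtable $static::bl_subtable $addr "blocked" indef $static::bl_lifetime
        log local0. "blacklisted $addr for $static::bl_lifetime s"
    }
    reject
}
```

The two halves belong to two different virtual servers (the protected one and the control one); attaching both rule bodies to a single VS would make the control payload check run on application traffic.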