Forum Discussion

kcobean_191923
Apr 22, 2015

iRules to manipulate established sessions

Is there a way to use an iRule to close established sessions for a specific source-IP? I'm working on a "Passive" IPS solution that receives data from the F5 via clone-pools and then upon policy violation makes a call to the F5 where an iRule inserts the source-IP of the 'attacker' into a subtable that is then referenced by the VS. If any further connections from that source-IP come in, the connection is denied.


The problem I'm having is that while the clone/inspect/notify process described above is going on (takes probably a second), an attacker can open an additional TCP socket and once it's open, it's not subject to denial via the blacklist. So I'm looking for a way to proactively go through and close any open connections from that source-IP.


Anyone know if this is possible?
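As an added illustration (not code from the original post), here is how the subtable blacklist described above can be expressed as two iRules: one on the virtual server the passive IPS calls to flag an address, and one on the protected virtual server that checks the subtable. The subtable name, the header carrying the flagged address and the 300-second block lifetime are assumptions; re-checking the table on every HTTP request additionally tears down a keep-alive connection that was already open when the block was inserted.

```tcl
# --- iRule 1: attached to the VS the IPS notifies (assumed names/values) ---
# The IPS is assumed to send the offending source address in a request
# header called X-Block-Addr; nothing else on this VS is trusted as input.
when HTTP_REQUEST {
    set addr [HTTP::header value "X-Block-Addr"]
    if { $addr ne "" } {
        # key = source IP, value = time flagged, timeout 300 s, lifetime 300 s
        table set -subtable "ips_blacklist" $addr [clock seconds] 300 300
        log local0. "ips_blacklist: added $addr"
        HTTP::respond 200 content "blocked $addr"
    }
}

# --- iRule 2: attached to the protected VS ---
when CLIENT_ACCEPTED {
    # New TCP connection: refuse it outright if the source is blacklisted.
    if { [table lookup -subtable "ips_blacklist" [IP::client_addr]] ne "" } {
        log local0. "ips_blacklist: rejecting new connection from [IP::client_addr]"
        reject
    }
}

when HTTP_REQUEST {
    # Re-check on every request, so a connection opened during the
    # clone/inspect/notify window is reset on its next request instead
    # of staying usable for the rest of its lifetime.
    if { [table lookup -subtable "ips_blacklist" [IP::client_addr]] ne "" } {
        log local0. "ips_blacklist: resetting established connection from [IP::client_addr]"
        reject
    }
}
```

This only covers connections that send another request; an idle established connection is not touched by these events, which is the gap the question is about.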


1 Reply

  • > So I'm looking for a way to proactively go through and close any open connections from that source-IP.

    Have you checked iCall? Is it usable?