Geoff_Gudgeon_3
Mar 02, 2017 (Nimbostratus)
Solved
IP Reputation and iRule
Hi,
Was wondering if I could get some advice on the following iRule that I plan to use to check incoming connections to public facing Virtual Servers. I have confirmed that the F5 in question is getting regular updates from BrightCloud so I want to utilise this local database to check connections coming in to the F5 Virtual Servers.
This code attached was lifted and adjusted a little from an existing F5 article.

    when HTTP_REQUEST {
        # Look up the client address in the local IP reputation database
        set ip_reputation_categories [IP::reputation [IP::client_addr]]
        set is_reject 0
        # Flag the request if the address is listed in any of these categories
        if {($ip_reputation_categories contains "Windows Exploits")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Web Attacks")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Botnets")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Scanners")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Denial of Service")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Infected Sources")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Phishing")} {
            set is_reject 1
        }
        if {($ip_reputation_categories contains "Proxy")} {
            set is_reject 1
        }
        if {($is_reject)} {
            # Log the match, then answer with a short rejection page
            log local0. "Attempted access from malicious IP address [IP::client_addr] ($ip_reputation_categories), request was rejected"
            HTTP::respond 200 content "Rejected Request The request was rejected. Attempted access from malicious IP address"
        }
    }

Also just wondering what sort of load this would likely put on the F5 (Viprion 2400) and if there would be any significant performance decrease from doing this.
Cheers
It's your call, but I wouldn't bother with a pretty response because frankly they're not worth the effort or the CPU. My version of this is below.

    when CLIENT_ACCEPTED {
        if {[IP::reputation [IP::client_addr]] ne ""} {
            reject
        }
    }
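
A combined form of the two iRules above, as an added example that is not part of either post: it keeps the question's eight categories but rejects at CLIENT_ACCEPTED as the answer does, so the lookup runs once per connection and a blocked client never reaches HTTP processing. The variable name `static::blocked_categories` and the log message wording are assumptions.

```tcl
when RULE_INIT {
    # Categories to block: the eight named in the question above.
    # Held in a static variable so the list is built once, not per connection.
    set static::blocked_categories {
        "Windows Exploits" "Web Attacks" "Botnets" "Scanners"
        "Denial of Service" "Infected Sources" "Phishing" "Proxy"
    }
}

when CLIENT_ACCEPTED {
    # IP::reputation returns a Tcl list of category names,
    # which is empty when the address is not in the database.
    set categories [IP::reputation [IP::client_addr]]
    if { $categories eq "" } {
        return
    }

    # Compare whole list elements instead of substring matching,
    # so only an exact category name triggers the block.
    foreach category $categories {
        if { [lsearch -exact $static::blocked_categories $category] >= 0 } {
            log local0. "Rejected connection from [IP::client_addr] to [virtual name] ($categories)"
            reject
            return
        }
    }
}
```

An address listed only under a category outside this list is still allowed through, which is the behavioural difference from the answer's version that rejects on any non-empty result.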