Forum Discussion

Petruk_Cemeng_7's avatar
Petruk_Cemeng_7
Icon for Nimbostratus rankNimbostratus
Oct 10, 2012

How to Blocking ULtrasurf?

Hi All,   Is there any irule or configuration on F5 for blocking ultrasurf? I try to use ip intelegence irule on LTM,it did not work because the destination ip address is not registered as bad r...
app sec
BIG-IP Access Policy Manager (APM)
security
nitass's avatar
nitass
Icon for Employee rankEmployee
Oct 11, 2012
The client ssl hello for that pattern is blocked by this irule, there is no server ssl hello. But i dont know why i still see encrypted traffic.have you tried "reset" instead of "drop"?

----> we found error on the ltm log file:

Oct 11 18:13:44 tmm err tmm[7531]: 01220001:3: TCL error: /Common/ultrasurf1 - can't read "payload_hex": no such variable while executing "class match $payload_hex equals signature_clientsslhello"

Oct 11 18:13:44 tmm err tmm[7531]: 01220001:3: TCL error: /Common/ultrasurf1 - can't read "payload_hex": no such variable while executing "class match $payload_hex equals signature_clientsslhello"

Oct 11 18:13:44 tmm err tmm[7531]: 01220001:3: TCL error: /Common/ultrasurf1 - can't read "payload_hex": no such variable while executing "class match $payload_hex equals signature_clientsslhello"you may check if binary scan return 1 before referring to payload_hex variable.

e.g. 

if {[binary scan [TCP::payload 11] H22 payload_hex] == 1} {
   if {[class match $payload_hex equals signature_clientsslhello]} {
      log local0. "payload_hex = $payload_hex"
      drop
   }
}

binary scan

http://wiki.tcl.tk/4180