Forum Discussion
Petruk_Cemeng_7
Nimbostratus
NimbostratusHow to Blocking ULtrasurf?
Hi All,
Is there any irule or configuration on F5 for blocking ultrasurf? I try to use ip intelegence irule on LTM,it did not work because the destination ip address is not registered as bad r...
hoolio
Cirrostratus
CirrostratusAlso, I'm not sure if you want to continuously collect the payloads. Can you collect enough bytes just once in the initial connection to find the bad byte pattern?
when CLIENT_ACCEPTED {
if { [class match [IP::local_addr] equals block_ip_ultrasurf ] } {
log local0. "block ip = [IP::local_addr]"
drop
} elseif {[TCP::local_port] == 443} {
TCP::collect 100
}
}
when CLIENT_DATA {
binary scan [TCP::payload] H* payload_hex
log local0. "payload_hex ([string length $payload_hex] chars) = $payload_hex"
if {[class match $payload_hex contains signature_clientsslhello]} {
drop
}
TCP::release
}
Aaron
