Forum Discussion

Deepu2017
Jun 21, 2018

irule for IP rejection for malicious IPs

Hi All,


I have implemented an iRule to reject requests from IPs that are tagged as malicious by the IP Intelligence module. We have a custom response page built on the app, and whenever traffic initiates from a malicious IP, I do not want it to get to the response page.


Here is the iRule; this doesn't seem to be working as yet:


when HTTP_REQUEST {
    # IP::reputation returns the list of IP Intelligence categories for the client
    set ip_reputation_categories [IP::reputation [IP::client_addr]]
    set is_reject 0
    if {($ip_reputation_categories contains "Windows Exploits")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Web Attacks")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Scanners")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Phishing Proxies")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Infected Sources")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Illegal Websites")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Denial-of-Service")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Botnets")} { set is_reject 1 }
    if {($ip_reputation_categories contains "Anonymous Proxies")} { set is_reject 1 }
    if {($is_reject)} {
        log local0. "Attempted access from malicious IP address [IP::client_addr] ($ip_reputation_categories), request was rejected"
        # The rule as posted only logged; without a reject command the request
        # still reaches the application. reject resets the connection.
        reject
    }
}


  • Anesh

    create a Data Group [threat_categories_dg] with your reject categories and try the below

    when RULE_INIT {
        # Name of the string data group whose keys are the categories to reject
        set static::threat_categories_dg "threat_categories_dg"
    }

    when CLIENT_ACCEPTED {
        set client_ip [IP::client_addr]
        # List of IP Intelligence categories for this client (empty if none)
        set threat_categories [IP::reputation $client_ip]

        # True if the category list contains any key of the data group
        if { [class match $threat_categories contains $static::threat_categories_dg] } {
            log local0. "Dropping request. VS IP: [IP::local_addr], Client IP: $client_ip, Threat Category: $threat_categories, Country: [whereis $client_ip country]"
            drop
        }
    }
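Putting the two posts together, here is an added example (not code from either poster) of the data-group approach applied at HTTP_REQUEST, so the request is refused before the application's custom response page is ever involved. It assumes a string data group named threat_categories_dg whose keys are the IP Intelligence category names to reject; the tmsh command in the comment that creates it is part of this example, not the thread.

```tcl
# Assumed data group (created once, outside the iRule), e.g.:
#   tmsh create ltm data-group internal threat_categories_dg type string \
#       records add { "Botnets" { } "Scanners" { } "Web Attacks" { } }
when RULE_INIT {
    set static::threat_categories_dg "threat_categories_dg"
}

when HTTP_REQUEST {
    set client_ip [IP::client_addr]
    # IP::reputation returns a Tcl list of category names; empty when the
    # address is not listed (or the IP Intelligence feed is not licensed)
    set threat_categories [IP::reputation $client_ip]

    if { $threat_categories ne "" } {
        # -name returns the first data-group key found inside the category
        # list, or "" when nothing matched, so the log can name the category
        set matched [class match -name $threat_categories contains $static::threat_categories_dg]
        if { $matched ne "" } {
            log local0. "Rejected request from $client_ip: category \"$matched\" in ([join $threat_categories ", "]) for [HTTP::host][HTTP::uri]"
            # Reset the connection; nothing is forwarded to the pool, so the
            # app's custom response page is never reached
            reject
            return
        }
    }
}
```

Clients whose reputation list is empty fall through untouched, and adding or removing a category is a data-group edit rather than an iRule change.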