Block Log4j with use of IOCs

Problem this snippet solves:

iRule that helps to mitigate the Log4j vulnerability with use of public available IOCs. Currently the following IOCs can be used: (Contains scan IP's):

NLD Police:

These IOCs combined will result in about 25191 IP addresses being blocked.

The plan is to add some more IOCs soon.

Last update: 27 December 2021

How to use this snippet:

This solution makes use of iRulesLX. So first of all you need to provision iRulesLX on your BIG-IP. Then proceed to add the LX Workspace, iRule and Extension.

  • Create LX Workpace: log4j_ioc
  • Add iRule: log4j_ioc_irule
  • Add Extension: log4j_ioc_extension (index.js)
  • Add LX Plugin: log4j_ioc_plugin (from Workspace log4j_ioc)

Install the required NodeJS modules. Use SSH to login to your BIG-IP and install the https and lokijs modules.

# cd /var/ilx/workspaces/Common/log4j_ioc/extensions/log4j_ioc_extension

# nmp install https lokijs --save

Tested this on version:

Published Dec 26, 2021
Version 1.0

Was this article helpful?

No CommentsBe the first to comment