
Block Log4j with use of IOCs

Problem this snippet solves:

An iRule that helps mitigate the Log4j vulnerability by blocking IP addresses listed in publicly available IOCs. Currently the following IOC sources can be used:


cert-agid.gov.it (contains scan IPs): https://cert-agid.gov.it/download/log4shell-iocs.txt

NLD Police: https://thanksforallthefish.nl/log4j_blocklist.txt


These IOCs combined will result in about 25191 IP addresses being blocked.


The plan is to add some more IOCs soon.


Last update: 27 December 2021

How to use this snippet:

This solution makes use of iRulesLX. So first of all you need to provision iRulesLX on your BIG-IP. Then proceed to add the LX Workspace, iRule and Extension.


  • Create LX Workspace: log4j_ioc
  • Add iRule: log4j_ioc_irule
  • Add Extension: log4j_ioc_extension (index.js)
  • Add LX Plugin: log4j_ioc_plugin (from Workspace log4j_ioc)


Install the required NodeJS modules. Use SSH to log in to your BIG-IP and install the https and lokijs modules.


# cd /var/ilx/workspaces/Common/log4j_ioc/extensions/log4j_ioc_extension

# npm install https lokijs --save
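
The extension's job, as described above, is to combine the downloaded IOC lists and answer whether a client IP is on them. The following is an added example, not the snippet's own index.js, showing that merge-and-lookup step in plain JavaScript with the checks a defender would want on an external feed. It assumes each feed is plain text with one IPv4 address per line; the function names, the `neverBlock` ranges and the sample addresses are constructed for illustration.

```javascript
// Added example. Assumed feed format: one IPv4 address per line, '#' starts a
// comment. All function names and the neverBlock list are hypothetical.
function ipv4ToInt(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return null;
  return octets.reduce((n, o) => n * 256 + o, 0); // unsigned 32-bit value
}

// True when the integer address lies inside a CIDR such as "10.0.0.0/8".
function inCidr(addr, cidr) {
  const [base, bitsText] = cidr.split('/');
  const baseInt = ipv4ToInt(base);
  const bits = Number(bitsText);
  if (baseInt === null || !Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(addr / size) === Math.floor(baseInt / size);
}

// Merge feed bodies into one de-duplicated set. Malformed lines and addresses in
// the operator's neverBlock ranges are reported instead of loaded, so a bad or
// tampered feed cannot block internal clients or health monitors.
function buildBlocklist(feeds, neverBlock) {
  const blocked = new Set();
  const rejected = [];
  for (const [source, body] of Object.entries(feeds)) {
    for (const raw of body.split(/\r?\n/)) {
      const line = raw.replace(/#.*$/, '').trim();
      if (line === '') continue;
      const addr = ipv4ToInt(line);
      if (addr === null) {
        rejected.push({ source, line, reason: 'malformed' });
      } else if (neverBlock.some((cidr) => inCidr(addr, cidr))) {
        rejected.push({ source, line, reason: 'protected range' });
      } else {
        blocked.add(addr);
      }
    }
  }
  return { blocked, rejected };
}

function isBlocked(list, clientIp) {
  const addr = ipv4ToInt(clientIp);
  return addr !== null && list.blocked.has(addr);
}

// Constructed sample feeds (RFC 5737 documentation addresses plus bad entries).
const SAMPLE_FEEDS = {
  feedA: '# constructed sample\n192.0.2.10\n198.51.100.7\n10.1.2.3\n',
  feedB: '198.51.100.7\r\n203.0.113.99 # scanner\nnot-an-ip\n0.0.0.0/0\n',
};
const SAMPLE_LIST = buildBlocklist(SAMPLE_FEEDS, ['10.0.0.0/8', '127.0.0.0/8']);
```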



Tested this on version:

15.1
Published Dec 26, 2021
Version 1.0