Help
CodeShare
Have some code. Share some code.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Block Log4j with use of IOCs

Niels_van_Sluis
MVP
MVP

on ‎26-Dec-2021 05:44

Problem this snippet solves:

iRule that helps to mitigate the Log4j vulnerability with use of public available IOCs. Currently the following IOCs can be used:


cert-agid.gov.it (Contains scan IP's): https://cert-agid.gov.it/download/log4shell-iocs.txt

NLD Police:  https://thanksforallthefish.nl/log4j_blocklist.txt


These IOCs combined will result in about 25191 IP addresses being blocked.


The plan is to add some more IOCs soon.


Last update: 27 December 2021

How to use this snippet:

This solution makes use of iRulesLX. So first of all you need to provision iRulesLX on your BIG-IP. Then proceed to add the LX Workspace, iRule and Extension.


  • Create LX Workpace: log4j_ioc
  • Add iRule: log4j_ioc_irule
  • Add Extension: log4j_ioc_extension (index.js)
  • Add LX Plugin: log4j_ioc_plugin (from Workspace log4j_ioc)


Install the required NodeJS modules. Use SSH to login to your BIG-IP and install the https and lokijs modules.


# cd /var/ilx/workspaces/Common/log4j_ioc/extensions/log4j_ioc_extension

# nmp install https lokijs --save



Tested this on version:

15.1
Labels:
Version history
Last update:
‎26-Dec-2021 05:44
Updated by:
MVP
Contributors
Copyright © 2023 Khoros, LLC