External Logging / Export of Blocked Ip addresses
-
Hey Guys,
I'm fairly new to pfSense, and liking what I see.
I am using 22.05-RELEASE (amd64) of pfSense+.
I have almost everything set up as I want. However, I'm looking for a way of exporting any blocked IP addresses. Ideally I want to run it as a cron job so that I can send the list via FTP or SSH to another system for checking.
Currently using Snort -- should I be using Suricata instead?
Anyone done this yet? Is there a better way of doing what I want (which is basically exporting any blocked IP / detail for further analysis)?
Thanks in advance, and thanks for all the FAQs that are posted here!!
-
There is no method for exporting the blocked IP list within the GUI package, but that is something you can do externally using a simple shell script. It would be up to you to write the script and then schedule it via cron.
Caveat: the method described below is how Legacy Blocking Mode operates. If you are using Inline IPS Mode, then nothing stated below is applicable as that mode uses a completely different process. For Inline IPS Mode, you would have to manually parse the alert log file looking for DROP actions.
Snort blocks by making a pfSense system call and adding the IP addresses to be blocked to an internal pf (packet filter firewall engine) table called snort2c. There is a built-in hidden firewall rule created by pfSense that blocks all traffic for IP addresses in that table. You can use the pfctl utility to dump the contents of the snort2c table. That will be a list of the IP addresses currently being blocked. The documentation for this utility can be found here. This is the command you would need in your script:
/sbin/pfctl -t snort2c -T show
That command will return a list of IP addresses contained in the table, and those IPs are being blocked by the hidden firewall rule I mentioned previously.
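An added example of such an export script, not from this thread and not part of pfSense or the Snort package. It assumes Legacy Blocking Mode (so the snort2c table exists), writes one timestamped CSV file per run, and pushes it with scp if a remote target is given. The PFCTL_OUTPUT variable and the sample addresses are constructed so the script can be exercised off-box; on a pfSense system leave PFCTL_OUTPUT unset and the real /sbin/pfctl command is used.

```shell
#!/bin/sh
# Example export script for the snort2c pf table (added example, assumptions noted).
# Usage:  export_snort2c.sh /var/tmp/blocked [user@host:/incoming]
# Cron:   */15 * * * * /root/export_snort2c.sh /var/tmp/blocked analyst@siem:/incoming

# Dump the table. On pfSense this is exactly the command from the post above.
# PFCTL_OUTPUT is an assumption for testing: when set, its contents stand in for
# the real pfctl output so the rest of the script can be run on any host.
dump_snort2c() {
    if [ -n "${PFCTL_OUTPUT:-}" ]; then
        printf '%s\n' "$PFCTL_OUTPUT"
    else
        /sbin/pfctl -t snort2c -T show
    fi
}

# pfctl prints each address indented and may print blank lines; normalise to
# one unique IP per line and prefix a timestamp so successive exports can be
# diffed or loaded into a database on the receiving side.
format_export() {
    stamp="$1"
    sed -e 's/^[[:space:]]*//' -e '/^$/d' | sort -u | while read -r ip; do
        printf '%s,%s\n' "$stamp" "$ip"
    done
}

# Write the snapshot to <outdir>/snort2c-<UTC stamp>.csv and print the path.
# Note: the table is only the set of IPs blocked right now; entries removed by
# Snort's block-clearing interval before the next run are not captured, so
# schedule the cron interval shorter than that interval.
export_blocked() {
    outdir="$1"
    mkdir -p "$outdir"
    now=$(date -u +%Y%m%dT%H%M%SZ)
    outfile="$outdir/snort2c-$now.csv"
    dump_snort2c | format_export "$now" > "$outfile"
    printf '%s\n' "$outfile"
}

# Number of entries in an export file (0 when nothing is blocked).
count_entries() {
    grep -c . "$1" || true
}

# Copy the export to another host over SSH (assumes key-based auth is set up).
push_export() {
    scp -q "$1" "$2"
}

# Only act when invoked with an output directory; sourcing the file does nothing.
if [ "$#" -ge 1 ]; then
    file=$(export_blocked "$1")
    echo "exported $(count_entries "$file") blocked IPs to $file"
    if [ "$#" -ge 2 ]; then
        push_export "$file" "$2"
    fi
fi
```

Because the script only ever reads the table, it is safe to run as often as you like; it never modifies pf state. If you later switch to Inline IPS Mode, this whole approach stops working, as noted in the post above, and you would parse the alert log for DROP actions instead.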
-
@bmeeks
Thank you very much for the detailed response! Perfect, exactly what I needed. Thank you again! Brilliant help!