Netgate Discussion Forum

    Taming the beasts… aka suricata blueprint

    IDS/IPS
    504 Posts 64 Posters 315.8k Views
    • BBcan177 (Moderator)

      I have added a "PATCH" to make the necessary changes to the pfBlocker Widget so that you don't need to modify that file from the shell.

      If you don't have the pfSense Package "System Patches", it is available in the pfSense System:Packages list under "System Patches"

      Click the "+" Icon to add a new Patch
        Enter a Description (pfBlocker Widget Patch)
        In the Patch Contents Dialog Box - Copy/Paste from my Gist the contents of this
        link below:

      https://gist.github.com/BBcan17/67e8c456cb399fbe02ee#file-pfblocker-widget-php_patch

      Keep the other default settings as is.

      Click "Test" and confirm that it can be applied Successfully. Then click "Apply"

      In my Gist there is also a "Patch" to include the pf IP Reputation blocklists in the Firewall Logs "!" lookup functions.

      https://gist.github.com/BBcan17/67e8c456cb399fbe02ee#file-diag_dns-php_patch

      UPDATE:

      When Applying a Patch, the File that you want to modify has to be an original pfSense Version for the Patch to be applied successfully.

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

    • foetus

        @BBcan177:

        Out of Curiosity, which Lists did you disable?

        Anything related to Spamhaus. The reason is simple: the location where my current test setup is already has this filtered at a higher level. No point doing the same twice :)
        I was already using a white-list for my classic pfblocker lists, so that will just be extended (which won't be a lot since most anti-spam lists are disabled by default). It's not the reason for disabling them :).

        On production networks I'm pretty much gonna use the defaults since most people here and a couple of fellow testers in my area are confirming a low false positives rate.

    • BBcan177 (Moderator)

          @foetus:

          @BBcan177:

          Out of Curiosity, which Lists did you disable?

          Anything related to Spamhaus. The reason is simple: the location where my current test setup is already has this filtered at a higher level. No point doing the same twice :)
          I was already using a white-list for my classic pfblocker lists, so that will just be extended (which won't be a lot since most anti-spam lists are disabled by default). It's not the reason for disabling them :).

          On production networks I'm pretty much gonna use the defaults since most people here and a couple of fellow testers in my area are confirming a low false positives rate.

          The Spamhaus drop and edrop are also included in the ET Lists, but there are still times where one list hasn't sync'd with the others and there are Gaps. I always like to go to the source of the Lists and use those. IBlock has a lot of references to other lists but they just re-package them.

          It's not a lot of extra IPs and I would consider adding them just in case there are any issues from higher-ups syncing at different times. The Daily Log does help to see how often lists are updating by looking at the "Count".

          Emerging Threats fwip rules.

          Raw IPs for the firewall block lists. These come from:

          C&C servers identified by Shadowserver (www.shadowserver.org)

          Spam nets identified by Spamhaus (www.spamhaus.org)

          Top Attackers listed by DShield (www.dshield.org)

          More information available at www.emergingthreats.net

          Please submit any feedback or ideas to emerging@emergingthreats.net or the emerging-sigs mailing li

          Spamhaus also has a Botnet Command and Control List, that is free but it is not readily available. You need to request access to that for your downloading IP address and use RSYNC. The code to do that is included in the script. I have been working with them, to see if they will just release it like the drop and edrop so it makes it easier.

          It's also nice to see that grepcidr was partially funded by Spamhaus also.

          http://www.spamhaus.org/news/article/714/new-ipv6-cidr-searching-tools-released-grepcidrs

          I have also been working on integrating the script to use the new Emerging Threats IQRISK IP Rep lists. It's currently being beta tested by Cino. Unfortunately they want approx $1400 a year per license for it…  :o :o  But if you are a business, I would recommend that over BS locally installed virus detection software. I know that Bill has also been trying to get them to reduce the price for "Home Use"!

          I am also trying to get access to "ShadowServers" Lists, but they are taking forever to approve.

          http://www.shadowserver.org/ccfull.php
          http://www.shadowserver.org/ccdns.php

          If you guys find any bugs in the code or have some "Alternative" Methods to find Offending IPs, I am always open to see if I can make the Script better/more efficient.

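The list-gap check described in this post, as an added example in Python and not anything from the pfiprep script: parse two CIDR lists (constructed samples here, not real Spamhaus, ET or iBlocklist data), collapse them, answer the grepcidr-style question "which entry covers this IP", and list the address space a re-packaged copy has not picked up from its source yet. Function names and the sample entries are assumptions.

```python
import ipaddress

# Constructed sample lists (not real blocklist data): an upstream "source" list
# and an aggregator's re-packaged copy that has not fully synced with it.
SOURCE_LIST = """\
; upstream list, constructed sample
192.0.2.0/24      ; SBL-style entry
198.51.100.0/25   ; SBL-style entry
203.0.113.0/24    ; SBL-style entry
2001:db8:bad::/48 ; IPv6 entry
"""

MIRROR_LIST = """\
# re-packaged copy, constructed sample; lags behind the source
192.0.2.0/24
198.51.100.0/25
203.0.113.0/25
"""


def parse_cidrs(text):
    """Parse a blocklist: one IP or CIDR per line, ';' or '#' starts a comment."""
    nets = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].split("#", 1)[0].strip()
        if line:
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets):
    """Merge overlapping and adjacent networks, one address family at a time."""
    out = []
    for version in (4, 6):
        out.extend(ipaddress.collapse_addresses(n for n in nets if n.version == version))
    return out


def covered_by(ip, nets):
    """Return the first network containing ip, or None (the question grepcidr answers)."""
    addr = ipaddress.ip_address(ip)
    for net in nets:
        if net.version == addr.version and addr in net:
            return net
    return None


def gaps(source, mirror):
    """Address space listed in source that the mirror does not cover at all."""
    mirror = collapse(mirror)
    missing = []
    for net in collapse(source):
        remaining = [net]
        for m in mirror:
            if m.version != net.version:
                continue
            nxt = []
            for r in remaining:
                if r.subnet_of(m):
                    continue                            # fully covered by the mirror
                if m.subnet_of(r):
                    nxt.extend(r.address_exclude(m))    # carve out the covered part
                else:
                    nxt.append(r)
            remaining = nxt
        missing.extend(remaining)
    return collapse(missing)


if __name__ == "__main__":
    src, mir = parse_cidrs(SOURCE_LIST), parse_cidrs(MIRROR_LIST)
    for g in gaps(src, mir):
        print("listed upstream, not yet in mirror:", g)
    print("203.0.113.200 covered by mirror:", covered_by("203.0.113.200", mir))
```

Run it against a fresh download of the source list and the aggregator's copy to see how far the copy lags; anything `gaps()` reports is traffic the re-packaged list alone would still let through.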
    • BBcan177 (Moderator)

            @BBcan177:

            I have added a "PATCH" to make the necessary changes to the pfBlocker Widget so that you don't need to modify that file from the shell.

            If you don't have the pfSense Package "System Patches", it is available in the pfSense System:Packages list under "System Patches"

            Click the "+" Icon to add a new Patch
              Enter a Description (pfBlocker Widget Patch)
              In the Patch Contents Dialog Box - Copy/Paste from my Gist the contents of this
              link below:

            https://gist.github.com/BBcan17/67e8c456cb399fbe02ee#file-pfblocker-widget-php_patch

            Keep the other default settings as is.

            Click "Test" and confirm that it can be applied Successfully. Then click "Apply"

            In my Gist, is also a "Patch" to Include the pf IP Reputation Blocklists in the "Firewall Logs "!" Lookup functions.

            https://gist.github.com/BBcan17/67e8c456cb399fbe02ee#file-diag_dns-php_patch

            Cino has found a small bug in one of the patches.

            For the pfBlocker Widget, you will need to click on "Revert" back to previous version.

            Edit the patch and copy/paste the new code from my Gist.

            Then "Save", "Test", and "Apply".

            If you don't Have pfBlocker Installed, you could download the pfIPreputation.widget.php and save that in /usr/local/www/widgets/widgets

            Then add it to the Status:Dashboard page with the "+" icon.

            NOTE:  For diag_dns.php, don't forget to change the path to the /pf folder
                from the Patch - /YOUR/BLOCKLIST/FOLDER/*
                Example  /home/USER/pf/*

            UPDATE:

            If you are having issues applying the patches, it could be due to copy/paste issues.

            You can also use the "URL/Commit ID" in the Patch Edit Menu, and use these Links for each of the patches.

            https://gist.githubusercontent.com/BBcan17/67e8c456cb399fbe02ee/raw/f3ca0e1d3dd4a07a21796d033dad06a4ce1cc218/diag_dns.php_PATCH
            (Once you "fetch" the patch, you will need to manually edit the path to the [ /pf folder ]
            example  [  /home/USER/pf/*  ], then click "Test" and then "Apply". Do not paste any code into the "patch contents" the url will do that.

            https://gist.githubusercontent.com/BBcan17/67e8c456cb399fbe02ee/raw/3c3d508cec136788cea6abd98d49d367f9b75b7a/pfBlocker.widget.php_PATCH

            UPDATE2:

            When Applying a Patch, the File that you want to modify has to be an original pfSense Version for the Patch to be applied successfully.

    • foetus

              and a day later both bing and google are blocked  ;D

    • A Former User

                How are they blocked? Lists or suricata?

    • BBcan177 (Moderator)

                  If you use the MTA list it's blocking those sites.

                  That is a malware analysis website and if you take a look at their website you will see how they report their work. Unfortunately Google dns 8.8.8.8 was involved in malware (believe it or not lol)

                  Add those IPs to a pass list above the Block Rules.

                  If you added the Diag_dns.php patch, you will see which blacklist is blocking what.

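The "pass list above the block rules" fix from this post, as an added example that is not part of the post or of pfBlocker: a toy evaluator with pfSense's top-down, first-match rule order. It shows 8.8.8.8 passing when the pass alias sits first and being caught by the block alias when the order is reversed, and it also answers "which block lists contain this IP" regardless of order, which is the information the diag_dns.php patch surfaces. Alias names and list contents are constructed; the real MTA list contents are not reproduced here.

```python
import ipaddress

# Constructed rule set (not a pfSense config export). pfSense evaluates firewall
# rules top-down and the first match wins, so the pass alias must be above the
# block aliases. Alias names are illustrative; IR_MAIL stands in for an
# MTA-style list that happens to contain Google's public DNS.
RULESET = [
    ("pass",  "pfIP_Pass", ["8.8.8.8/32", "8.8.4.4/32"]),          # manual pass list
    ("block", "IR_PRI1",   ["192.0.2.0/24"]),
    ("block", "IR_MAIL",   ["8.8.8.0/24", "198.51.100.0/24"]),     # constructed entries
]

# The mistake: same aliases, but the pass rule ends up below the block rules.
WRONG_ORDER = RULESET[1:] + RULESET[:1]


def compile_ruleset(ruleset):
    """Turn CIDR strings into ip_network objects once, keeping rule order."""
    return [(action, name, [ipaddress.ip_network(c) for c in cidrs])
            for action, name, cidrs in ruleset]


def _matches(addr, nets):
    return any(n.version == addr.version and addr in n for n in nets)


def evaluate(ip, compiled):
    """First-match decision for ip: (action, alias that decided it)."""
    addr = ipaddress.ip_address(ip)
    for action, name, nets in compiled:
        if _matches(addr, nets):
            return action, name
    return "pass", "default"   # assumption: no catch-all block rule at the end


def lists_containing(ip, compiled):
    """Every block alias that lists ip, ignoring rule order: the first thing to
    check when a site is unexpectedly blocked."""
    addr = ipaddress.ip_address(ip)
    return [name for action, name, nets in compiled
            if action == "block" and _matches(addr, nets)]


def pass_list_is_first(compiled):
    """Sanity check on rule order: every pass alias precedes every block alias."""
    actions = [action for action, _, _ in compiled]
    first_block = next((i for i, a in enumerate(actions) if a == "block"), len(actions))
    last_pass = max((i for i, a in enumerate(actions) if a == "pass"), default=-1)
    return last_pass < first_block


if __name__ == "__main__":
    for label, rules in (("correct order", RULESET), ("pass rule last", WRONG_ORDER)):
        compiled = compile_ruleset(rules)
        print(label, "-> 8.8.8.8:", evaluate("8.8.8.8", compiled),
              "| listed in:", lists_containing("8.8.8.8", compiled),
              "| pass list first:", pass_list_is_first(compiled))
```

The `lists_containing()` result is what tells you which list to whitelist against; the `evaluate()` result is what the firewall actually does, and the two differ exactly when the pass alias is in the wrong place.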
    • foetus

                    yea, having issues applying the patch. does not seem to be reading out my lists. out of time today, whitelists ftw.

    • BBcan177 (Moderator)

                      @foetus:

                      yea, having issues applying the patch. does not seem to be reading out my lists. out of time today, whitelists ftw.

                      You need to edit the path in the patch to point to your pf folder.

                      In pfiprep is a pfdir= path

                      Make sure the patch has the correct path. If you make changes, you need to revert, make the changes and then re-apply.

                      If you are still having difficulties with it, send me a PM.

    • foetus

                         I cried too quickly. Clean reboot and re-applied. Working as intended :)
                        And exactly : MTA.txt

                        Once again nice job with that script. This will really help out.

    • BBcan177 (Moderator)

                          @foetus:

                           I cried too quickly. Clean reboot and re-applied. Working as intended :)
                          And exactly : MTA.txt

                          Once again nice job with that script. This will really help out.

                          I cried sometimes while writing the script!!!  ;D

                           Thanks for the feedback. Really appreciate it. If you're using Snort/Suricata, the updated diag_dns.php will also help when you click on the "!" icon to resolve the alerted IPs.

                          I would say that over 90% of the alerts in Snort/Suricata are already being blocked by the Blocklists.

    • q54e3w

                            hey guys, thanks to everyone for the work here in developing the code, scripts and instructions in this thread.
                            Can I check some newb stuff. When I create my aliases, I like to verify they appear right by mouseovering in the Firewall:Rules page, a drop down appears which shows the loaded data sets.
                             I noticed all my aliases were 2998 lines long, which seemed odd as file sizes and data when scripts were running suggested they were larger than this. I checked one script by loading it in via a pfBlocker list and it shows as much larger (142k entries)…. Can I check that the Firewall->Alias way of creating aliases doesn't truncate the data set and it's just the display that's limited.
                            Sorry if this is a dumb question - some of this is hard to get your head round first timers.

    • BBcan177 (Moderator)

                              Hi irj972,

                              If you run this command:

                               tail -200 download.log

                              It will show the last 200 lines of the download.log

                              You will see a section that looks something like this:

                              Alias Table IP Counts (w/o 1.1.1.1)
                               -----------------------------
                                281343 total
                                145545 /usr/local/www/aliastables/IR_SEC3
                                51863 /usr/local/www/aliastables/IR_IB
                                30389 /usr/local/www/aliastables/IR_PRI1
                                27565 /usr/local/www/aliastables/IR_PRI2
                                23143 /usr/local/www/aliastables/IR_SEC1
                                  2351 /usr/local/www/aliastables/IR_TOR
                                  391 /usr/local/www/aliastables/IR_SEC2
                                    57 /usr/local/www/aliastables/android
                                    39 /usr/local/www/aliastables/ponmocup

                              Forget about the bottom two. But the counts in your list should match what you see in the pfSense Rules Count and/or the widget.

                              The alias should be in this format:

                              [ https://127.0.0.1:[port]/aliastables/IR_PRI1 ]

                              You can also check to see that the alias tables in pfSense are Large enough:

                              pfSense Table Stats
                               -------------------
                              table-entries hard limit 12000000
                              Table Usage Count        316805

                              You can edit the tables size in Advanced:Firewall/NAT:Firewall Max Table Entries

                              One thing that is odd, is that you have "IR_SEC3" listed in the pfIP_Reputation Window below? Can you explain what that window represents?

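A parser and sanity check for the two download.log sections shown above, added here as an example and not code from pfiprep. It reads the per-list counts and the pf table stats, checks that the per-list counts add up to the reported total, flags lists too large for a plain "URL" alias (the 3000-entry ceiling is the figure given later in this thread; treat it as an assumption for your pfSense version), warns when table usage approaches the hard limit, and compares the logged counts against what pf actually loaded. The log excerpt reuses the numbers from the post with invented filler lines around them; the function names are assumptions.

```python
import re

# Constructed excerpt of a pfiprep download.log: the counts are the ones quoted
# in the post above, the surrounding lines are invented filler.
SAMPLE_LOG = """\
Updating  [ IR_PRI1 ] [ ET_Block Spamhaus_drop Spamhaus_edrop ]
94 addresses added.

Alias Table IP Counts (w/o 1.1.1.1)
-----------------------------
  281343 total
  145545 /usr/local/www/aliastables/IR_SEC3
   51863 /usr/local/www/aliastables/IR_IB
   30389 /usr/local/www/aliastables/IR_PRI1
   27565 /usr/local/www/aliastables/IR_PRI2
   23143 /usr/local/www/aliastables/IR_SEC1
    2351 /usr/local/www/aliastables/IR_TOR
     391 /usr/local/www/aliastables/IR_SEC2
      57 /usr/local/www/aliastables/android
      39 /usr/local/www/aliastables/ponmocup

pfSense Table Stats
-------------------
table-entries hard limit 12000000
Table Usage Count        316805
"""

COUNT_RE = re.compile(r"^(\d+)\s+(?:/usr/local/www/aliastables/)?(\S+)$")
LIMIT_RE = re.compile(r"^table-entries hard limit\s+(\d+)$")
USAGE_RE = re.compile(r"^Table Usage Count\s+(\d+)$")

# Assumption: the entry ceiling of a plain "URL" alias, per the figure in this thread.
URL_ALIAS_CEILING = 3000


def parse_download_log(text):
    """Pull the per-list counts, the reported total and the pf table stats out of download.log."""
    result = {"counts": {}, "total": None, "hard_limit": None, "usage": None}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias Table"):            # also matches the "(Match)" section
            section = "counts"
        elif line.startswith("pfSense Table Stats"):
            section = "stats"
        elif section == "counts":
            m = COUNT_RE.match(line)
            if m:
                n, name = int(m.group(1)), m.group(2)
                if name == "total":
                    result["total"] = n
                else:
                    result["counts"][name] = n
        elif section == "stats":
            m = LIMIT_RE.match(line)
            if m:
                result["hard_limit"] = int(m.group(1))
            m = USAGE_RE.match(line)
            if m:
                result["usage"] = int(m.group(1))
    return result


def check(parsed, url_alias_ceiling=URL_ALIAS_CEILING, headroom=0.8):
    """Return findings as strings; an empty list means the counts look sane."""
    findings = []
    counts, total = parsed["counts"], parsed["total"]
    if total is not None and sum(counts.values()) != total:
        findings.append("total: reported %d but per-list counts sum to %d"
                        % (total, sum(counts.values())))
    for name, n in counts.items():
        if n > url_alias_ceiling:
            findings.append("%s: %d entries, more than a plain URL alias holds; use a URL Table alias"
                            % (name, n))
    hard, usage = parsed["hard_limit"], parsed["usage"]
    if hard and usage and usage > headroom * hard:
        findings.append("tables: usage %d is over %d%% of the %d hard limit; raise Firewall Maximum Table Entries"
                        % (usage, headroom * 100, hard))
    return findings


def compare_with_live(parsed, live_counts):
    """Lists whose download.log count differs from what pf actually loaded.
    live_counts maps alias name -> entries, e.g. from `pfctl -t NAME -T show | wc -l`."""
    return {name: (n, live_counts.get(name))
            for name, n in parsed["counts"].items() if live_counts.get(name) != n}


if __name__ == "__main__":
    parsed = parse_download_log(SAMPLE_LOG)
    for finding in check(parsed):
        print(finding)
    # a list that pf loaded truncated at 2998 entries shows up immediately
    print(compare_with_live(parsed, dict(parsed["counts"], IR_PRI1=2998)))
```

Feed `compare_with_live()` the line counts from `pfctl -t NAME -T show` for each alias: a list that the log says has 30389 entries but pf holds at 2998 is the symptom discussed further down in this thread.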
    • q54e3w

                                 I don't know why, it's not likely right, but my download.log is zero bytes…..
                                I just re-ran the script and it shows the following...

                                
                                Alias Table IP Counts (w/o 1.1.1.1)
                                -----------------------------
                                  256918 total
                                  142929 /usr/local/www/aliastables/IR_SEC3
                                   51854 /usr/local/www/aliastables/IR_IB
                                   28441 /usr/local/www/aliastables/IR_PRI2
                                   24370 /usr/local/www/aliastables/IR_SEC1
                                    4994 /usr/local/www/aliastables/IR_TOR
                                    3811 /usr/local/www/aliastables/IR_PRI1
                                     519 /usr/local/www/aliastables/IR_SEC2
                                
                                Alias Table (Match) IP Counts
                                -----------------------------
                                   21218 /usr/local/www/aliastables/IR_Match
                                
                                pfSense Table Stats
                                -------------------
                                table-entries hard limit 10000000
                                Table Usage Count        897695
                                
                                

                                I can confirm all lists over 2998 entries (i.e everything other than IR_SEC2) appear to be "capped".

                                The IR_SEC3 thing is just a comment where i created the alias.

    • BBcan177 (Moderator)

                                  In the script, pfiprep,

                                  There is a line 210, pfupdate=yes

                                  Can you confirm if that is set to "yes"

                                  After the Alias Table list, you will see something that looks like this that shows pfctl Updating the Alias Tables:

                                   Updating  [ IR_PRI1 ] [  ET_IPrep ET_Comp ET_Block Spamhaus_drop Spamhaus_edrop Spamhaus_CC CIArmy AbuseZeus AbuseSpyeye AbusePalevo dShield_Top dShield_Block SnortBL ISC_top10 Snort64 ]
                                  94 addresses added.

                                  Updating  [ IR_PRI2 ] [  ALIENVAULT Atlas_Attacks Atlas_Botnets Atlas_Fastflux Atlas_Phishing Atlas_Scans Atlas_SSH SRI_Attackers SRI_CC HoneyPot ]
                                  48 addresses added.
                                  61 addresses deleted.

                                  No Updates [ IR_PRI3 ]

                                  No Updates [ IR_SEC1 ]

                                  No Updates [ IR_SEC2 ]

                                  No Updates [ IR_SEC3 ]

                                  No Updates [ IR_IB ]

                                  No Updates [ IR_TOR ]

                                  No Updates [ IR_MAIL ]

                                   No Updates [ IR_CC ]

    • q54e3w

                                    this looks right…..

    • q54e3w

                                      it looks right…..

                                      update was set to yes....

                                      Updating   [ IR_PRI1 ] [  ET_Comp ET_Block Spamhaus_drop Spamhaus_edrop CIArmy AbuseZeus AbuseSpyeye AbusePalevo dShield_Top dShield_Block SnortBL ISC_top10 ]
                                      813 addresses added.
                                      
                                      Updating   [ IR_PRI2 ] [  ALIENVAULT Atlas_Attacks Atlas_Botnets Atlas_Fastflux Atlas_Phishing Atlas_Scans Atlas_SSH SRI_Attackers SRI_CC HoneyPot ]
                                      25533 addresses added.
                                      90 addresses deleted.
                                      
                                      No Updates [ IR_PRI3 ]
                                      
                                      No Updates [ IR_SEC1 ]
                                      
                                      No Updates [ IR_SEC2 ]
                                      
                                      No Updates [ IR_SEC3 ]
                                      
                                      No Updates [ IR_IB ]
                                      
                                      No Updates [ IR_TOR ]
                                      
                                      No Updates [ IR_MAIL ]
                                      
                                      No Updates [ IR_CC ]
                                      

                                      looks like the mouseover thing is wrong, to me at least.

    • BBcan177 (Moderator)

                                        Make sure you created the Alias URL Tables correctly. Cino posted his setup here

                                        https://forum.pfsense.org/index.php?topic=78062.msg427132#msg427132

    • q54e3w

                                           yeah, that's where I copied the setup from. It's been a long day so it's completely possible I've screwed something up, but it seems basic enough (isn't this where all errors are made, the easy stuff!?)

                                          each rule looks like this….

                                          Edit: Hang on: it says use small IP lists under 3000 there….

                                          and the alias page looks like this.....(not sure why mine shows a section of the data under each rule mind.....version difference with 2.1.4?)

    • BBcan177 (Moderator)

                                            We all make mistakes and I think the issue is that you created a "URL" Alias instead of a "URL Table" Alias.

                                             When it's a URL alias, it has a maximum number of IPs that it can hold.

                                            You should also keep the Description the same as the Alias Name, so its easier to see in the Logs and Rules GUI.

                                            Easy Fix…  ;)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.