PfBlocker - Block Hit Counter
-
Hi Pistolero,
I think I see the issue, for some reason the logs have changed in pfSense or I didn't test it on a singular date. The Date function used a Zero filled value when it needs a single digit variable. Need to change the "d" date variable to an "e" variable.
Change this line
event=$(date +%b" "%d)
to
event=$(date +%b" "%e)
Save and try it again.
-
@BBcan17:
Hi Pistolero,
I think I see the issue, for some reason the logs have changed in pfSense or I didn't test it on a singular date. The Date function used a Zero filled value when it needs a single digit variable. Need to change the "d" date variable to an "e" variable.
Change this line
event=$(date +%b" "%d)
to
event=$(date +%b" "%e)
Save and try it again.
Hi BBcan17, I have the same problem as Pistolero which is no blocks shown. And where do we need to change those line? I cant fin that in pf-log-oneline-option-2.1.1.diff ???
-
Hi Bismarck,
You need to change that in the pfcount script. It's near the top of the script. Line 4.
If you followed the original instructions, you can edit it in the filer package.
-
Works great now! Thanky you!
Command output: pfBlocker Hit Counter (/stuff/pfcount)
==========================================================
The Following Address(es) were Blocked on Interface bce0 on May 661.174.51.200
213.113.206.131==========================================================
pfBlockerEmerging_OPFAS.txt:61.174.51.194/32
pfBlockerEmerging_OPFAS.txt:61.174.51.195/32
pfBlockerEmerging_OPFAS.txt:61.174.51.196/32
pfBlockerEmerging_OPFAS.txt:61.174.51.197/32
pfBlockerEmerging_OPFAS.txt:61.174.51.198/32
pfBlockerEmerging_OPFAS.txt:61.174.51.199/32
pfBlockerEmerging_OPFAS.txt:61.174.51.200/32
pfBlockerEmerging_OPFAS.txt:61.174.51.201/32
pfBlockerEmerging_OPFAS.txt:61.174.51.202/32
pfBlockerEmerging_OPFAS.txt:61.174.51.203/32
pfBlockerEmerging_OPFAS.txt:61.174.51.204/32
pfBlockerEmerging_OPFAS.txt:61.174.51.205/32
pfBlockerEmerging_OPFAS.txt:61.174.51.207/32
pfBlockerEmerging_OPFAS.txt:61.174.51.208/32
pfBlockerEmerging_OPFAS.txt:61.174.51.209/32
pfBlockerEmerging_OPFAS.txt:61.174.51.210/32
pfBlockerEmerging_OPFAS.txt:61.174.51.211/32
pfBlockerEmerging_OPFAS.txt:61.174.51.212/32
pfBlockerEmerging_OPFAS.txt:61.174.51.213/32
pfBlockerEmerging_OPFAS.txt:61.174.51.214/32
pfBlockerEmerging_OPFAS.txt:61.174.51.215/32
pfBlockerEmerging_OPFAS.txt:61.174.51.216/32
pfBlockerEmerging_OPFAS.txt:61.174.51.217/32
pfBlockerEmerging_OPFAS.txt:61.174.51.218/32
pfBlockerEmerging_OPFAS.txt:61.174.51.219/32
pfBlockerEmerging_OPFAS.txt:61.174.51.220/32
pfBlockerEmerging_OPFAS.txt:61.174.51.221/32
pfBlockerEmerging_OPFAS.txt:61.174.51.222/32
pfBlockerEmerging_OPFAS.txt:61.174.51.223/32
pfBlockerEmerging_OPFAS.txt:61.174.51.224/32
pfBlockerEmerging_OPFAS.txt:61.174.51.225/32
pfBlockerEmerging_OPFAS.txt:61.174.51.226/32
pfBlockerEmerging_OPFAS.txt:61.174.51.227/32
pfBlockerEmerging_OPFAS.txt:61.174.51.228/32
pfBlockerEmerging_OPFAS.txt:61.174.51.229/32
pfBlockerEmerging_OPFAS.txt:61.174.51.230/32
pfBlockerEmerging_OPFAS.txt:61.174.51.232/32
pfBlockerEmerging_OPFAS.txt:61.174.51.233/32
pfBlockerEmerging_OPFAS.txt:61.174.51.234/32
pfBlockerEmerging_OPFAS.txt:61.174.51.235/32EVENT [ 61.174.51.200.6000 > 213.252.49.13.22 ]
Blocked IP [ 61.174.51.200 ] on bce0, found [ 1 ] times
–-------------------------------------------------------
IP Address = 61.174.51.200
Threat Level = High
Threat Category = Malware Propagator
Threat Description = Malware scan and infect source
Hostname =
Service Provider = CHINANET-ZJ HUZHOU NODE NETWORK
Domain Name = CHINATELECOM.COM.CN
ASN Number =
ASN Name =
Network Speed = DSL
Country CC = CN
Country = CHINA
Region = ZHEJIANG
City = HANGZHOU
Longitude = 120.161422729492
Latitude = 30.2936496734619==========================================================
Address not found in any current listsEVENT [ 213.113.206.131.1248 > 213.252.49.13.23 ]
Blocked IP [ 213.113.206.131 ] on bce0, found [ 1 ] times
–-------------------------------------------------------
IP Address = 213.113.206.131
Threat Level = Unverified
Threat Category =
Threat Description =
Hostname =
Service Provider = B2 BREDBAND AB
Domain Name = BREDBAND.COM
ASN Number =
ASN Name =
Network Speed = DSL
Country CC = SE
Country = SWEDEN
Region = VARMLANDS LAN
City = KARLSTAD
Longitude = 13.5035696029663
Latitude = 59.3792991638184==========================================================
The Following Address(es) were Blocked on Interface bce1 on May 6==========================================================
The Following Address(es) were Blocked on Interface bce2 on May 6But it would be nice to have just the IPs listed, which are blocked and not all in that segment, see above.
Anyway thank you very much. :)
-
Damn, you're good! That did the trick! Thank you!
@BBcan17:
Hi Pistolero,
I think I see the issue, for some reason the logs have changed in pfSense or I didn't test it on a singular date. The Date function used a Zero filled value when it needs a single digit variable. Need to change the "d" date variable to an "e" variable.
Change this line
event=$(date +%b" "%d)
to
event=$(date +%b" "%e)
Save and try it again.
-
Hi BBcan,
I LOVE YOUR SCRIPT!!!
Can I humbly request the addition of an option to enable name resolution for the IPs listed in the report? It would help me greatly to troubleshoot a stupid app which will not work and I don't know what is blocking it.
Thank you sir!
-
Hi Pistolero,
Thanks. The BotHunter lookup should provide all of the Name Resolution. Typically if it doesn't report some of the details, then the IP is most likely malicious or the Bothunter doesnt have it in its database.
Can you post the IP and the Bothunter report for the one that's causing you an issue?
If you want a quick and dirty method to see what Blocklist has an certain IP, you can do the following command in an SSH shell or from the Diagnostics:Command Prompt.
grep "x.x.x.x" /var/db/aliastables/*
or just search with the (x.x.x.) First Three octets as the IP address you want to find as the address could be in a CIDR Range.
@Bismarck et al
You can modify the script with these lines so it will report less Lines in the output.
The first line has the ^$ii changed to ^$i and the next lines is new.
blist=$(grep ^$i $lists | sed 's//var/db/aliastables// /g')
if [ -z "$blist" ]; then blist=$(grep ^$ii $lists | sed 's//var/db/aliastables// /g'); fi -
Hi BBcan!
I am really missing your awesome script on 2.2! Any idea how to make it work?
Thanks!
-
Check out BBCans recent pfblockerNG package - I think that will do what you want.
-
Hi BBcan!
I am really missing your awesome script on 2.2! Any idea how to make it work?
Thanks!
Its been awhile since I looked at that… Are you using pfBlockerNG? Maybe that will provide all you need?
-
Hi BBcan!
I am really missing your awesome script on 2.2! Any idea how to make it work?
Thanks!
Its been awhile since I looked at that… Are you using pfBlockerNG? Maybe that will provide all you need?
I have tried pfBlockerNG, but I am currently unable to make it work (get the dreaded "-" in the packet list, and multiple errors downloading the lists. If time permits I'll make a post on the NG thread about my woes with it…
Thank you, sir!
-
I've installed then reinstalled pfBlockerNG so many times it would make you laugh. What are the errors your getting and what do the logs say? I started with BB's script, this is it, only better. Yell out and I can quickly get you up an running.
Hi BBcan!
I am really missing your awesome script on 2.2! Any idea how to make it work?
Thanks!
Its been awhile since I looked at that… Are you using pfBlockerNG? Maybe that will provide all you need?
I have tried pfBlockerNG, but I am currently unable to make it work (get the dreaded "-" in the packet list, and multiple errors downloading the lists. If time permits I'll make a post on the NG thread about my woes with it…
Thank you, sir!
-
hi wcrowder!
I really appreciate your offer to assist. I am overseas (In Medellin, Colombia, actually), and will be back home on March 5th. BBCan, as awesome as he is, also offered to help (you guys rock! thank you!).
If you can, It'd be awesome to have a TeamViewer or WebEx session on or after march 5th. If you are unable to, I'll gather logs and shoot 'em over your way. I'm sure it's not working due to something stupid I did :P
Again, thank you and have a great weekend, sir!
