PfBlockerNG
-
Yes for sure. BBCan177 I will be making a contribution for your efforts soon. I am a big fan of pfBlockerNG.
Now I am concerned that my leased IP is on a web attackers blacklist. I am hoping to find the time to configure Splunk as a SIEM. In the meantime I am trying to look into a few entries found in the logs to determine the source. I installed the Sysinternals SysMon tool so that I could get a verbose look at network connections originating from my Windows box but I cannot find a few of the entries that are being flagged in pfBlockerNG. Take for instance a http call out to 184.168.229.128 is flagged by the Alienvault blocklist. I thought I could trace back by source port in syslog but it is nowhere to be found in my event logs. Any ideas?
-
Hi Heisenberg1977,
In the Alerts Tab, you can click on the "!" icon for any alerted IP and it will open a second page which does a DNS Resolve. Clicking on "DNS Lookup" will open a page with several Sites where you can lookup the IP to gather some intel.
I am a big fan of "Security Onion"… You should check it out!
http://blog.securityonion.net/p/securityonion.html
https://code.google.com/p/security-onion/wiki/IntroductionToSecurityOnion -
I just found the lookup feature a few minutes before you posted it. Real nice!. I'm still searching for a good Windows tool that will allow me to have a granular look at all network activity. Sysmon's ability to write to the event logs is great as it gives the ability to easily go back and search. It's logging a lot of stuff but my search did not pick up anything with destination address 184.168.x.x unfortunately.
-
Try the pfSense package ntopng…
-
Wow this package has really taken off. I have been away from all of this for a while. I had to reinstall my firewall and noticed that pfblocker (original wasnt a package anymore). I got this installed and I am amazed with what you can do.. I do have a quick question though.. How would i go about pulling all of the custom ips that I had set up in lists in the old pfblocker? I have the backed up config file for pfsense.. Am I able to pull them out of that somehow? I had some very extensive lists that I would like to duplicate on this pacakge without having to manually search and locate all of the ips again…
Good Job on this package bbcan! Sorry i fell off on the beta testing.. just got super busy with work and never had the opportunity to play with it.
-
How would i go about pulling all of the custom ips that I had set up in lists in the old pfblocker?
If you goto Diagnostics:Command Prompt in the GUI -
And in the PHP Execute Box type :
print base64_decode(" coded String ");
So you will need to view the config.xml file (or the Backup file) and find the old pfBlocker Alias and look for the line "coded string" and copy the "coded string" part …
It will output the decoded string to the Screen.
Hope this helps!
-
How would i go about pulling all of the custom ips that I had set up in lists in the old pfblocker?
If you goto Diagnostics:Command Prompt in the GUI -
And in the PHP Execute Box type :
print base64_decode(" Decoded String ");
So you will need to view the config.xml file (or the Backup file) and find the old pfBlocker Alias and look for the line "decoded string" and copy the "decoded string" part …
It will output the decoded string to the Screen.
Hope this helps!
Thanks alot!! I got most of them from that section that all of these are kept at. However when trying to get the custom ips I copied the code that is beteen the and I am getting.
Parse error: syntax error, unexpected end of file in /usr/local/www/exec.php(250) : eval()'d code on line 2
I copied exactly what was there. I used notepad to copy as well as adobe dreamworks since it formats it as it should… same result.. Am i doing it wrong?
===== edit=======Well i just did a round about way.. Since I restored off of the config file, the pfblocker folder is there in my hierarchy.. I went into it and there is a txt file that has the list there.. I just opened it and copied the info out of it.. So I am good now..
Thanks for your help!! -
Parse error: syntax error, unexpected end of file in /usr/local/www/exec.php(250) : eval()'d code on line 2
Make sure the Coded string that you copied is pasted inside the quotation marks and at the end of the command there is the semi-colon.
-
Parse error: syntax error, unexpected end of file in /usr/local/www/exec.php(250) : eval()'d code on line 2
Make sure the Decoded string that you copied is pasted inside the quotation marks and at the end of the command there is the semi-colon.
ah.. that was my mistake.. works like a charm now.. :-D
-
News - Emerging Threats acquired by Proofpoint? Wonder what this means for the Open Rulesets and lists?
https://proofpoint.com/us/proofpoint-signs-definitive-agreement-acquires-emerging-threats?utm_campaign=Project+Erie&utm_source=hs_email&utm_medium=email&utm_content=16303236&_hsenc=p2ANqtz-8E0j1nitfkn_rbVyujlv55UteYuZ9GuEWyH3Wlqv6AeMtvS1oRNnbvgA1qSFYfgAgV456PhtiJ7L2-_RZjlyTZ-EOTWA&_hsmi=16303236
-
Something is strange with the Alias Header.
This is the Alias and Alert tabs.For some reasons on the Alert tab the IP-address is properly indicated as GB, but the list name is wrong.
-
News - Emerging Threats acquired by Proofpoint? Wonder what this means for the Open Rulesets and lists?
Paid 40M in cash and stock. Considering the low price paid, lets say its 20-40 PE, this tells me ET were barely making any dime…
Proofpoint will focus on B2B, business cloud solution and try to make more money. Also, they should cut all ET staffs except the 20 plp working on rules writing and threat analysis...
My two cents.
F.
-
News - Emerging Threats acquired by Proofpoint? Wonder what this means for the Open Rulesets and lists?
Emerging Threats posted this letter committing to continue to support the Open ruleset. Obviously things could change over time, but it's a fairly strong statement.
-
My itch is getting worse….. lol how does one become beta tester for pfsense?
-
My itch is getting worse….. lol how does one become beta tester for pfsense?
pfBlockerNG is available in the packet repo, no need to be a beta tester or anything. All you need is pfSense 2.2.X.
-
lol another case of half-asleep pfsense tinkering. My bad.
-
How often do you update the enabled lists? I'm using pfSense for my home router/firewall with the following lists :
-
How often do you update the enabled lists?
Hi postduif,
In the pfblockerng.log (This can be viewed in the Log Browser), after the downloads are completed, you will see a section called :
"==[ [b]Last Updated List Summary ]=="
This will show you the last updated timestamp of the Threat Sources. You can change the lists to update once per hour and follow the log file for a few days to see the Update Frequency of each list and adjust accordingly.
I would recommend atleast a once a day for most, some are updated more frequently (1-4hrs).
Also the first step in any Cron event is to check the timestamp of the remote server and see if its the same as the previous download, then the download is skipped for that particular list. Also note the blocklist.de has several other lists available (you show only the ssh list).
I have also indicated in several posts in this thread to be more concerned about the "Outbound" traffic.
Typically for "Home" use, you most likely do not have any open ports. As pfSense is a Stateful Firewall by design, it is blocking all unsolicited traffic on the inbound WAN. But if a device on the LAN makes a request to any of these Malicious IPs, it will go thru and not protect your devices as you have not configured any "OUTBOUND" rules. If you do have open WAN ports, then you can add specific Alias Type Rules to protect those individual ports on the "Inbound" WAN.
Hope this helps!
-
So i just finished reading this entire 36 page thread prior to posting any questions when installing/setting up, as I definitely do not consider myself an "engineer." I wanted to thank everyone involved (not just limited to testing) and most notably BBcan177 for his time and effort contributed.
-
How often do you update the enabled lists?
Hi postduif,
In the pfblockerng.log (This can be viewed in the Log Browser), after the downloads are completed, you will see a section called :
"==[ [b]Last Updated List Summary ]=="
This will show you the last updated timestamp of the Threat Sources. You can change the lists to update once per hour and follow the log file for a few days to see the Update Frequency of each list and adjust accordingly.
I would recommend atleast a once a day for most, some are updated more frequently (1-4hrs).
Also the first step in any Cron event is to check the timestamp of the remote server and see if its the same as the previous download, then the download is skipped for that particular list. Also note the blocklist.de has several other lists available (you show only the ssh list).
I have also indicated in several posts in this thread to be more concerned about the "Outbound" traffic.
Typically for "Home" use, you most likely do not have any open ports. As pfSense is a Stateful Firewall by design, it is blocking all unsolicited traffic on the inbound WAN. But if a device on the LAN makes a request to any of these Malicious IPs, it will go thru and not protect your devices as you have not configured any "OUTBOUND" rules. If you do have open WAN ports, then you can add specific Alias Type Rules to protect those individual ports on the "Inbound" WAN.
Hope this helps!
Really helps for understanding pfblockerng, thanks.
The only inbound services i'm using are ssh (on port 6622 which forwards to an internal server on port 22, but is only allowed from a specific source IP) and Openvpn on port 1194.
What's your advice, only use deny_outbound on my lists? Or deny_both?
