Netgate Discussion Forum

    How/Can pfBlocker process this Ransomware list?

    13 Posts 5 Posters 4.7k Views
    • RonpfS

      https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
      and https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt can be used in DNSBL

      This one is for IPV4 https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

    • guardian (Rebel Alliance)

        @RonpfS:

        https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
        and https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt can be used in DNSBL

        This one is for IPV4 https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt

        Thanks for the reply RonpfS….

        I've already loaded those, but when I looked at http://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt it seemed to contain a lot of new/different content from the other two lists which is why I was eager to include it.

        If you find my post useful, please give it a thumbs up!
        pfSense 2.7.2-RELEASE

    • BBcan177 (Moderator)

          You have two choices:

          1. Add the source to both an IPv4 alias and a DNSBL group and it will collect either the IPv4 addresses or Domains as required.

          2. In DNSBL, when a feed contains IPv4 addresses, you can enable the DNSBL IP option to collect any IPv4 address that it finds. All IPs are combined into a single DNSBL_IP alias that can be used in your firewall rules.

          Also you can add a pfSense local file as a source. Click on the blue infoblock icons for further details.

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

    • guardian (Rebel Alliance)

            Thanks for the reply and all your great work on this package BBcan177

            The URL http://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt produces the following output for IPv4:


            As you can see this is a bit dangerous (/7 /8 is a disaster waiting to happen)!
            There are some very funky URLs that start with /7 and /8 that are messing things up.  Possibly the regex needs a bit of tweaking to make delimiters white space or NOT [A-Za-z0-9].  That would likely fix this problem.

            Is there any way to hook a custom downloader?
            If it can't be done already, how about a directory similar to rc.d that runs a script with the name of the Group or the list after it is fetched, but before it is loaded?
            I would think that this would still be secure (as long as the code installed is secure) and I would require code be installed by ssh/scp which presupposes credentials and a minimal level of skill.

            Alternatively can I specify a source from the local file system someway?
            A little harder to work with, but then you don't have to touch pfSense and I can do whatever I want.

            I've had several cases where I couldn't use lists with pfBlocker because overrides were too difficult (try overriding a /18 with /32 & /24 - grepping and pulling the offending line(s) would be so simple):

            I also wanted to try out FIREHOL Level 1 directly from GitHub instead of downloading all the separate lists. I tried it, and it totally killed my system - I think it was because the list contained broadcast addresses that were floating around my network due to double NAT or IOT devices… didn't bother to figure out what the problem was, just pulled the list because I expected that override would be way too hard or impossible anyway.

            The FIREHOL anon list is also one that I would like to load, but can't due to the difficulty of unblocking my VPN provider (/18s and multiple ASNs).  Again grepping and removing lines would be easy.

            Comments / suggestions / work arounds / have I overlooked something?

            To be clear, no criticism, just a desire to get info so I can make better use of a great package (and possibly suggest an improvement for a future release if it would be of help to a large enough user group.)


    • BBcan177 (Moderator)

              I will get one of my beta testers to post the new regex to fix that.

              Also there is an IPv4 tunable to limit CIDRs already in the pkg.

              I am away until next week so have limited access to review code.


    • RonpfS

                Edit /usr/local/pkg/pfblockerng/pfblockerng.inc; around line 4378 you should find:

                	#################################################
                	#	Download and Collect IPv4/IPv6 lists	#
                	#################################################
                
                	// IPv4 REGEX Definitions
                	$pfb['range']	= '/((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))-((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/';
                	$pfb['ipv4']	= '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/(3[012]|[12]?[0-9]))?/';
                
                	// IPv6 REGEX Definitions - Reference: http://labs.spritelink.net/regex
                

                Change to this

                	#################################################
                	#	Download and Collect IPv4/IPv6 lists	#
                	#################################################
                
                	// IPv4 REGEX Definitions
                	$pfb['range']	= '/((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))-((?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?))/';
                	//$pfb['ipv4']	= '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)(\/(3[012]|[12]?[0-9]))?/';
                	$pfb['ipv4']	= '/(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)((\/(3[012]|[12]?[0-9]))?(?![-0-9a-zA-Z]))/';
                
                	// IPv6 REGEX Definitions - Reference: http://labs.spritelink.net/regex
                

                It should now produce only bare addresses, without the spurious /7 and /8 suffixes:


                BTW, these are also present in pfB_DNSBLIP.


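As an added example (not pfBlockerNG's own code and not posted in this thread), the old and new `$pfb['ipv4']` patterns from the post are run from Python over a constructed feed in the style of RW_URLBL.txt, so you can see why a URL path starting with a digit became a bogus /7 or /8 and what the `(?![-0-9a-zA-Z])` lookahead changes. The feed lines and helper names are assumptions made for the demonstration.

```python
import re

# The two IPv4 patterns from the post, with the PHP '/.../' delimiters removed.
# OCTET is shared by both; the "new" pattern appends the negative lookahead.
OCTET = r"(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)"
IPV4_OLD = re.compile(rf"(?:{OCTET}\.){{3}}{OCTET}(\/(3[012]|[12]?[0-9]))?")
IPV4_NEW = re.compile(
    rf"(?:{OCTET}\.){{3}}{OCTET}((\/(3[012]|[12]?[0-9]))?(?![-0-9a-zA-Z]))"
)

# Constructed sample in the shape of a URL blocklist; RFC 5737 documentation
# addresses, not real indicators.  Lines 1 and 3 have a path that begins with
# a digit, which is exactly what tripped the old pattern in the thread.
SAMPLE_FEED = """\
http://192.0.2.10/8ujk3/gate.php
http://192.0.2.10/login.php
http://198.51.100.77/7bd/panel/
http://203.0.113.5:8080/x.exe
http://203.0.113.0/24
http://example.test/192.0.2.99abc
"""


def extract_ipv4(feed_text: str, pattern: re.Pattern) -> list[str]:
    """Every match of `pattern` in the feed, in order, duplicates kept."""
    return [m.group(0) for m in pattern.finditer(feed_text)]


def unique_in_order(entries: list[str]) -> list[str]:
    """Collapse repeated entries while keeping first-seen order."""
    return list(dict.fromkeys(entries))


def spurious_cidrs(feed_text: str) -> list[str]:
    """Entries the old pattern emits with a prefix length that the tightened
    pattern does not confirm.  A stray /7 or /8 would turn one host into a
    block of 16 to 33 million addresses in the resulting alias."""
    confirmed = set(extract_ipv4(feed_text, IPV4_NEW))
    old = extract_ipv4(feed_text, IPV4_OLD)
    return [e for e in old if "/" in e and e not in confirmed]


if __name__ == "__main__":
    for label, pat in (("old", IPV4_OLD), ("new", IPV4_NEW)):
        print(label, unique_in_order(extract_ipv4(SAMPLE_FEED, pat)))
    print("spurious:", spurious_cidrs(SAMPLE_FEED))
```

Note that the lookahead also drops an address glued to trailing letters (the last sample line) and an address followed by `-`, which is left to the separate `$pfb['range']` pattern shown in the post.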
    • doktornotor

                  @RonpfS:

                  Change to this

                  And that was the "regex is easy" example of the day.

    • guardian (Rebel Alliance)

                    @RonpfS:

                    Edit /usr/local/pkg/pfblockerng/pfblockerng.inc around line 4378 you should find :

                    Thanks RonpfS…. good job... made the edit and it worked just fine. Had to search for the code block, but on my system there were about 300+ fewer lines:

                    4037        // IPv4 REGEX Definitions

                    I assume you must be using a newer/development version?

                    Anyway great job... thanks.


    • RonpfS

                      Yes I am running the development version.

                      I was just helping BBcan177 on this one as he doesn't have easy access to the code.


    • BBcan177 (Moderator)

                        Thanks for testing the updated regex :)


    • dcol

                          Why not just use
                          https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt

    • BBcan177 (Moderator)

                            @dcol:

                            Why not just use
                            https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt

                            They are two different Feeds…

                            The URL and DOM feeds should be used in DNSBL as it contains Domain names.... There are also IPs mixed in, so enabling the DNSBL IP option will also pull those IPs...


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.