Netgate Discussion Forum

    Alias Native Logging

    • RonpfSR
      RonpfS @MORGiON
      last edited by RonpfS

      @morgion It also becomes Unknown when it's no longer in any DNSBL tables.

      So when it finds an alert in the dnsbl.log file, it will display it in the Report tab even if it's no longer in any feed.

      Can you hit the ^0 beside Quote in this forum (This will give me the minimum 3 Reputations so I don't have to wait "120 Sec" between posts) ☹

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

      • MORGiONM
        MORGiON
        last edited by

        Just flicked through Diag/Tables all the pfb ip tables are populated.

        Also included my Openvpn rules to show how it was setup

        0_1527468044479_Untitled.png

        • RonpfSR
          RonpfS @MORGiON
          last edited by

          @morgion I guess the reports only search for Auto Rules as it has no way to figure out what are the FWRule TrackerIDs of your rules 😞

          • MORGiONM
            MORGiON @RonpfS
            last edited by MORGiON

            @ronpfs That would be my guess, though it used to work pre development version; you just had to ensure logging was enabled for that rule. I'm hoping it's a bug that BBcan17 will get around to one day. If not, it still works great and pfSense/pfBlocker is a fantastic product.

            Here is a pic of the pfBlocker reports, FYI

            0_1527468571390_Untitled 2.png

            • RonpfSR
              RonpfS @MORGiON
              last edited by RonpfS

              @morgion You can check that the 77.72.82.71 (or 77.72.82 or 77.72.) is in your Permit/Deny/Match/Native db with something like

              grep "^77.72.82" /var/db/pfblockerng/permit/*.txt  /var/db/pfblockerng/original/*.orig
              

              • RonpfSR
                RonpfS
                last edited by RonpfS

                @BBcan17 said in [Email] :
                In Extra Options, change the Description to something that starts with "pfb_"

                • MORGiONM
                  MORGiON @RonpfS
                  last edited by

                  @ronpfs said in Alias Native Logging:

                  grep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

                  grep: /var/db/pfblockerng/permit/.txt: No such file or directory
                  grep: /var/db/pfblockerng/original/.orig: No such file or directory

                  • RonpfSR
                    RonpfS @MORGiON
                    last edited by RonpfS

                    @morgion said in Alias Native Logging:

                    @ronpfs said in Alias Native Logging:

                    grep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

                    grep: /var/db/pfblockerng/permit/.txt: No such file or directory
                    grep: /var/db/pfblockerng/original/.orig: No such file or directory

                    Oops, missing 2 "*" because I didn't use a </> Code block 😮

                    grep “^77.72.82” /var/db/pfblockerng/permit/*.txt  /var/db/pfblockerng/original/*.orig
                    

                    • MORGiONM
                      MORGiON @RonpfS
                      last edited by

                      @ronpfs said in Alias Native Logging:

                      rep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

                      No output

                      • MORGiONM
                        MORGiON @RonpfS
                        last edited by

                        @ronpfs said in Alias Native Logging:

                        @BBcan17 said in [Email] :
                        In Extra Options, change the Description to something that starts with "pfb_"

                        No effect

                        • RonpfSR
                          RonpfS @MORGiON
                          last edited by RonpfS

                          @morgion said in Alias Native Logging:

                          @ronpfs said in Alias Native Logging:

                          @BBcan17 said in [Email] :
                          In Extra Options, change the Description to something that starts with "pfb_"

                          No effect

                          Maybe do a Force Reload IP 😖

                          Restart the pfBlockerNG firewall filter service 😕

                          • RonpfSR
                            RonpfS @MORGiON
                            last edited by RonpfS

                            @morgion said in Alias Native Logging:

                            @ronpfs said in Alias Native Logging:

                            rep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

                            No output

                            grep “^77.72.” /var/db/pfblockerng/permit/*.txt  /var/db/pfblockerng/original/*.orig
                            

                            It may be in a big block range.

                            If you go further down in the Alerts Tab (maybe change the settings to get more alerts), was it in a table at some point in time?

                            • MORGiONM
                              MORGiON @RonpfS
                              last edited by MORGiON

                              @ronpfs

                              Still no output from grep

                              Alerts tab

                              May 28 11:41:32 WAN pfB_PRI1_v4
                              (1770009104) TCP-S 77.72.82.71:59854
                              hostby.ups-gb.co.uk     xxx.xxx.xxx.xxx:59599 
                              GB ET_Block_v4
                              77.72.82.0/24

                              Get hit by this one a lot so didn't have to look far, not unknown anymore. Also doing full reload now

                              EDIT: Full reload didn't help ☹

                              • RonpfSR
                                RonpfS @MORGiON
                                last edited by RonpfS

                                @morgion said in Alias Native Logging:

                                doing full reload now

                                If your Permit rules don't generate alerts, try to restart the pfBlockerNG firewall filter service.

                                You can also peek at the ip_permit.log file.

                                • MORGiONM
                                  MORGiON @RonpfS
                                  last edited by

                                  @ronpfs said in Alias Native Logging:

                                  @morgion said in Alias Native Logging:

                                  doing full reload now

                                  If your Permit rules don't generate alerts, try to restart the pfBlockerNG firewall filter service.

                                  You can also peek at the ip_permit.log file.

                                  Restarted pfBlocker Firewall Filter service, ip_permit.log empty

                                  • RonpfSR
                                    RonpfS @MORGiON
                                    last edited by

                                    @morgion said in Alias Native Logging:

                                    @ronpfs said in Alias Native Logging:

                                    rep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

                                    No output

                                    Looks like you don't need the "

                                    grep ^77.72.82 /var/db/pfblockerng/*/*.txt  /var/db/pfblockerng/original/*.orig
                                    

                                    • MORGiONM
                                      MORGiON @RonpfS
                                      last edited by

                                      @ronpfs said in Alias Native Logging:

                                      grep ^77.72.82 /var/db/pfblockerng/*/*.txt /var/db/pfblockerng/original/*.orig

                                      /var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.101
                                      /var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.14
                                      /var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.19
                                      /var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.22
                                      /var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.31
                                      /var/db/pfblockerng/deny/ET_Block_v4.txt:77.72.82.0/24
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.19 # Malicious Host
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.22 # Malicious Host
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.72 # Malicious Host
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.88 # Malicious Host
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.125 # Malicious Host
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.59 # Malicious Host
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.101 # Malicious Host
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.14 # Malicious Host
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.48 # Malicious Host
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.91 # Malicious Host
                                      /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.31 # Malicious Host
                                      /var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.15
                                      /var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.19
                                      /var/db/pfblockerng/original/BlockListDE_All_v4.orig:77.72.82.15
                                      /var/db/pfblockerng/original/BlockListDE_SSH_v4.orig:77.72.82.15
                                      /var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.101
                                      /var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.14
                                      /var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.19
                                      /var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.22
                                      /var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.31
                                      /var/db/pfblockerng/original/DangerRulez_v4.orig:77.72.82.15 # 2018-05-27 10:23:33 21 1486391
                                      /var/db/pfblockerng/original/ET_Block_v4.orig:77.72.82.0/24
                                      /var/db/pfblockerng/original/ET_Comp_v4.orig:77.72.82.15
                                      /var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.56
                                      /var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.14
                                      /var/db/pfblockerng/original/ISC_Block_v4.orig:77.72.82.0 77.72.82.255 24 1342 NETUP-AS , RU aospan@netup.ru
                                      /var/db/pfblockerng/original/SuspectNetworks_v4.orig:77.72.82.0/24

                                      • RonpfSR
                                        RonpfS @MORGiON
                                        last edited by

                                        @morgion said in Alias Native Logging:

                                        ip_permit.log empty

                                        And you see the Permits in FW Logs ?

                                        • MORGiONM
                                          MORGiON @RonpfS
                                          last edited by

                                          @ronpfs said in Alias Native Logging:

                                          @morgion said in Alias Native Logging:

                                          ip_permit.log empty

                                          And you see the Permits in FW Logs ?

                                          Yes

                                          • RonpfSR
                                            RonpfS @MORGiON
                                            last edited by

                                            @morgion said in Alias Native Logging:

                                            @ronpfs said in Alias Native Logging:

                                            grep ^77.72.82 /var/db/pfblockerng/*/*.txt /var/db/pfblockerng/original/*.orig


                                            Strange as 77.72.82.0/24 includes 77.72.82.1 to 77.72.82.254

                                            Do you have suppression enabled?

                                            MORGiONM 1 Reply Last reply Reply Quote 1
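A prefix grep like the ones in this thread only finds entries whose text begins with the same octets, so a wider covering range ("a big block range") is missed. The sketch below is an added example, not code from the thread or from pfBlockerNG: it parses the three line formats visible in the grep output above and reports every entry that actually contains a given address. The function names, the `Example_wide_v4.orig` feed and its `77.64.0.0/12` entry are constructed for illustration.

```python
import glob
import ipaddress


def parse_entry(line):
    """Return an ip_network for one feed line, or None if it holds no address.

    Formats taken from the grep output in this thread:
      77.72.82.19 # Malicious Host     single host plus trailing comment
      77.72.82.0/24                    CIDR
      77.72.82.0 77.72.82.255 24 ...   start, end, prefix-length columns
    """
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    spec = fields[0]
    # Column format: take the prefix length from the third column.
    if "/" not in spec and len(fields) >= 3 and fields[2].isdigit():
        spec = f"{spec}/{fields[2]}"
    try:
        return ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return None  # header text, hostnames, malformed lines


def find_covering(ip, entries):
    """entries: iterable of (source, line). Return [(source, network)] for
    every entry containing ip, most specific prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for source, line in entries:
        net = parse_entry(line)
        if net is not None and addr in net:
            hits.append((source, net))
    hits.sort(key=lambda hit: -hit[1].prefixlen)  # stable: keeps file order on ties
    return [(source, str(net)) for source, net in hits]


def read_feeds(patterns):
    """Yield (path, line) for every file matching the glob patterns."""
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            with open(path, errors="replace") as handle:
                for line in handle:
                    yield path, line


# Constructed sample: line formats copied from the thread, plus one
# hypothetical wide range that no "^77.72." grep would ever match.
SAMPLE = [
    ("deny/CINS_army_v4.txt", "77.72.82.101"),
    ("deny/ET_Block_v4.txt", "77.72.82.0/24"),
    ("original/Alienvault_v4.orig", "77.72.82.72 # Malicious Host"),
    ("original/ISC_Block_v4.orig", "77.72.82.0 77.72.82.255 24 1342 NETUP-AS"),
    ("original/Example_wide_v4.orig", "77.64.0.0/12"),
    ("original/Example_wide_v4.orig", "# comment only"),
]

if __name__ == "__main__":
    for source, net in find_covering("77.72.82.71", SAMPLE):
        print(f"{source}: {net}")
```

Against real files, pass `read_feeds(["/var/db/pfblockerng/*/*.txt", "/var/db/pfblockerng/original/*.orig"])` as `entries`, on any host with Python 3 and a copy of those directories.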