    Alias Native Logging

      RonpfS @MORGiON

      @morgion I guess the reports only search for Auto Rules as it has no way to figure out what are the FWRule TrackerIDs of your rules 😞

      2.4.5-RELEASE-p1 (amd64)
      Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
      Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        MORGiON @RonpfS

        @ronpfs That would be my guess, though it used to work pre development version; you just had to ensure logging was enabled for that rule. I'm hoping it's a bug that BBcan117 will get around to one day. If not, it still works great and pfSense/pfBlocker is a fantastic product.

        Here is a pic of the pfBlocker reports, FYI

        0_1527468571390_Untitled 2.png

          RonpfS @MORGiON

          @morgion You can check that the 77.72.82.71 (or 77.72.82 or 77.72.) is in your Permit/Deny/Match/Native db with something like

          grep "^77.72.82" /var/db/pfblockerng/permit/*.txt  /var/db/pfblockerng/original/*.orig
          

            RonpfS

            @BBcan17 said in [Email] :
            In Extra Options, change the Description to something that starts with "pfb_"

              MORGiON @RonpfS

              @ronpfs said in Alias Native Logging:

              grep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

              grep: /var/db/pfblockerng/permit/.txt: No such file or directory
              grep: /var/db/pfblockerng/original/.orig: No such file or directory

                RonpfS @MORGiON

                @morgion said in Alias Native Logging:

                @ronpfs said in Alias Native Logging:

                grep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

                grep: /var/db/pfblockerng/permit/.txt: No such file or directory
                grep: /var/db/pfblockerng/original/.orig: No such file or directory

                Oops, missing 2 "*" because I didn't use a </> Code block 😮

                grep “^77.72.82” /var/db/pfblockerng/permit/*.txt  /var/db/pfblockerng/original/*.orig
                

                  MORGiON @RonpfS

                  @ronpfs said in Alias Native Logging:

                  grep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

                  No output

                    MORGiON @RonpfS

                    @ronpfs said in Alias Native Logging:

                    @BBcan17 said in [Email] :
                    In Extra Options, change the Description to something that starts with "pfb_"

                    No effect

                      RonpfS @MORGiON

                      @morgion said in Alias Native Logging:

                      @ronpfs said in Alias Native Logging:

                      @BBcan17 said in [Email] :
                      In Extra Options, change the Description to something that starts with "pfb_"

                      No effect

                      Maybe do a Force Reload IP 😖

                      Restart the pfBlockerNG firewall filter service 😕

                        RonpfS @MORGiON

                        @morgion said in Alias Native Logging:

                        @ronpfs said in Alias Native Logging:

                        grep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

                        No output

                        grep “^77.72.” /var/db/pfblockerng/permit/*.txt  /var/db/pfblockerng/original/*.orig
                        

                        It may be in a big block range.

                        If you go further down in the Alerts Tab (maybe change the settings to get more alerts), was it in a table at some point in time?

                          MORGiON @RonpfS

                          @ronpfs

                          Still no output from grep

                          Alerts tab

                          May 28 11:41:32 WAN pfB_PRI1_v4
                          (1770009104) TCP-S 77.72.82.71:59854
                          hostby.ups-gb.co.uk     xxx.xxx.xxx.xxx:59599 
                          GB ET_Block_v4
                          77.72.82.0/24

                          Get hit by this one a lot, so didn't have to look far; not unknown anymore. Also doing full reload now

                          EDIT: Full reload didn't help ☹

                            RonpfS @MORGiON

                            @morgion said in Alias Native Logging:

                            doing full reload now

                            If your Permit rules don't generate alerts, try to restart the pfBlockerNG firewall filter service.

                            You can also peek at the ip_permit.log file.

                              MORGiON @RonpfS

                              @ronpfs said in Alias Native Logging:

                              @morgion said in Alias Native Logging:

                              doing full reload now

                              If your Permit rules don't generate alerts, try to restart the pfBlockerNG firewall filter service.

                              You can also peek at the ip_permit.log file.

                              Restarted pfBlocker Firewall Filter service, ip_permit.log empty

                                RonpfS @MORGiON

                                @morgion said in Alias Native Logging:

                                @ronpfs said in Alias Native Logging:

                                grep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

                                No output

                                Looks like you don't need the "

                                grep ^77.72.82 /var/db/pfblockerng/*/*.txt  /var/db/pfblockerng/original/*.orig
                                

                                  MORGiON @RonpfS

                                  @ronpfs said in Alias Native Logging:

                                  grep ^77.72.82 /var/db/pfblockerng//.txt /var/db/pfblockerng/original/*.orig

                                  /var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.101
                                  /var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.14
                                  /var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.19
                                  /var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.22
                                  /var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.31
                                  /var/db/pfblockerng/deny/ET_Block_v4.txt:77.72.82.0/24
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.19 # Malicious Host
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.22 # Malicious Host
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.72 # Malicious Host
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.88 # Malicious Host
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.125 # Malicious Host
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.59 # Malicious Host
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.101 # Malicious Host
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.14 # Malicious Host
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.48 # Malicious Host
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.91 # Malicious Host
                                  /var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.31 # Malicious Host
                                  /var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.15
                                  /var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.19
                                  /var/db/pfblockerng/original/BlockListDE_All_v4.orig:77.72.82.15
                                  /var/db/pfblockerng/original/BlockListDE_SSH_v4.orig:77.72.82.15
                                  /var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.101
                                  /var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.14
                                  /var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.19
                                  /var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.22
                                  /var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.31
                                  /var/db/pfblockerng/original/DangerRulez_v4.orig:77.72.82.15 # 2018-05-27 10:23:33 21 1486391
                                  /var/db/pfblockerng/original/ET_Block_v4.orig:77.72.82.0/24
                                  /var/db/pfblockerng/original/ET_Comp_v4.orig:77.72.82.15
                                  /var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.56
                                  /var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.14
                                  /var/db/pfblockerng/original/ISC_Block_v4.orig:77.72.82.0 77.72.82.255 24 1342 NETUP-AS , RU aospan@netup.ru
                                  /var/db/pfblockerng/original/SuspectNetworks_v4.orig:77.72.82.0/24

                                    RonpfS @MORGiON

                                    @morgion said in Alias Native Logging:

                                    ip_permit.log empty

                                    And you see the Permits in FW Logs ?

                                      MORGiON @RonpfS

                                      @ronpfs said in Alias Native Logging:

                                      @morgion said in Alias Native Logging:

                                      ip_permit.log empty

                                      And you see the Permits in FW Logs ?

                                      Yes

                                        RonpfS @MORGiON

                                        @morgion said in Alias Native Logging:

                                        @ronpfs said in Alias Native Logging:

                                        grep ^77.72.82 /var/db/pfblockerng//.txt /var/db/pfblockerng/original/*.orig

                                        Strange as 77.72.82.0/24 includes 77.72.82.1 to 77.72.82.254

                                        Do you have suppression enabled ?

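Added example (not part of any post in this thread, and not pfBlockerNG code): the prefix greps above only find entries whose text starts with the same octets, so a wider CIDR or a start/end range row that covers 77.72.82.71 is missed. This Python script does containment checks over the same file globs. The `SAMPLE` rows are constructed from the output shown in the thread, `Example_wide_v4` is a hypothetical feed name, and a Python 3 interpreter on the firewall is assumed.

```python
#!/usr/bin/env python3
"""List every pfBlockerNG feed entry that covers an IP (added example)."""
import glob
import ipaddress
import sys

# Glob patterns copied from the grep commands in the thread.
PATTERNS = ["/var/db/pfblockerng/*/*.txt", "/var/db/pfblockerng/original/*.orig"]

# Constructed sample: rows as they appear in the thread's grep output, plus one
# hypothetical wide block (Example_wide_v4) that a "^77.72.82" grep cannot see.
SAMPLE = {
    "deny/CINS_army_v4.txt": ["77.72.82.101", "77.72.82.14"],
    "deny/ET_Block_v4.txt": ["77.72.82.0/24"],
    "original/Alienvault_v4.orig": ["77.72.82.72 # Malicious Host"],
    "original/ISC_Block_v4.orig": ["77.72.82.0 77.72.82.255 24 1342"],
    "original/Example_wide_v4.orig": ["77.72.0.0/16"],
}


def entry_covers(line, ip):
    """Return the covering entry as text if `line` covers `ip`, else None."""
    fields = line.split("#", 1)[0].split()  # drop trailing "# comment"
    if not fields:
        return None
    if len(fields) >= 2:  # "start end ..." rows such as ISC_Block_v4.orig
        try:
            lo, hi = (ipaddress.ip_address(f) for f in fields[:2])
            if lo.version == hi.version == ip.version and lo <= ip <= hi:
                return f"{lo}-{hi}"
        except ValueError:
            pass  # second field is not an address; treat as a plain entry
    try:
        net = ipaddress.ip_network(fields[0], strict=False)
    except ValueError:
        return None  # header, hostname or other non-address row
    return str(net) if net.version == ip.version and ip in net else None


def find_covering(ip_text, sources):
    """sources maps a file name to its lines; returns [(name, entry), ...]."""
    ip = ipaddress.ip_address(ip_text)
    hits = []
    for name, lines in sources.items():
        for line in lines:
            entry = entry_covers(line, ip)
            if entry:
                hits.append((name, entry))
    return hits


def load_sources(patterns=PATTERNS):
    """Read the list files from disk (empty dict when run off the firewall)."""
    sources = {}
    for pattern in patterns:
        for path in sorted(glob.glob(pattern)):
            with open(path, errors="replace") as fh:
                sources[path] = fh.read().splitlines()
    return sources


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "77.72.82.71"
    for name, entry in find_covering(target, load_sources() or SAMPLE):
        print(f"{name}: {entry}")
```

Run with the address from the Alerts tab as the only argument; with no list files present it falls back to the constructed sample.
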
                                          MORGiON @RonpfS

                                          @ronpfs Yes but not used (yet)

                                            RonpfS

                                            Can you run

                                            pfctl -vvsr | grep "pf"
                                            
