Alias Native Logging

RonpfS

@morgion said in Alias Native Logging:

@ronpfs said in Alias Native Logging:

grep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

grep: /var/db/pfblockerng/permit/.txt: No such file or directory
grep: /var/db/pfblockerng/original/.orig: No such file or directory

Oups missing 2 "*" because I did'nt use a </> Code block

grep “^77.72.82” /var/db/pfblockerng/permit/*.txt  /var/db/pfblockerng/original/*.orig

MORGiON

@ronpfs said in Alias Native Logging:

rep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

No output

MORGiON

@ronpfs said in Alias Native Logging:

@BBcan17 said in [Email] :
In Extra Options, change the Description to something that start with "pfb_"

No effect

RonpfS

@morgion said in Alias Native Logging:

@ronpfs said in Alias Native Logging:

@BBcan17 said in [Email] :
In Extra Options, change the Description to something that start with "pfb_"

No effect

Maybe do a Force Reload IP

Restart the pfBlockerNG firewall filter service

RonpfS

@morgion said in Alias Native Logging:

@ronpfs said in Alias Native Logging:

rep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

No output

grep “^77.72.” /var/db/pfblockerng/permit/*.txt  /var/db/pfblockerng/original/*.orig

It maybe in a big block range.

If you go further down in the Alerts Tab (maybe change the settings to get more alerts) was it in a table as some point in time?

MORGiON

@ronpfs

Still no output from grep

Alerts tab

May 28 11:41:32 WAN pfB_PRI1_v4
(1770009104) TCP-S 77.72.82.71:59854
hostby.ups-gb.co.uk     xxx.xxx.xxx.xxx:59599 
GB ET_Block_v4
77.72.82.0/24

get hit by this one a lot so didn't have to look far, not unknown anymore. also doing full reload now

EDIT: Full reload didn't help

RonpfS

@morgion said in Alias Native Logging:

doing full reload now

If your Permit rules don't generate alerts, try to restart the pfBlockerNG firewall filter service.

You can also peek at the ip_permit.log file.

MORGiON

@ronpfs said in Alias Native Logging:

@morgion said in Alias Native Logging:

doing full reload now

If your Permit rules don't generate alerts, try to restart the pfBlockerNG firewall filter service.

You can also peek at the ip_permit.log file.

Restarted pfBlocker Firewall Filter service, ip_permit.log empty

RonpfS

@morgion said in Alias Native Logging:

@ronpfs said in Alias Native Logging:

rep “^77.72.82” /var/db/pfblockerng/permit/.txt /var/db/pfblockerng/original/.orig

No output

Looks like you don't need the "

grep ^77.72.82 /var/db/pfblockerng/*/*.txt  /var/db/pfblockerng/original/*.orig

MORGiON

@ronpfs said in Alias Native Logging:

grep ^77.72.82 /var/db/pfblockerng//.txt /var/db/pfblockerng/original/*.orig

/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.101
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.14
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.19
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.22
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.31
/var/db/pfblockerng/deny/ET_Block_v4.txt:77.72.82.0/24
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.19 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.22 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.72 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.88 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.125 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.59 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.101 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.14 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.48 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.91 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.31 # Malicious Host
/var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.15
/var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.19
/var/db/pfblockerng/original/BlockListDE_All_v4.orig:77.72.82.15
/var/db/pfblockerng/original/BlockListDE_SSH_v4.orig:77.72.82.15
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.101
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.14
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.19
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.22
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.31
/var/db/pfblockerng/original/DangerRulez_v4.orig:77.72.82.15 # 2018-05-27 10:23:33 21 1486391
/var/db/pfblockerng/original/ET_Block_v4.orig:77.72.82.0/24
/var/db/pfblockerng/original/ET_Comp_v4.orig:77.72.82.15
/var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.56
/var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.14
/var/db/pfblockerng/original/ISC_Block_v4.orig:77.72.82.0 77.72.82.255 24 1342 NETUP-AS , RU aospan@netup.ru
/var/db/pfblockerng/original/SuspectNetworks_v4.orig:77.72.82.0/24

RonpfS

@morgion said in Alias Native Logging:

ip_permit.log empty

And you see the Permits in FW Logs ?

MORGiON

@ronpfs said in Alias Native Logging:

@morgion said in Alias Native Logging:

ip_permit.log empty

And you see the Permits in FW Logs ?

Yes

RonpfS

@morgion said in Alias Native Logging:

@ronpfs said in Alias Native Logging:

grep ^77.72.82 /var/db/pfblockerng//.txt /var/db/pfblockerng/original/*.orig

/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.101
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.14
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.19
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.22
/var/db/pfblockerng/deny/CINS_army_v4.txt:77.72.82.31
/var/db/pfblockerng/deny/ET_Block_v4.txt:77.72.82.0/24
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.19 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.22 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.72 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.88 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.125 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.59 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.101 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.14 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.48 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.91 # Malicious Host
/var/db/pfblockerng/original/Alienvault_v4.orig:77.72.82.31 # Malicious Host
/var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.15
/var/db/pfblockerng/original/BDS_Ban_v4.orig:77.72.82.19
/var/db/pfblockerng/original/BlockListDE_All_v4.orig:77.72.82.15
/var/db/pfblockerng/original/BlockListDE_SSH_v4.orig:77.72.82.15
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.101
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.14
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.19
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.22
/var/db/pfblockerng/original/CINS_army_v4.orig:77.72.82.31
/var/db/pfblockerng/original/DangerRulez_v4.orig:77.72.82.15 # 2018-05-27 10:23:33 21 1486391
/var/db/pfblockerng/original/ET_Block_v4.orig:77.72.82.0/24
/var/db/pfblockerng/original/ET_Comp_v4.orig:77.72.82.15
/var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.56
/var/db/pfblockerng/original/GreenSnow_v4.orig:77.72.82.14
/var/db/pfblockerng/original/ISC_Block_v4.orig:77.72.82.0 77.72.82.255 24 1342 NETUP-AS , RU aospan@netup.ru
/var/db/pfblockerng/original/SuspectNetworks_v4.orig:77.72.82.0/24

Strange as 77.72.82.0/24 include 77.72.82.1 to 77.72.82.254

Do you have suppression enabled ?

MORGiON

@ronpfs Yes but not used (yet)

RonpfS

Can you run

pfctl -vvsr | grep "pf"

MORGiON

@ronpfs said in Alias Native Logging:

pfctl -vvsr | grep "pf"```

no output

RonpfS

@morgion Again a "new" forum qwerk, missing a new line

pfctl -vvsr | grep "pf"

RonpfS

@morgion said in Alias Native Logging:

@ronpfs Yes but not used (yet)

It's done when a Reload IP or Cron update run.
It should have remove the /var/db/pfblockerng/deny/CINS_army_v4.txt entries

I see the same thing on my box with De-Duplication, CIDR Aggregation and Suppression enabled

MORGiON

@ronpfs

Shell Output - pfctl -vvsr | grep "pf"
@127(1770001239) pass quick on igb1 inet proto icmp from any to 10.10.10.1 icmp-type echoreq keep state label "USER_RULE: pfB_DNSBL_Ping"
@128(1770001239) pass quick on igb2 inet proto icmp from any to 10.10.10.1 icmp-type echoreq keep state label "USER_RULE: pfB_DNSBL_Ping"
@129(1770001239) pass quick on igb3 inet proto icmp from any to 10.10.10.1 icmp-type echoreq keep state label "USER_RULE: pfB_DNSBL_Ping"
@130(1770001466) pass quick on igb1 inet proto tcp from any to 10.10.10.1 port = 8081 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@131(1770001466) pass quick on igb1 inet proto tcp from any to 10.10.10.1 port = 8443 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@132(1770001466) pass quick on igb1 inet proto udp from any to 10.10.10.1 port = 8081 keep state label "USER_RULE: pfB_DNSBL_Permit"
@133(1770001466) pass quick on igb1 inet proto udp from any to 10.10.10.1 port = 8443 keep state label "USER_RULE: pfB_DNSBL_Permit"
@134(1770001466) pass quick on igb2 inet proto tcp from any to 10.10.10.1 port = 8081 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@135(1770001466) pass quick on igb2 inet proto tcp from any to 10.10.10.1 port = 8443 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@136(1770001466) pass quick on igb2 inet proto udp from any to 10.10.10.1 port = 8081 keep state label "USER_RULE: pfB_DNSBL_Permit"
@137(1770001466) pass quick on igb2 inet proto udp from any to 10.10.10.1 port = 8443 keep state label "USER_RULE: pfB_DNSBL_Permit"
@138(1770001466) pass quick on igb3 inet proto tcp from any to 10.10.10.1 port = 8081 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@139(1770001466) pass quick on igb3 inet proto tcp from any to 10.10.10.1 port = 8443 flags S/SA keep state label "USER_RULE: pfB_DNSBL_Permit"
@140(1770001466) pass quick on igb3 inet proto udp from any to 10.10.10.1 port = 8081 keep state label "USER_RULE: pfB_DNSBL_Permit"
@141(1770001466) pass quick on igb3 inet proto udp from any to 10.10.10.1 port = 8443 keep state label "USER_RULE: pfB_DNSBL_Permit"
@142(1770009104) block drop log quick on pppoe0 inet from <pfB_PRI1_v4:17167> to any label "USER_RULE: pfB_PRI1_v4"
@143(1770009128) block drop log quick on pppoe0 inet from <pfB_PRI2_v4:37959> to any label "USER_RULE: pfB_PRI2_v4"
@144(1770009318) block drop log quick on pppoe0 inet from <pfB_PRI3_v4:16803> to any label "USER_RULE: pfB_PRI3_v4"
@145(1770009226) block drop log quick on pppoe0 inet from <pfB_PRI4_v4:14347> to any label "USER_RULE: pfB_PRI4_v4"
@146(1770009208) block drop log quick on pppoe0 inet from <pfB_PRI5_v4:2363> to any label "USER_RULE: pfB_PRI5_v4"
@147(1770008838) block drop log quick on pppoe0 inet from <pfB_MAIL_v4:12149> to any label "USER_RULE: pfB_MAIL_v4"
@148(1770009301) block drop log quick on pppoe0 inet from <pfB_Abuse_PS_v4:2> to any label "USER_RULE: pfB_Abuse_PS_v4"
@149(1770008792) block drop log quick on pppoe0 inet from <pfB_TOR_v4:6703> to any label "USER_RULE: pfB_TOR_v4"
@150(1770009914) block drop log quick on pppoe0 inet from <pfB_Internic_4_v4:13> to any label "USER_RULE: pfB_Internic_4_v4"
@151(1770009587) block drop log quick on pppoe0 inet from <pfB_BlockListDE_v4:155> to any label "USER_RULE: pfB_BlockListDE_v4"
@152(1770009071) block drop log quick on pppoe0 inet from <pfB_DNSBLIP_v4:13203> to any label "USER_RULE: pfB_DNSBLIP_v4"
@153(1770009435) block drop log quick on pppoe0 inet6 from <pfB_PRI1_6_v6:99> to any label "USER_RULE: pfB_PRI1_6_v6"
@154(1770009706) block drop log quick on pppoe0 inet6 from <pfB_Internic_6_v6:13> to any label "USER_RULE: pfB_Internic_6_v6"
@155(1770004209) block return log quick on igb1 inet from any to <pfB_PRI1_v4:17167> label "USER_RULE: pfB_PRI1_v4"
@156(1770004209) block return log quick on igb2 inet from any to <pfB_PRI1_v4:17167> label "USER_RULE: pfB_PRI1_v4"
@157(1770004209) block return log quick on igb3 inet from any to <pfB_PRI1_v4:17167> label "USER_RULE: pfB_PRI1_v4"
@158(1770004233) block return log quick on igb1 inet from any to <pfB_PRI2_v4:37959> label "USER_RULE: pfB_PRI2_v4"
@159(1770004233) block return log quick on igb2 inet from any to <pfB_PRI2_v4:37959> label "USER_RULE: pfB_PRI2_v4"
@160(1770004233) block return log quick on igb3 inet from any to <pfB_PRI2_v4:37959> label "USER_RULE: pfB_PRI2_v4"
@161(1770004423) block return log quick on igb1 inet from any to <pfB_PRI3_v4:16803> label "USER_RULE: pfB_PRI3_v4"
@162(1770004423) block return log quick on igb2 inet from any to <pfB_PRI3_v4:16803> label "USER_RULE: pfB_PRI3_v4"
@163(1770004423) block return log quick on igb3 inet from any to <pfB_PRI3_v4:16803> label "USER_RULE: pfB_PRI3_v4"
@164(1770004331) block return log quick on igb1 inet from any to <pfB_PRI4_v4:14347> label "USER_RULE: pfB_PRI4_v4"
@165(1770004331) block return log quick on igb2 inet from any to <pfB_PRI4_v4:14347> label "USER_RULE: pfB_PRI4_v4"
@166(1770004331) block return log quick on igb3 inet from any to <pfB_PRI4_v4:14347> label "USER_RULE: pfB_PRI4_v4"
@167(1770004313) block return log quick on igb1 inet from any to <pfB_PRI5_v4:2363> label "USER_RULE: pfB_PRI5_v4"
@168(1770004313) block return log quick on igb2 inet from any to <pfB_PRI5_v4:2363> label "USER_RULE: pfB_PRI5_v4"
@169(1770004313) block return log quick on igb3 inet from any to <pfB_PRI5_v4:2363> label "USER_RULE: pfB_PRI5_v4"
@170(1770003943) block return log quick on igb1 inet from any to <pfB_MAIL_v4:12149> label "USER_RULE: pfB_MAIL_v4"
@171(1770003943) block return log quick on igb2 inet from any to <pfB_MAIL_v4:12149> label "USER_RULE: pfB_MAIL_v4"
@172(1770003943) block return log quick on igb3 inet from any to <pfB_MAIL_v4:12149> label "USER_RULE: pfB_MAIL_v4"
@173(1770004406) block return log quick on igb1 inet from any to <pfB_Abuse_PS_v4:2> label "USER_RULE: pfB_Abuse_PS_v4"
@174(1770004406) block return log quick on igb2 inet from any to <pfB_Abuse_PS_v4:2> label "USER_RULE: pfB_Abuse_PS_v4"
@175(1770004406) block return log quick on igb3 inet from any to <pfB_Abuse_PS_v4:2> label "USER_RULE: pfB_Abuse_PS_v4"
@176(1770003897) block return log quick on igb1 inet from any to <pfB_TOR_v4:6703> label "USER_RULE: pfB_TOR_v4"
@177(1770003897) block return log quick on igb2 inet from any to <pfB_TOR_v4:6703> label "USER_RULE: pfB_TOR_v4"
@178(1770003897) block return log quick on igb3 inet from any to <pfB_TOR_v4:6703> label "USER_RULE: pfB_TOR_v4"
@179(1770005019) block return log quick on igb1 inet from any to <pfB_Internic_4_v4:13> label "USER_RULE: pfB_Internic_4_v4"
@180(1770005019) block return log quick on igb2 inet from any to <pfB_Internic_4_v4:13> label "USER_RULE: pfB_Internic_4_v4"
@181(1770005019) block return log quick on igb3 inet from any to <pfB_Internic_4_v4:13> label "USER_RULE: pfB_Internic_4_v4"
@182(1770004692) block return log quick on igb1 inet from any to <pfB_BlockListDE_v4:155> label "USER_RULE: pfB_BlockListDE_v4"
@183(1770004692) block return log quick on igb2 inet from any to <pfB_BlockListDE_v4:155> label "USER_RULE: pfB_BlockListDE_v4"
@184(1770004692) block return log quick on igb3 inet from any to <pfB_BlockListDE_v4:155> label "USER_RULE: pfB_BlockListDE_v4"
@185(1770004176) block return log quick on igb1 inet from any to <pfB_DNSBLIP_v4:13203> label "USER_RULE: pfB_DNSBLIP_v4"
@186(1770004176) block return log quick on igb2 inet from any to <pfB_DNSBLIP_v4:13203> label "USER_RULE: pfB_DNSBLIP_v4"
@187(1770004176) block return log quick on igb3 inet from any to <pfB_DNSBLIP_v4:13203> label "USER_RULE: pfB_DNSBLIP_v4"
@188(1770004540) block return log quick on igb1 inet6 from any to <pfB_PRI1_6_v6:99> label "USER_RULE: pfB_PRI1_6_v6"
@189(1770004540) block return log quick on igb2 inet6 from any to <pfB_PRI1_6_v6:99> label "USER_RULE: pfB_PRI1_6_v6"
@190(1770004540) block return log quick on igb3 inet6 from any to <pfB_PRI1_6_v6:99> label "USER_RULE: pfB_PRI1_6_v6"
@191(1770004811) block return log quick on igb1 inet6 from any to <pfB_Internic_6_v6:13> label "USER_RULE: pfB_Internic_6_v6"
@192(1770004811) block return log quick on igb2 inet6 from any to <pfB_Internic_6_v6:13> label "USER_RULE: pfB_Internic_6_v6"
@193(1770004811) block return log quick on igb3 inet6 from any to <pfB_Internic_6_v6:13> label "USER_RULE: pfB_Internic_6_v6"
@211(1527214027) pass in log quick on pppoe0 reply-to (pppoe0 150.101.32.41) inet proto udp from <pfB_Oceania_v4:6752> to xx.xxx.xxx.xxx port = openvpn keep state label "USER_RULE: pfb_OpenVPN_Remote_Network_Access_wizard"

RonpfS

@morgion It may be a bug that BBcan177 will need to address.

The pfBlockerNG firewall filter service looks for TrackerID 1770* and the pfB_Oceania_v4 is 1527214027.