Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Phishtank list download fail

    Scheduled Pinned Locked Moved pfBlockerNG
    35 Posts 4 Posters 2.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • provelsP
      provels @revengineer
      last edited by

      @revengineer
      Tried HTTPS? I was able to add the https://data.phishtank.com/data/online-valid.csv.bz2
      from the pfB Feeds page and for the heck of it registered for an API key and added it to the link. Ran w/o error on Force/Reload and Cron. That's the same list, just a different format, right?
      bf140d68-b617-417a-85ae-82d01d6f3927-image.png

      Peder

      MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
      BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

      R 1 Reply Last reply Reply Quote 0
      • R
        revengineer @provels
        last edited by

        @provels Good point. I did not write but did indeed try many combinations. For the https case with .bz extension, I get

        curl -v https://data.phishtank.com/data/<api_key>/online-valid.csv.bz2
        *   Trying 104.16.101.75:443...
        * TCP_NODELAY set
        * Connected to data.phishtank.com (104.16.101.75) port 443 (#0)
        * ALPN, offering h2
        * ALPN, offering http/1.1
        * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
        * successfully set certificate verify locations:
        *   CAfile: /usr/local/share/certs/ca-root-nss.crt
          CApath: none
        * TLSv1.2 (OUT), TLS header, Certificate Status (22):
        * TLSv1.2 (OUT), TLS handshake, Client hello (1):
        * TLSv1.2 (IN), TLS handshake, Server hello (2):
        * TLSv1.2 (IN), TLS handshake, Certificate (11):
        * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
        * TLSv1.2 (IN), TLS handshake, Server finished (14):
        * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
        * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
        * TLSv1.2 (OUT), TLS handshake, Finished (20):
        * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
        * TLSv1.2 (IN), TLS handshake, Finished (20):
        * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
        * ALPN, server accepted to use h2
        * Server certificate:
        *  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
        *  start date: Aug 17 00:00:00 2020 GMT
        *  expire date: Aug 17 12:00:00 2021 GMT
        *  subjectAltName: host "data.phishtank.com" matched cert's "*.phishtank.com"
        *  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
        *  SSL certificate verify ok.
        * Using HTTP2, server supports multi-use
        * Connection state changed (HTTP/2 confirmed)
        * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
        * Using Stream ID: 1 (easy handle 0x803abb800)
        > GET /data/<api_key>/online-valid.csv.bz2 HTTP/2
        > Host: data.phishtank.com
        > user-agent: curl/7.68.0
        > accept: */*
        >
        * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
        < HTTP/2 302
        < date: Sat, 21 Nov 2020 13:26:33 GMT
        < content-type: text/html; charset=UTF-8
        < set-cookie: __cfduid=de8c92bb34f744f36bf09f5cfa9c6a7c21605965193; expires=Mon, 21-Dec-20 13:26:33 GMT; path=/; domain=.phishtank.com; HttpOnly; SameSite=Lax; Secure
        < x-request-limit-interval: 10800 Seconds
        < x-request-limit: 12
        < x-request-count: 1
        < location: https://d1750zhbc38ec0.cloudfront.net/datadumps/verified_online.csv.bz2?Expires=1605965203&Signature=efXCsFqG1q8UlLtJihn7Nj6fXJRyjTjXVq96b2gvsnAhyOiM9Kfv4mpuCfY...[ABBREVIATED]
        < cf-cache-status: DYNAMIC
        < cf-request-id: 068c953aa400002acc66ad6000000001
        < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
        < strict-transport-security: max-age=15552000
        < server: cloudflare
        < cf-ray: 5f5abe3ddf3e2acc-IAD
        <
        * Connection #0 to host data.phishtank.com left intact
        
        1 Reply Last reply Reply Quote 0
        • R
          revengineer
          last edited by

          I have tried downloading the feed from an Ubuntu server as well. The curl command fails in the same manner, wget command works.

          @provels I think it may be time for me to contact the PhishTank folks. for comparison, can you post your "curl -v" output?

          provelsP 1 Reply Last reply Reply Quote 0
          • provelsP
            provels @revengineer
            last edited by provels

            @revengineer said in Phishtank list download fail:

            curl -v

            curl -v https://data.phishtank.com/data/<api-key>/online-valid.csv.bz2
            *   Trying 2606:4700::6810:654b:443...
            * TCP_NODELAY set
            * Connected to data.phishtank.com (2606:4700::6810:654b) port 443 (#0)
            * ALPN, offering h2
            * ALPN, offering http/1.1
            * Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
            * successfully set certificate verify locations:
            *   CAfile: /usr/local/share/certs/ca-root-nss.crt
              CApath: none
            * TLSv1.2 (OUT), TLS header, Certificate Status (22):
            * TLSv1.2 (OUT), TLS handshake, Client hello (1):
            * TLSv1.2 (IN), TLS handshake, Server hello (2):
            * TLSv1.2 (IN), TLS handshake, Certificate (11):
            * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
            * TLSv1.2 (IN), TLS handshake, Server finished (14):
            * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
            * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
            * TLSv1.2 (OUT), TLS handshake, Finished (20):
            * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
            * TLSv1.2 (IN), TLS handshake, Finished (20):
            * SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
            * ALPN, server accepted to use h2
            * Server certificate:
            *  subject: C=US; ST=CA; L=San Francisco; O=Cloudflare, Inc.; CN=sni.cloudflaressl.com
            *  start date: Aug 17 00:00:00 2020 GMT
            *  expire date: Aug 17 12:00:00 2021 GMT
            *  subjectAltName: host "data.phishtank.com" matched cert's "*.phishtank.com"
            *  issuer: C=US; O=Cloudflare, Inc.; CN=Cloudflare Inc ECC CA-3
            *  SSL certificate verify ok.
            * Using HTTP2, server supports multi-use
            * Connection state changed (HTTP/2 confirmed)
            * Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
            * Using Stream ID: 1 (easy handle 0x803aba800)
            > GET /data/<api-key>/online-valid.csv.bz2 HTTP/2
            > Host: data.phishtank.com
            > user-agent: curl/7.68.0
            > accept: */*
            >
            * Connection state changed (MAX_CONCURRENT_STREAMS == 256)!
            < HTTP/2 302
            < date: Sat, 21 Nov 2020 15:14:17 GMT
            < content-type: text/html; charset=UTF-8
            < set-cookie: __cfduid=db5c57b87a118488312b7047180d6f9101605971657; expires=Mon, 21-Dec-20 15:14:17 GMT; path=/; domain=.phishtank.com; HttpOnly; SameSite=Lax; Secure
            < x-request-limit-interval: 10800 Seconds
            < x-request-limit: 12
            < x-request-count: 1
            < location: https://d1750zhbc38ec0.cloudfront.net/datadumps/verified_online.csv.bz2?Expires=1605971667&Signature=iUZaI4nsb9LNji0tMhiEsrZW9fryn751OzXVP ... ETC, ETC.
            < cf-cache-status: DYNAMIC
            < cf-request-id: 068cf7dc0900007f68c79e9000000001
            < expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
            < strict-transport-security: max-age=15552000
            < server: cloudflare
            < cf-ray: 5f5b5c0cd90f7f68-ORD
            <
            * Connection #0 to host data.phishtank.com left intact
            
            

            Peder

            MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
            BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

            R 1 Reply Last reply Reply Quote 0
            • R
              revengineer @provels
              last edited by

              @provels This looks similar to my output. And after this you have a file called online-valid.csv.bz2 in the directory you called the command from?

              1 Reply Last reply Reply Quote 0
              • provelsP
                provels
                last edited by provels

                @revengineer said in Phishtank list download fail:

                online-valid.csv.bz2

                Well, um, no. Ran from /root, not there. Searched the tree, too. But like I said, worked OK using HTTPS from Force and Cron within pfB. Does curl actually do a GET? I'm no command line expert.
                7e991e52-7890-46de-b346-e50d8335169a-image.png

                Peder

                MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                R 1 Reply Last reply Reply Quote 0
                • R
                  revengineer @provels
                  last edited by

                  @provels I tried one more time using API key, https, and .bz2 ending and it's just not working. The log is below. A google search for "cloudflare 403 error" yields upwards of half a million hits, and the solution may be somewhere in there. I sent email to PhishTank but do not expect a response. Beyond that this seems like a waste of time to pursue as it seems to be specific to me.

                   CRON  PROCESS  START [ 11/21/20 13:44:12 ]
                  [ BD_IPs ]
                    Remote timestamp: Sat, 21 Nov 2020 18:32:31 GMT
                    Local  timestamp: Sat, 21 Nov 2020 17:32:30 GMT	Update found
                  [ FireHOL3_IPs ]
                    Remote timestamp: Sat, 21 Nov 2020 18:33:37 GMT
                    Local  timestamp: Sat, 21 Nov 2020 17:18:10 GMT	Update found
                  [ PhishTank ]
                  			Previous download failed.	Re-attempt download
                   UPDATE PROCESS START [ 11/21/20 13:44:14 ]
                  
                  ===[  DNSBL Process  ]================================================
                  
                  [ EasyList ]		 exists.
                  [ EasyPrivacy ]		 exists.
                  [ Adaway ]		 exists.
                  [ Cameleon ]		 exists.
                  [ yoyo ]		 exists.
                  [ MDS ]			 exists.
                  [ MDL ]			 Downloading update .. 200 OK
                   No Domains Found
                  
                  [ URLhaus ]		 exists.
                  [ OpenPhish ]		 exists. [ 11/21/20 13:44:15 ]
                  [ PhishingArmy ]	 exists.
                  [ PhishTank ]		 Downloading update .. 403 Forbidden
                  
                   [ DNSBL_Phishing - PhishTank ] Download FAIL
                    Firewall and/or IDS are not blocking download.
                  
                  [ oisd ]		 exists.
                  [ DNSBL_IP ]		 Updating aliastable [ 11/21/20 13:44:20 ]... 
                    no changes.
                    Total IP count = 307378
                  
                  
                  ===[  Continent Process  ]============================================
                  
                  [ pfB_Top_v4 ]		 exists. [ 11/21/20 13:44:21 ]
                  [ pfB_Top_v6 ]		 exists.
                  
                  ===[  IPv4 Process  ]=================================================
                  
                  [ BD_IPs ]		 Downloading update .. 200 OK. completed ..
                  
                    Reputation (Max=5) - Range(s)
                  182.138.158.|192.241.218.|192.241.219.|192.241.233.|192.241.234.|192.241.235.|192.241.236.|192.241.237.|192.241.238.|192.241.239.|124.235.138.|124.227.31.|196.52.43.|167.248.133.|92.118.161.|162.243.128.|87.251.70.|221.13.12.|81.161.63.|192.35.168.|170.130.187.|74.120.14.|185.202.1.|185.202.2.|104.140.188.|104.206.128.|102.165.30.|162.142.125.|
                  
                    Reputation -Max Stats
                    ------------------------------
                    Blacklisted     Match     
                    Ranges IPs      Ranges   IPs     
                    ------------------------------
                    28     290      0        0       
                  
                  
                  [ ET_Block_IPs ]	 exists.
                  [ ET_Comp_IPs ]		 exists.
                  [ FireHOL3_IPs ]	 Downloading update .. 200 OK. completed ..
                  
                    Reputation (Max=5) - Range(s)
                  124.156.50.|124.156.54.|124.156.55.|124.156.62.|124.156.64.|118.186.203.|194.187.19.|42.247.5.|59.177.77.|59.177.78.|59.177.79.|92.118.160.|92.118.161.|59.99.40.|23.129.64.|193.32.8.|49.51.160.|49.51.161.|170.130.187.|178.72.68.|178.72.69.|178.72.70.|178.72.71.|91.240.243.|199.195.251.|184.105.247.|103.52.216.|103.52.217.|164.52.24.|178.17.170.|89.33.193.|162.62.17.|162.62.26.|192.241.208.|5.45.207.|192.241.211.|192.241.212.|192.241.213.|192.241.214.|192.241.215.|192.241.216.|192.241.217.|192.241.218.|192.241.219.|192.241.220.|192.241.221.|192.241.222.|192.241.231.|192.241.232.|192.241.233.|192.241.236.|192.241.238.|37.9.13.|203.243.10.|121.169.34.|107.6.162.|107.6.168.|178.174.136.|178.174.137.|114.122.101.|114.122.107.|209.17.96.|209.17.97.|124.156.240.|124.156.241.|124.156.245.|45.113.70.|45.113.71.|185.191.171.|197.5.145.|49.51.8.|49.51.9.|170.106.36.|170.106.37.|170.106.38.|94.180.24.|94.180.25.|94.180.28.|170.106.76.|170.106.81.|89.46.223.|45.148.10.|192.35.168.|185.202.1.|178.175.132.|125.64.103.|200.73.128.|200.73.129.|104.206.128.|202.164.139.|102.165.30.|147.92.153.|109.188.125.|109.188.126.|65.49.20.|182.140.235.|202.114.176.|113.141.70.|213.180.203.|195.154.122.|195.154.123.|124.205.84.|192.42.116.|74.82.47.|121.147.227.|206.189.223.|114.119.128.|185.100.87.|114.119.135.|114.119.137.|114.119.158.|167.160.184.|176.212.104.|176.212.108.|87.236.208.|121.178.247.|199.249.230.|194.87.138.|91.192.103.|45.140.17.|150.109.167.|150.109.170.|150.109.180.|150.109.181.|150.109.182.|49.51.12.|162.247.74.|109.70.100.|58.216.176.|185.220.101.|185.220.102.|95.163.255.|218.89.77.|121.149.104.|172.172.26.|176.214.44.|172.172.30.|80.94.93.|192.99.175.|74.120.14.|104.140.188.|198.143.175.|13.66.139.|5.255.231.|162.142.125.|
                  
                    Reputation -Max Stats
                    ------------------------------
                    Blacklisted     Match     
                    Ranges IPs      Ranges   IPs     
                    ------------------------------
                    145    1687     1        0       
                  
                  
                  
                  ===[  IPv6 Process  ]=================================================
                  
                  
                  ===[ Reputation - pMax ]======================================
                  
                    Querying for repeat offenders ( pMax=50 ) [ 11/21/20 13:44:23 ]
                    Reputation -pMax ( None )
                  
                  ===[ Reputation - dMax ]======================================
                  
                    Querying for repeat offenders ( dMax=5 ) [ 11/21/20 13:44:23 ]
                    Classifying repeat offenders by GeoIP
                    Processing [ Block ] IPs
                    Removing   [ Block ] IPs
                  
                    Removed the following IP ranges:
                  171.25.193.|216.83.57.|185.234.219.|164.52.24.|59.46.13.|193.169.252.|61.177.172.|222.192.88.|91.241.19.|184.105.247.|218.92.0.|192.241.209.|192.241.210.|192.241.215.|84.38.187.|205.185.127.|5.188.206.|45.87.43.|202.165.22.|213.202.233.|68.183.231.|2.57.122.|206.189.171.|209.141.54.|112.85.42.|118.244.128.|180.215.215.|
                  
                    Reputation - dMax Stats
                    ------------------------------
                    Blacklisted     Match     
                    Ranges IPs      Ranges   IPs     
                    ------------------------------
                    27     25       1        0       
                  
                  
                  ===[  Aliastables / Rules  ]==========================================
                  
                  No changes to Firewall rules, skipping Filter Reload
                  
                   Updating: pfB_Top_v4
                  no changes.
                   Updating: pfB_Top_v6
                  no changes.
                   Updating: pfB_BinaryDefense
                  30 addresses added.37 addresses deleted.
                   Updating: pfB_EmergingThreatsDShield
                  2 addresses added.3 addresses deleted.
                   Updating: pfB_FireHOL3
                  10405 addresses added.57 addresses deleted.
                  
                  ===[ FINAL Processing ]=====================================
                  
                     [ Original IP count   ]  [ 64441 ]
                  
                  ===[ Deny List IP Counts ]===========================
                  
                     62227 total
                     22166 /var/db/pfblockerng/deny/FireHOL3_IPs.txt
                     19038 /var/db/pfblockerng/deny/pfB_Top_v4.txt
                      6944 /var/db/pfblockerng/deny/pfB_Top_v6.txt
                      6413 /var/db/pfblockerng/deny/ET_Comp_IPs.txt
                      5310 /var/db/pfblockerng/deny/BD_IPs.txt
                      2356 /var/db/pfblockerng/deny/ET_Block_IPs.txt
                  
                  ===[ DNSBL Domain/IP Counts ] ===================================
                  
                    849719 total
                    378541 /var/db/pfblockerng/dnsbl/oisd.txt
                    307327 /var/db/pfblockerng/dnsbl/URLhaus.ip
                     91552 /var/db/pfblockerng/dnsbl/URLhaus.txt
                     25637 /var/db/pfblockerng/dnsbl/MDS.txt
                     17223 /var/db/pfblockerng/dnsbl/EasyList.txt
                     11980 /var/db/pfblockerng/dnsbl/PhishingArmy.txt
                      6712 /var/db/pfblockerng/dnsbl/Cameleon.txt
                      4093 /var/db/pfblockerng/dnsbl/EasyPrivacy.txt
                      2901 /var/db/pfblockerng/dnsbl/OpenPhish.txt
                      2003 /var/db/pfblockerng/dnsbl/Adaway.txt
                      1699 /var/db/pfblockerng/dnsbl/yoyo.txt
                        21 /var/db/pfblockerng/dnsbl/OpenPhish.ip
                        20 /var/db/pfblockerng/dnsbl/EasyList.ip
                        10 /var/db/pfblockerng/dnsbl/EasyPrivacy.ip
                         0 /var/db/pfblockerng/dnsbl/PhishTank.fail
                  
                  ====================[ Last Updated List Summary ]==============
                  
                  Nov 20	00:30	ET_Block_IPs
                  Nov 20	00:30	ET_Comp_IPs
                  Nov 21	09:00	pfB_Top_v4
                  Nov 21	09:00	pfB_Top_v6
                  Nov 21	13:32	BD_IPs
                  Nov 21	13:33	FireHOL3_IPs
                  
                  IPv4 alias tables IP count
                  -----------------------------
                  362661
                  
                  IPv6 alias tables IP count
                  -----------------------------
                  6944
                  
                  Alias table IP Counts
                  -----------------------------
                    369605 total
                    307378 /var/db/aliastables/pfB_DNSBLIP.txt
                     22166 /var/db/aliastables/pfB_FireHOL3.txt
                     19038 /var/db/aliastables/pfB_Top_v4.txt
                      8769 /var/db/aliastables/pfB_EmergingThreatsDShield.txt
                      6944 /var/db/aliastables/pfB_Top_v6.txt
                      5310 /var/db/aliastables/pfB_BinaryDefense.txt
                  
                  pfSense Table Stats
                  -------------------
                  table-entries hard limit  2000000
                  Table Usage Count         486768
                  
                   UPDATE PROCESS ENDED [ 11/21/20 13:44:27 ]
                  
                  
                  provelsP 1 Reply Last reply Reply Quote 0
                  • provelsP
                    provels @revengineer
                    last edited by

                    @revengineer
                    Yeah, short of a typo on the URL line or a mistake in the API key, that's all I have. Sorry.

                    Peder

                    MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                    BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                    R 1 Reply Last reply Reply Quote 0
                    • R
                      revengineer @provels
                      last edited by

                      @provels No worries, I thank you for your time to help me chase this down as far as we could.

                      There is one more question: Which version of pfBockerNG are you using? The devel version, or the older one. I still use the older (non-devel) version and that could be a difference.

                      provelsP 1 Reply Last reply Reply Quote 0
                      • provelsP
                        provels @revengineer
                        last edited by

                        @revengineer
                        I've only used the devel. Never had issues (at least not self-inflicted).

                        Peder

                        MAIN - pfSense+ 24.11-RELEASE - Adlink MXE-5401, i7, 16 GB RAM, 64 GB SSD. 500 GB HDD for SyslogNG
                        BACKUP - pfSense+ 23.01-RELEASE - Hyper-V Virtual Machine, Gen 1, 2 v-CPUs, 3 GB RAM, 8GB VHDX (Dynamic)

                        R 1 Reply Last reply Reply Quote 0
                        • R
                          revengineer @provels
                          last edited by

                          @provels Thanks, I may update the version. I know that the author recommends the devel version for a long time, but for me this always sounded too much like "beta". Cheers!

                          1 Reply Last reply Reply Quote 0
                          • First post
                            Last post
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.