Logging my daily changing WAN-address

fireodo

@stephenw10

Hi,

in case of using if_pppoe (in pfsense 2.8.0) what file would have to be edited and attach these lines

cat /tmp/pppoe0_ip >> /root/iplog/iplog.log
date >> /root/iplog/iplog.log

for having the WAN-IP get logged? (the /usr/local/sbin/ppp-linkup is not used anymore)

Thanks and nice sunday,
fireodo

stephenw10

You could probably add something to pppoe-handler. But that's PHP not a shell script.

fireodo

@stephenw10 said in [solved] Easy solution for logging my daily changing WAN-address:

You could probably add something to pppoe-handler. But that's PHP not a shell script.

Thanks - I'm not a PHP guru - do you have a "code" example?

stephenw10

Ha, I thought you might ask that and...nope not off hand. I'm no php guru either!

But if you're just logging the IP it's probably a one liner....

Bob.Dig

Maybe @Gertjan knows how to do it and can give detailed instructions how to do it for a noob like me.

Gertjan

@fireodo said in [solved] Easy solution for logging my daily changing WAN-address:

cat /tmp/pppoe0_ip >> /root/iplog/iplog.log

Doesn't exist anymore ?
I'm not using 2.7.2 or 2.8.0, - not using the pppoe or the new pppoe.

fireodo

@Gertjan said in [solved] Easy solution for logging my daily changing WAN-address:

Doesn't exist anymore ?

This (you mentioned) still exist but the executable /usr/local/sbin/ppp-linkup, is not used with the if_pppoe, so the lines that where attached at this file:

cat /tmp/pppoe0_ip >> /root/iplog/iplog.log
date >> /root/iplog/iplog.log

doesn't function anymore. stephenw10 suggest to modify the /usr/local/sbin/pppoe-handler file but I'm not familiar with PHP ;-)

Bob.Dig

@Gertjan said in [solved] Easy solution for logging my daily changing WAN-address:

Doesn't exist anymore

Or how to do it with the DDNS-thingy.

fireodo

@stephenw10 said in [solved] Easy solution for logging my daily changing WAN-address:

But if you're just logging the IP it's probably a one liner....

I will look, until I find a solution I stay with mpd as all the time before 2.8.0 ... :-)

fireodo

Hi,

i found a solution everybody interested is invited to try :-)

I made a shell script file called "logip" with following content:

#!/bin/sh

# IP-Logging
cat /tmp/pppoe0_ip >> /root/iplog/iplog.log
date >> /root/iplog/iplog.log

and placed in "/root/bin/" and made it executable.

After that I modified (attention - this is a original pfsense file!!!) the file "/etc/rc.newwanip" attaching at the end (before the "?>" this line of code:

shell_exec('/root/bin/logip');

The rc.newwanip is executed each time the system gets a new WAN IP so it should work. (I tested here and it works).
The "bad" thing is that the "rc.newwanip" has to be edited each time the system gets an upgrade/update ...
If someone gets a more "elegant" solution I'am open to it :-)

Regards,
fireodo

stephenw10

You could create a patch that adds that line to rc.newwanip and set it to auto-apply.

fireodo

@stephenw10 said in [somewhat solved] Easy solution for logging my daily changing WAN-address:

You could create a patch that adds that line to rc.newwanip and set it to auto-apply.

Yes that would be an option!

But now I found a new "problem": Snort cannot handle the pppoe0 interface (with if_pppoe) and exits with this error:
"FATAL ERROR: Cannot decode data link type 51"
so there is more work to do I switched back to "mpd" because i need Snort working ...

stephenw10

Hmm, using in-line mode?

fireodo

@stephenw10 said in [somewhat solved] Easy solution for logging my daily changing WAN-address:

Hmm, using in-line mode?

No, legacy mode ...

stephenw10

OK digging....

fireodo

@stephenw10 said in [somewhat solved] Easy solution for logging my daily changing WAN-address:

OK digging....

I have post a question also in IDS/IPS adressed to Bill Meeks

stephenw10

Yup replicated it here. Digging deeper...

bmeeks

@stephenw10 said in Logging my daily changing WAN-address:

Yup replicated it here. Digging deeper...

The problem is within the Snort binary package. The new if_pppoe driver apparently returns a datalink type of DLT_PPP_ETHER (which is integer code '51'). But the Snort C source code is only looking for DLT_PPP (which is integer code '9'). Because the switch...case logic does not match on DLT_PPP_ETHER, the default statement at line 3257 prevails and Snort executes a fatal error and terminates.

The code in question is within snort.c beginning at line 3118. Here is the module source code:

/*
 * Function: SetPktProcessor()
 *
 * Purpose:  Set root decoder based on datalink
 */
// TBD add GetDecoder(dlt) to decode module and hide all
// protocol decoder functions.
static int SetPktProcessor(void)
{
    const char* slink = NULL;
    const char* extra = NULL;
    int dlt = DAQ_GetBaseProtocol();

    switch ( dlt )
    {
        case DLT_EN10MB:
            slink = "Ethernet";
            grinder = DecodeEthPkt;
            break;

#ifdef DLT_LOOP
        case DLT_LOOP:
#endif
        case DLT_NULL:
            /* loopback and stuff.. you wouldn't perform intrusion detection
             * on it, but it's ok for testing. */
            slink = "LoopBack";
            extra = "Data link layer header parsing for this network type "
                    "isn't implemented yet";
            grinder = DecodeNullPkt;
            break;

        case DLT_RAW:
        case DLT_IPV4:
            slink = "Raw IP4";
            extra = "There's no second layer header available for this datalink";
            grinder = DecodeRawPkt;
            break;

        case DLT_IPV6:
            slink = "Raw IP6";
            extra = "There's no second layer header available for this datalink";
            grinder = DecodeRawPkt6;
            break;

#ifdef DLT_I4L_IP
        case DLT_I4L_IP:
            slink = "I4L-ip";
            grinder = DecodeEthPkt;
            break;
#endif

#ifndef NO_NON_ETHER_DECODER
#ifdef DLT_I4L_CISCOHDLC
        case DLT_I4L_CISCOHDLC:
            slink = "I4L-cisco-h";
            grinder = DecodeI4LCiscoIPPkt;
            break;
#endif

        case DLT_PPP:
            slink = "PPP";
            extra = "Second layer header parsing for this datalink "
                    "isn't implemented yet";
            grinder = DecodePppPkt;
            break;

#ifdef DLT_I4L_RAWIP
        case DLT_I4L_RAWIP:
            // you need the I4L modified version of libpcap to get this stuff
            // working
            slink = "I4L-rawip";
            grinder = DecodeI4LRawIPPkt;
            break;
#endif

#ifdef DLT_IEEE802_11
        case DLT_IEEE802_11:
            slink = "IEEE 802.11";
            grinder = DecodeIEEE80211Pkt;
            break;
#endif
#ifdef DLT_ENC
        case DLT_ENC:
            slink = "Encapsulated data";
            grinder = DecodeEncPkt;
            break;

#else
        case 13:
#endif /* DLT_ENC */
        case DLT_IEEE802:
            slink = "Token Ring";
            grinder = DecodeTRPkt;
            break;

        case DLT_FDDI:
            slink = "FDDI";
            grinder = DecodeFDDIPkt;
            break;

#ifdef DLT_CHDLC
        case DLT_CHDLC:
            slink = "Cisco HDLC";
            grinder = DecodeChdlcPkt;
            break;
#endif

        case DLT_SLIP:
            slink = "SLIP";
            extra = "Second layer header parsing for this datalink "
                    "isn't implemented yet\n";
            grinder = DecodeSlipPkt;
            break;

#ifdef DLT_PPP_SERIAL
        case DLT_PPP_SERIAL:         /* PPP with full HDLC header*/
            slink = "PPP Serial";
            extra = "Second layer header parsing for this datalink "
                    " isn't implemented yet";
            grinder = DecodePppSerialPkt;
            break;
#endif

#ifdef DLT_LINUX_SLL
        case DLT_LINUX_SLL:
            slink = "Linux SLL";
            grinder = DecodeLinuxSLLPkt;
            break;
#endif

#ifdef DLT_PFLOG
        case DLT_PFLOG:
            slink = "OpenBSD PF log";
            grinder = DecodePflog;
            break;
#endif

#ifdef DLT_OLDPFLOG
        case DLT_OLDPFLOG:
            slink = "Old OpenBSD PF log";
            grinder = DecodeOldPflog;
            break;
#endif
#endif  // NO_NON_ETHER_DECODER

        default:
            /* oops, don't know how to handle this one */
            FatalError("Cannot decode data link type %d\n", dlt);
            break;
    }

    if ( !ScReadMode() || ScPcapShow() )
    {
        LogMessage("Decoding %s\n", slink);
    }
    if (extra && ScOutputDataLink())
    {
        LogMessage("%s\n", extra);
        snort_conf->output_flags &= ~OUTPUT_FLAG__SHOW_DATA_LINK;
    }
#ifdef ACTIVE_RESPONSE
    Encode_Init();
#endif
    return 0;
}

The fix might be as simple as adding this additional code to the switch...case test, but that assumes the raw PPP data is exactly same between the old mpd driver and the new if_pppoe driver:

case DLT_PPP_ETHER:
           slink = "PPP";
           extra = "Second layer header parsing for this datalink "
                   "isn't implemented yet";
           grinder = DecodePppPkt;
           break;

stephenw10

Yup, that's exactly what we thought. Just waiting for a build to test....

stephenw10

Opened a bug to track: https://redmine.pfsense.org/issues/16229