Strikeback with iplog and nmap
-
just installed this on 2.0 final
not working, I think iplog is missing
Nov 1 13:58:08 php: /packages/strikeback/strikeback.php: The command '/usr/local/etc/rc.d/iplog start' returned exit code '127', the output was '/usr/local/etc/rc.d/iplog: not found'
Nov 1 13:58:08 php: /packages/strikeback/strikeback.php: The command 'rm /usr/local/etc/rc.d/iplog-e' returned exit code '1', the output was 'rm: /usr/local/etc/rc.d/iplog-e: No such file or directory'
Nov 1 13:58:08 php: /packages/strikeback/strikeback.php: The command '/usr/bin/sed -i -e 's/iplog_enable="NO"/iplog_enable="YES"/g' /usr/local/etc/rc.d/iplog' returned exit code '1', the output was 'sed: /usr/local/etc/rc.d/iplog: No such file or directory'also tryed pkg_add -r iplog
Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/iplog.tbz: File unavailable (e.g., file not found, no access)
< typo forum, it add http:// but for real it doesnt …
packages-8.1-release doesnt exist anymore
-
you can find 8-1 packages here
ftp-archive.freebsd.org/pub/FreeBSD-Archive/old-releases/i386/8.1-RELEASE/packages/All/
-
So if I spoofed my IP address during scanning to say be some military or government IP I can have you port scanning away in "response"? I am sure they would like that. Portscan detections are also notoriously unreliable as they are prone to false positive events.
I think detection is fine and then silently blocking if so desired but no revenge strikes. What would you do after port scanning someone? Go hunting for vulnerabilities to take your revenge on them? I think snort's sfportscan preprocessor may be better for detection. All it does it:
a) leaves you open to manipulation to portscan sensitive places in response
b) reveals yourself to the attacker (unlike a nice silent drop)
c) If it was a hacker (script kiddies get detected would perhaps be caught by this, pros no) and they saw you portscanning them they may be encouraged to seek revenge. -
I'm away on business right now. When I return I will take some time to update the package.
-
Hi There,
I have a kind of similar issue. I'm running the latest PFsense 2.0 official release on an ALIX board. I have succesfully intalled STRIKEBACK package. As recommended, I went to Strikeback SETTINGS tab and clicked on SAVE, resulting in an updated /usr/local/etc/iplog.conf file. Then I go to LOG VIEWER tab and enable StrikeBack then click on SAVE. The System Logs reveal the following:
Nov 15 10:35:13 php: /packages/strikeback/strikeback.php: The command '/usr/bin/sed -i -e 's/iplog_enable="NO"/iplog_enable="YES"/g' /usr/local/etc/rc.d/iplog' returned exit code '1', the output was 'sed: /usr/local/etc/rc.d/iplog: No such file or directory'
Nov 15 10:35:13 php: /packages/strikeback/strikeback.php: The command 'rm /usr/local/etc/rc.d/iplog-e' returned exit code '1', the output was 'rm: /usr/local/etc/rc.d/iplog-e: No such file or directory'
Nov 15 10:35:13 php: /packages/strikeback/strikeback.php: The command '/usr/local/etc/rc.d/iplog start' returned exit code '127', the output was '/usr/local/etc/rc.d/iplog: not found'I'm stuck in figuring out how to even figure out weither or not iplog is indeed installed ???
Any help greatly appreciated. Thanks in advance :)
-
Hi There,
I have a kind of similar issue. I'm running the latest PFsense 2.0 official release on an ALIX board. I have succesfully intalled STRIKEBACK package. As recommended, I went to Strikeback SETTINGS tab and clicked on SAVE, resulting in an updated /usr/local/etc/iplog.conf file. Then I go to LOG VIEWER tab and enable StrikeBack then click on SAVE. The System Logs reveal the following:
Nov 15 10:35:13 php: /packages/strikeback/strikeback.php: The command '/usr/bin/sed -i -e 's/iplog_enable="NO"/iplog_enable="YES"/g' /usr/local/etc/rc.d/iplog' returned exit code '1', the output was 'sed: /usr/local/etc/rc.d/iplog: No such file or directory'
Nov 15 10:35:13 php: /packages/strikeback/strikeback.php: The command 'rm /usr/local/etc/rc.d/iplog-e' returned exit code '1', the output was 'rm: /usr/local/etc/rc.d/iplog-e: No such file or directory'
Nov 15 10:35:13 php: /packages/strikeback/strikeback.php: The command '/usr/local/etc/rc.d/iplog start' returned exit code '127', the output was '/usr/local/etc/rc.d/iplog: not found'I'm stuck in figuring out how to even figure out weither or not iplog is indeed installed ???
Any help greatly appreciated. Thanks in advance :)
It appears if the iplog binary did not get installed. Run pkg_add -r iplog to install it.
-
Tom, many thanks for the very fast reply. Unfortunately, I did try this last trick already, as I had read through the forum. This results in the following error message:
Error: Unable to get ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/iplog.tbz: File unavailable (e.g., file not found, no access)
pkg_add: unable to fetch 'ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8.1-release/Latest/iplog.tbz' by URL:-(
-
You have to change an environment variable to use pkg_add -r or you can add it directly via URL.
Try```
pkg_add -r ftp://ftp.freebsd.org/pub/FreeBSD/ports/i386/packages-8-stable/Latest/iplog.tbz -
Does nmap have some sort of conf file that tells it what interface to use. I can scan the local network from within pfsense nmap ui.
Nov 16 09:58:59 php: /packages/strikeback/strikeback.php: The command '/usr/local/bin/nmap -oX /usr/local/www/packages/strikeback/reports/58.104.179.126.xml -vv -sS -sU -sY -O 58.104.179.126' returned exit code '1', the output was ' Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-16 09:58 EST WARNING: Unable to find appropriate interface for system route to 10.20.21.36 WARNING: Unable to find appropriate interface for system route to 10.20.21.36 WARNING: Unable to find appropriate interface for system route to 10.20.21.36 nexthost: failed to determine route to 58.104.179.126 QUITTING!' Nov 16 09:58:59 php: /packages/strikeback/strikeback.php: The command 'mkdir /usr/local/www/packages/strikeback/reports' returned exit code '1', the output was 'mkdir: /usr/local/www/packages/strikeback/reports: File exists'And get this same error from Nmap within the shell
[2.0-RELEASE][root@pfsense.domain.local]/root(2): nmap -v -sn 58.104.179.126 Starting Nmap 5.51 ( http://nmap.org ) at 2011-11-16 10:19 EST WARNING: Unable to find appropriate interface for system route to 10.20.21.36I tried adding the -e switch with the wan interface but I still am getting the same error.
-
Many thanks Tom, that does the trick indeed :-)
-
Seems that in an hour, strikeback has seen hundreds of scans and probes.
But they're all coming from my LAN. Strikeback needs a "listen on interface _____" option to make it listen only on the outside interfaces.
-
Seems that in an hour, strikeback has seen hundreds of scans and probes.
It's a heck of a tool. I tested it for 1 minute last night and received 4300 entries.
IPLog gave lots of useful detail but I needed to reduce the noise.
Most data was Unbound initiated DNS traffic.
Apr 12 10:06:41 UDP: dgram to port 59305 from b.gov-servers.net (209.112.123.30):53 (514 data bytes) Apr 12 10:06:41 UDP: dgram to port 21314 from a.gov-servers.net (69.36.157.30):53 (514 data bytes) Apr 12 10:06:41 UDP: dgram to port 48480 from ns2.nasa.gov (198.116.4.185):53 (455 data bytes) Apr 12 10:06:41 UDP: dgram to port 26425 from ns1.nasa.gov (198.116.4.189):53 (811 data bytes) Apr 12 10:06:41 UDP: dgram to port 62907 from ns3.nasa.gov (198.116.4.181):53 (451 data bytes)I was confused because I had checked the Ignore DNS option
The problem was that I had left one of the Settings-> Ignore DNS Server boxes empty.
I populated all three w/ 0.0.0.0 and that filtered out DNS.To get rid of LAN, Torrent and VoIP chatter; I added```
ignore tcp from 192.168.1.0/24
ignore udp from 192.168.1.0/24
ignore udp dport 5000:65535**Note:** I found that saving a change under the Settings tab, rewrites /usr/local/etc/iplog.conf and wipes my custom entries. -
First:
I really like that the conf file (/usr/local/etc/iplog.conf) is noted in the Settings tab.
It's a small thing but a big help.Second:
If the time comes to refine Strikeback a bit more, would you consider the following suggestions?Adding the Save and Clear Log buttons to the top of the Log Viewer page.
(I discovered that I can rack up thousands of log items quickly and would have to dive after the buttons.)Suggestion #2 - Option to reverse log entries.
Suggestion #3 - Option to auto-refresh the Log Viewer page.That aside, Strikeback is already a big help. Thank you for your time and your ingenuity in dev'ing it.
-
I've been having a couple of the same bugs, I saw earlier in the thread.
I may have debugged this one.
php: /packages/strikeback/strikeback.php: The command 'mkdir /var/run/iplog' returned exit code '1', the output was 'mkdir: /var/run/iplog: File exists'I commented out line 170 in /packages/strikeback/strikeback.php so the code now reads like this:
if(isset($_POST['formSubmit'])) { // mwexec("mkdir /var/run/iplog"); mwexec("rm /var/log/iplog"); mwexec("touch /var/log/iplog"); mwexec("/usr/local/etc/rc.d/iplog restart");I haven't seen the error since.
. -
Change the code this way to keep creating the folder if does not exists:
if(isset($_POST['formSubmit'])) { if (!is_dir('/var/run/iplog')) mkdir("/var/run/iplog", 0700, true); mwexec("rm /var/log/iplog"); mwexec("touch /var/log/iplog"); mwexec("/usr/local/etc/rc.d/iplog restart"); -
I will do that.
Your timing is good (for me anyway) - I have an almost identical problem here.
This error occurs when I try to launch a strikeback from the provided link.
php: /packages/strikeback/strikeback.php: The command 'mkdir /usr/local/www/packages/strikeback/reports' returned exit code '1', the output was 'mkdir: /usr/local/www/packages/strikeback/reports: File exists'I'm looking at the statement that begins on line 59 of /usr/local/www/packages/strikeback/strikeback.php
if(isset($_GET[target])) { mwexec("mkdir /usr/local/www/packages/strikeback/reports"); //mwexec("/usr/local/bin/nmap -oX /usr/local/www/packages/strikeback/reports/".$_GET[target].".xml -vvsS -sU -sY -O ".$_GET[target]."> /dev/null 2>&1 &"); mwexec("/usr/local/bin/nmap -oX /usr/local/www/packages/strikeback/reports/".$_GET[target].".xml -vv -sS -sU -sY -O ".$_GET[target]); echo " \n"; }I don't think it's checking for the existence of /usr/local/www/packages/strikeback/reports/ prior to the mkdir command.
So I nested a 2nd statement to folder check and that error seems to have gone.
if(isset($_GET[target])) { if (file_exists("/usr/local/www/packages/strikeback/reports")){ } else { mwexec("mkdir /usr/local/www/packages/strikeback/reports"); } //mwexec("/usr/local/bin/nmap -oX /usr/local/www/packages/strikeback/reports/".$_GET[target].".xml -vvsS -sU -sY -O ".$_GET[target]."> /dev/null 2>&1 &"); mwexec("/usr/local/bin/nmap -oX /usr/local/www/packages/strikeback/reports/".$_GET[target].".xml -vv -sS -sU -sY -O ".$_GET[target]); echo " \n"; }But your code sample may work here as well. I need to look it over a moment.
-
Is this pakage working or not?
Shows version 0.1 Beta in pfsense and 1.0 Beta here ?
What version is it now and is there a change log ?
-
This was asked a couple of times last year but I don't think anyone knew the answer.
Did anyone attempt to port Strikeback over to AMD64?
Could there be a beta ver stashed away that we could git to? -
I still have plans to complete this project. Work/School just is the priority right now.
-
This was asked a couple of times last year but I don't think anyone knew the answer.
Did anyone attempt to port Strikeback over to AMD64?
Could there be a beta ver stashed away that we could git to?I've been waiting on the answer to that also, see several attempts at asking and no answer…
