PfBlocker

taryezveb

malc0de.com keeps up a realtime list of malware serving IPs addresses.

This list -> http://malc0de.com/bl/IP_Blacklist.txt will autoupdate and works in pfBlocker lists section.

More on malc0de -> http://malc0de.com/dashboard/
malc0de's searchable database -> http://malc0de.com/database/

The malware list contains the malicious IP, referenced in the following Webroot blog:
http://blog.webroot.com/2012/01/25/researchers-intercept-a-client-side-exploits-serving-malware-campaign/
That's a good sign it's kept up to date.

Thanks for the all the information you have posted.

LinuxTracker

@LinuxTracker:

malc0de.com keeps up a realtime list of malware serving IPs addresses.

This list -> http://malc0de.com/bl/IP_Blacklist.txt will autoupdate and works in pfBlocker lists section.

2nd Update: After running this for a while I noticed more unexpected site blocking.
It may only be one or two IP addresses, but it trapped a lot of outgoing packets to media servers.

I'm withholding any recommendation until I have the time to study the list - a couple of weeks.

note: The only verified contact I have for malc0de is their Twitter feed.

Thanks.

Update:
I added the lists to pfBlocker last night and found 2 unexpected site blocks.

First was web.archive.org. Malc0de's entry is here.
I guess archive.org is caching some malicious files.

Second is the IP 72.21.91.19; which is an edgecast address used for video streaming by break.com, wnd.com, brietbart, myspace and others.
A burner app from that IP was flagged for a few days, by ThreatExpert.

I whitelisted the 1st IP and sent a synopsis to the Web Archive.
I tweeted a request to Malc0de to delist the 2nd.

Meanwhile, I'll keep evaluating.

mdima

@ccb056:

Oi marcello, I got the multiple WAN interfaces working by adding a dummy rule and then starting pfblocker.

One thing I notice is when lists are added they consume RAM but when the list is removed the RAM is not returned.

Obrigado!

Hi,
I have multiple LAN interfaces (I added LAN and my DMZ). When I see the firewall rules of the WAN interface, the pfBlocker rules are present 2 times (the same rules, added two times. Rule 1, Rule 2, Rule 3, Rule 1, Rule 2, Rule 3).

Anyway, this do not affect anything, so don't worry…

Ciao,
Michele

marcelloc

@mdima:

Hi,
I have multiple LAN interfaces (I added LAN and my DMZ). When I see the firewall rules of the WAN interface, the pfBlocker rules are present 2 times (the same rules, added two times. Rule 1, Rule 2, Rule 3, Rule 1, Rule 2, Rule 3).

Anyway, this do not affect anything, so don't worry…

I'ts not fixed yet because I never could reproduce this visual issue.

You can also use alias only on action and create rules by rand.

Thanks for feedback. :)

kilthro

I had an error that has been coming up starting this week here and there.

There were error(s) loading the rules: /tmp/rules.debug:37: cannot define table pfBlockerAds: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded The line in question reads [37]: table <pfblockerads>persist file "/var/db/aliastables/pfBlockerAds.txt"</pfblockerads>

I got this error two times and then stopped this morning (same on Monday. it happens two times back to back and then stops). I have the lists set to update once a day, and my snort rules also update every 12 hours which causes pfblocker to reload itself when it refreshes. No other lists that i have set up are having issues (which some are way bigger than this table).

When this happened on Monday, I deleted the table and list in pfblocker. I then re entered it freshly into pfblocker and let the table repopulate. Until today I had no other errors. Do I need to increase any settings for this to go away or is this more of a problem with the info that its pulling.

I got the list from http://www.iblocklist.com/lists.php?fileformat=cidr&archiveformat=gz and the direct link to the adds one is
http://list.iblocklist.com/?list=bt_ads&fileformat=p2p&archiveformat=gz

Again, I am using other lists from this site with no issue at all. So any suggestions would be greatly appreciated.

This is running on an old dual Intel Pentium III EB 800 board with two gigs of ram. So wasn't sure if there was a limitation problem. If anyone needs additional information please let me know.

I am on the latest build of PFSENSE and pfblocker btw.

marcelloc

The first try is always to increase max_table_entries on system advanced.

Most of Cannot allocate memory errors from /tmp/rules.debug are related to this.

kilthro

@marcelloc:

The first try is always to increase max_table_entries on system advanced.

Most of Cannot allocate memory from /tmp/rules.debug are related to this.

Ok I will try that and see if that helps. I didnt want to touch anything until i asked. Its just strange, that its been fine for a couple of months with the same tables ect. Then just started happening. Then if i delete the list/table and rebuilt it was fine for a little while. I appreciate the feedback. This evening I will increase it and see if that removes the problem.

marcelloc

@kilthro:

This evening I will increase it and see if that removes the problem.

It does not affect firewall function at all, you can apply it any time.

kilthro

@marcelloc:

@kilthro:

This evening I will increase it and see if that removes the problem.

It does not affect firewall function at all, you can apply it any time.

Good to know, Thanks. I will not be back at that location until this evening. I just get email notifications when something is working right. :-)

kilthro

Well the default was set to 200k so i increased to 900k and have refreshed a few times and no more errors.. Strange how this just started happening recently with out anything else changing on the firewall/setup.

Oh well.. Thanks again for the suggestion.

tommyboy180

@kilthro:

Well the default was set to 200k so i increased to 900k and have refreshed a few times and no more errors.. Strange how this just started happening recently with out anything else changing on the firewall/setup.

Oh well.. Thanks again for the suggestion.

Any packages recently installed? What about any system restarts?

kilthro

@tommyboy180:

@kilthro:

Well the default was set to 200k so i increased to 900k and have refreshed a few times and no more errors.. Strange how this just started happening recently with out anything else changing on the firewall/setup.

Oh well.. Thanks again for the suggestion.

Any packages recently installed? What about any system restarts?

Nope nothing installed. Snort is blinking in the package widget as there is an update for that but I haven't done it yet since I typically have to reset all of the stuff back up in it when it updates.. It runs flawlessly but when I upgrade it, it always seems to flaky so I have put that off for now lol.. The system has been up for 50 days+ straight with no restarts. Honestly I have configured it, and for the most part forget about it unless I get an email stating something errors out ect.. Every now and then I may log into it to check for updates and status on things but that's not regular.

When i was increasing the amount I did tried 400k and 600k with the same error. 900k was the first where it didn't error out so that what I stuck with. This morning when everything updated I didn't get an error so it seems like that amount is ok for now.

Amarth

This has probably been covered but I could not find any info on it. There seems to be a formatting issue on the pfBlocker Dashboard Widget.

Line: 69


print "```
";

Causes the column labels to offset to the right. ie: Alias ends up over the CIDR count. I saw no closing

marcelloc

It's a missing debug cmd prior to var_dump.

If It's on 1.0.1 package version, I'll remove on next release.

vlurk

It looks like I am having the "cannot allocate memory" issue as well, running a 2.0.1 (i386) release, nanobsd 2G and pfBlocker 1.0.1. I increased the max table size, read page 21 as well but it just wouldn't cut it with my small platform.

Since I REALLY wanted to get the Bluetack's level1 blocklist, I needed to try something else and eventually found another solution…

What I did is write a simple perl script with that will read the list, and output a new CIDR list splitted into many files, actually 100,000 entries per file.

I then created a small cron job to download the list and execute the script on a linux server running Apache. Finally, I configured three different blocklists (aliases) under pfblocker (not just a big one with three URLs...). And it works! Maybe having such a mechanism (splitting big files) built into pfblocker could be useful for some.

In case someone is interested by the perl script, it looks like this:

#!/usr/bin/perl
use Net::CIDR::Lite;

my $filenum = "0" x 4; # if you ++ a string, it keeps the padding

sub new_file {
        $filenum ++;
        my $name = "splat_$filenum.lis";
        open OUT, ">$name" or die "canne open $name cap'n:$!\n";
        warn "writing to:$name\n";
}

my $cidr = Net::CIDR::Lite->new;
open (MYFILE, $ARGV[0]);
while (<myfile>) {
  chomp;
  $_ =~ /[^:]+:(.*)/;
  my $range = $1; #extracted IP Range, verify it is IPv4
  if ( $range =~ m/\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\-\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}/i ) {
        $cidr->add_range($range);
  }
}
close (MYFILE);
my $index = 0;
my @cidr_list = $cidr->list;
foreach my $block ( @cidr_list ) {
        if ( $index % 100000 == 0 ) {
                new_file;
        }
        print OUT $block,"\n";
        $index++;
}
close (OUT);</myfile>

It receives the unzipped list in input, and will output the files in the CWD. Simple as that.

Have a nice day.

marcelloc

Good contributon. Thank you. :)

marcelloc

Just updated pfBlocker to 1.0.2 with:

Fix on array check error at line 368 when there is no alias defined on pfSense
reduce duplicate cases on automatic rules when using multiple interfaces as inbound and/or outbound
Increase php memory limit to 250Mb when x64 pfSense is detected(DO AT YOUR OWN RISK PATCH applied to code ;))
Updated country ip lists

tommyboy180

Awesome!

taryezveb

@tommyboy180:

Awesome!

+1, Thanks

vlurk

Thanks for the update: I am gonna give it a shot like right after I post this.

I noticed that my script would fail when some blocklist would include multiple colons on one line. Here is my updated script, which now accept a number of lines as the second argument.

#!/usr/bin/perl
use Net::CIDR::Lite;

my $filenum = "0" x 4; # if you ++ a string, it keeps the padding
my $limit = 100000; # default max number of lines

sub new_file {
	$filenum ++;
	my $name = "splat_$filenum.lis";
	open OUT, ">$name" or die "canne open $name cap'n:$!\n";
        warn "writing to:$name\n";
}

my $cidr = Net::CIDR::Lite->new;
open (MYFILE, $ARGV[0]);
if ( defined($ARGV[1])) {
	if ( $ARGV[1] =~  m/^\d{2,6}$/ ) {
		$limit = int($ARGV[1]);
	}
}

while (<myfile>) {
  chomp;
  my @line = split(/:+/);
  my $range = $line[-1]; #get IP Range, verify it is IPv4
  if ( $range =~ m/^\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}\-\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3}$/ ) {
	$cidr->add_range($range);
  }
}
close (MYFILE);
my $index = 0;
my @cidr_list = $cidr->list;
foreach my $block ( @cidr_list ) {
	if ( $index % $limit == 0 ) {
		close (OUT);
		new_file;
	}
	print OUT $block,"\n";
	$index++;
}
close (OUT);</myfile>

Since my platform is not x64, and only have 256MB of RAM, I am not sure the new patch will fix the memory allocation issue for me… I am running with 60% memory used on average. Right now I am using a 60,000 lines as my maximum. 100,000 would seem to fail on some occasions.