Netgate Discussion Forum - pfSense Packages

    PfBlocker - Block Hit Counter
      BBcan177 (Moderator):

      pfBlocker - Block Hit Counter and SRI BotHunter Lookup Tool.

      The following script reads the /var/log/filter.log file to count the number of blocks for each interface, report back the count, and also complete an SRI BotHunter lookup.

      The script can be run from the EMAIL Reports Manager so you could get a Daily report, or it can be manually run from the SSH Shell.

      Here is what the output looks like -

      [ Each Section contains ]

      *  The Blocks, reported from the highest to lowest count found.
      *  All pfBlocker Lists that contain the Blocked IP Address. (It searches by the first 3 octets of the IP as the lists may contain CIDR or IP Ranges.)
      *  The EVENT Detail [ SRC IP, src port, DST IP and dst port ]
      *  Total number of Blocked events
      *  SRI BotHunter lookup of the address

      This will repeat for each blocked address that is found, separated by Interface.
      If the address is not found, the IP was blocked by a FW rule, or it was removed by an update to the pfBlocker list.

      [EXAMPLE]

      
       ==========================================================
       pfBlockerAtlas.txt:176.32.101.4/32
       pfBlockerOther.txt:176.32.101.4/32
       pfBlockerOther.txt:176.32.101.129/32
       pfBlockerOther.txt:176.32.101.68/32
       pfBlockerOther.txt:176.32.101.137/32
       pfBlockerOther.txt:176.32.101.81/32
      
       EVENT [ 10.x.x.x.43595 > 176.32.101.137.80 ]
      
       Blocked ip [ 176.32.101.137 ] on bge0, found [ 1 ] times
       ---------------------------------------------------------
            IP Address         = 176.32.101.137
            Threat Level       = High
            Threat Category    = Malware Propagator
            Threat Description = Malware drive-by exploit site
            Hostname           =
            Service Provider   = AMAZON DATA SERVICES IRELAND LTD
            Domain Name        = AMAZON.COM
            ASN Number         =
            ASN Name           =
            Network Speed      = COMP
            Country CC         = IE
            Country            = IRELAND
            Region             = DUBLIN CITY
            City               = DUBLIN
            Longitude          = -6.26718997955322
            Latitude           = 53.3439903259277
      
       ==========================================================
      
       pfBlockerAlienvault.txt:87.106.52.0/24
       pfBlockerET.txt:87.106.52.92/32
       pfBlockerOther.txt:87.106.52.92/32
       pfBlockerSFS.txt:87.106.52.0/24
      
       EVENT [ 87.106.52.183.58757 > 10.x.x.x.25 ]
      
       Blocked ip [ 87.106.52.183 ] on bce0, found [ 4 ] times
       ---------------------------------------------------------
            IP Address         = 87.106.52.183
            Threat Level       = Unverified
            Threat Category    =
            Threat Description =
            Hostname           =
            Service Provider   = 1&1 INTERNET AG
            Domain Name        = 1AND1.CO.UK
            ASN Number         =
            ASN Name           =
            Network Speed      = COMP
            Country CC         = DE
            Country            = GERMANY
            Region             = BADEN-WURTTEMBERG
            City               = KARLSRUHE
            Longitude          = 8.38582992553711
            Latitude           = 49.0047187805176
      
       ==========================================================
       pfBlockerAlienvault.txt:62.112.100.0/24
       pfBlockerdBlock.txt:62.112.100.0/24
       pfBlockerinfiltrated.txt:62.112.100.44/32

       EVENT [ 62.112.100.44.60635 > 10.x.x.x.25 ]

       Blocked ip [ 62.112.100.44 ] on bce0, found [ 4 ] times
       ---------------------------------------------------------
            IP Address         = 62.112.100.44
            Threat Level       = Unverified
            Threat Category    = Malware Propagator
            Threat Description = Malware drive-by exploit site
            Hostname           = spd44.rdc.ru
            Service Provider   = IM
            Domain Name        = -
            ASN Number         = 25513
            ASN Name           = ASN-MGTS-USPD OJS Moscow city telephone network
            Network Speed      = COMP
            Country CC         = RU
            Country            = RUSSIAN FEDERATION
            Region             = -
            City               = -
            Longitude          = 37.5830001831055
            Latitude           = 55.75
      
       ==========================================================
      
      

      NOTE

      [1]

      To use the script, the Firewall logs need to be formatted to one-line entries with a patch.

      Jimp has provided a patch to allow pfSense to send its syslogs to a remote Syslog software.
        This functionality allows the script to lookup the required data for each Block.

      From pfSense add "System Patches" from the "Available Packages" repository.
        In the System:Patches menu, select "+" and add a new patch.

      If you're on 2.1, add this patch:
        http://files.pfsense.org/jimp/patches/pf-log-oneline-option.diff

      If you're on 2.0.x, use this patch instead:
        http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.0.x.diff

      Once you have entered the patch details, you need to "Fetch" and then "Apply".

      (HELP LINK) https://doc.pfsense.org/index.php/System_Patches

      Finally, check the box on the system log settings to force the firewall logs to one line.
        The script will not report any Blocked Addresses prior to this patch being made active.

      [2]

      The easiest way to use the Script is to Install the pfSense package "Filer" using the Package Manager.
      This way you can add the script to pfSense from the WEB GUI, and it will allow the script to be saved in the
      pfSense .conf file.

      In "Filer", add a new entry:
          [File]  /home/user/pfcount   (Change "user" to your user folder)
          [Desc]  pfCount
          [Perm]  755

      Paste the SCRIPT below into the "File Contents Box", then select "Background and Save".

      [3]

      Use the package "MAIL Report" to allow running the script and sending the data via email.
      Add a new Report, Save, reopen the report and in the "Report Commands" add the path to the script as above.
      Save, select "Send Now" to check if the script is functioning properly. You will get an email.
      Please ensure you add your email credentials in Advanced:Notification on the Web GUI for the email function to work.

      Make sure the report is run at the end of the day as it will only report the current day's events. This can be changed by removing the lines with
      grep "$event" so that it will report all IP addresses that are blocked in the filter.log.

      [4]

      The script can use a "Whitelist" file, so you can exclude IP address(es).

      You will need to change this line in the Script, to use your local user folder

      whitelist=/home/user/whitelist

      (The whitelist file can also be edited in the "Filer" program.)

      Here is the script

      
      #!/bin/sh
      # pfcount: counts pf blocks per interface from the one-line filter.log,
      # lists the pfBlocker alias tables holding each blocked address and
      # fetches the SRI BotHunter report for it.

      banner=" =========================================================="
      # Day prefix as syslog writes it ("May  6", space padded). %d ("May 06")
      # never matches single-digit days; the %e fix is given later in this thread.
      event=$(date +%b" "%e)

      log=/var/log/filter.log
      lists=/var/db/aliastables/*
      whitelist=/home/user/whitelist   # one IP per line; the file must exist (touch it); change "user"

      # Interfaces that logged at least one inbound block
      int=$(grep -ao 'block in on.*: (' "$log" | sed -e 's/block in on //' -e 's/: (//' | sort -u)

      # Sets $blockip to the addresses blocked on interface $1 today, most
      # frequent first. RFC1918 and the 224.0.0.0/24 and 239.255.255.0/24
      # multicast ranges are masked to p.p.p.p and dropped, then whitelisted
      # addresses are removed.
      block()
      {
      octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9][0-9]|[0-9])'
      blockip=$(grep -a "block in on $1" "$log" | grep "$event" |
              grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' |
              sed -E "s/^10(\.$octet){3}$/p.p.p.p/" |
              sed -E "s/^172\.(1[6-9]|2[0-9]|3[01])(\.$octet){2}$/p.p.p.p/" |
              sed -E "s/^192\.168(\.$octet){2}$/p.p.p.p/" |
              sed -E 's/^224\.0\.0\..*/p.p.p.p/' |
              sed -E 's/^239\.255\.255\..*/p.p.p.p/' |
              grep -v 'p\.p\.p\.p' |
              grep -vxFf "$whitelist" |
              sort | uniq -c | sort -rn |
              awk '{print $2}')
      }

      for a in $int; do
              block "$a"
              echo "$banner"
              echo " The Following Address(es) were Blocked on Interface $a on $event"
              echo "$banner"
              echo
              printf '%s\n\n' "$blockip"
              echo

              for i in $blockip; do
                      # lists may hold CIDR blocks, so search by the first three octets
                      ii=$(echo "$i" | cut -d. -f1-3)
                      blist=$(grep -H "^$ii\." $lists | sed 's/\/var\/db\/aliastables\// /g')
                      if [ -z "$blist" ]; then blist=" Address not found in any current lists"; fi
                      # first "src.port > dst.port" event seen for this address today
                      dlist=$(grep -a "$i" "$log" | grep "$event" |
                              grep -oE '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}.*:' |
                              sed 's/://g' | sort | head -n 1)
                      count=$(grep -a "block in on $a" "$log" | grep "$event" | grep -owF "$i" | wc -l | sed 's/ *//')
                      echo
                      echo "$banner"
                      printf '%s\n\n' "$blist"
                      printf ' EVENT [ %s ]\n\n' "$dlist"
                      echo " Blocked IP [ $i ] on $a, found [ $count ] times"
                      # SRI BotHunter lookup (needs wget installed); strips the <b> tags from the HTML
                      wget -qO- "http://kb.bothunter.net/ipInfo/nowait.php?IP=$i" | tail -n +3 | head -n 17 | sed -E 's/<\/?b>//g'
                      echo
              done
      done
      
      

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

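      As an added example (not part of this post or the pfcount script), here is the same counting logic in Python, run over a constructed sample of one-line filter.log entries. The line shape ("block in on <if>: (...) src.port > dst.port:"), the sample addresses and the whitelist entry are assumptions built for the example; the excluded ranges are the ones the script masks out with sed, and day_prefix() yields the space-padded day that the date +%e form gives, so the same "May 06" vs "May  6" mismatch can be checked against the sample.

```python
import re
from collections import Counter, defaultdict
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample of one-line pf filter.log entries (not from a real firewall).
# The shape follows what the pfcount script greps for: "block in on <if>: (...)"
# followed by "src.port > dst.port:". Inside addresses use 10.0.0.0/8, like the
# thread's "10.x.x.x"; 198.51.100.9 stands in for an address on the whitelist.
SAMPLE_LOG = """\
May  6 08:01:12 pfsense pf: 00:00:00.412 rule 5/0(match): block in on bce0: (tos 0x0, ttl 52, id 1, offset 0, flags [DF], proto TCP (6), length 60) 87.106.52.183.58757 > 10.0.0.5.25: Flags [S], length 0
May  6 08:02:40 pfsense pf: 00:00:00.103 rule 5/0(match): block in on bce0: (tos 0x0, ttl 51, id 2, offset 0, flags [DF], proto TCP (6), length 60) 87.106.52.183.58761 > 10.0.0.5.25: Flags [S], length 0
May  6 08:03:05 pfsense pf: 00:00:00.220 rule 5/0(match): block in on bce0: (tos 0x0, ttl 112, id 3, offset 0, flags [none], proto TCP (6), length 48) 61.174.51.200.6000 > 10.0.0.5.22: Flags [S], length 0
May  6 08:04:19 pfsense pf: 00:00:00.310 rule 9/0(match): block in on bge0: (tos 0x0, ttl 64, id 4, offset 0, flags [DF], proto TCP (6), length 60) 10.0.0.77.43595 > 176.32.101.137.80: Flags [S], length 0
May  6 08:05:00 pfsense pf: 00:00:00.050 rule 5/0(match): block in on bce0: (tos 0x0, ttl 1, id 5, offset 0, flags [none], proto UDP (17), length 78) 10.0.0.9.5353 > 224.0.0.251.5353: UDP, length 50
May  6 08:06:30 pfsense pf: 00:00:00.700 rule 5/0(match): block in on bce0: (tos 0x0, ttl 48, id 7, offset 0, flags [DF], proto TCP (6), length 60) 198.51.100.9.40000 > 10.0.0.5.443: Flags [S], length 0
May  5 23:59:58 pfsense pf: 00:00:00.900 rule 5/0(match): block in on bce0: (tos 0x0, ttl 52, id 6, offset 0, flags [DF], proto TCP (6), length 60) 87.106.52.183.58700 > 10.0.0.5.25: Flags [S], length 0
"""

WHITELIST = ["198.51.100.9"]   # constructed; the real file holds one address per line

# Ranges the pfcount script masks out before counting (RFC1918, plus the
# 224.0.0.0/24 and 239.255.255.0/24 multicast ranges it drops with sed).
EXCLUDED = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/24", "239.255.255.0/24")]

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
BLOCK_RE = re.compile(
    r"block in on (?P<iface>\w+): \(.*?\) "
    r"(?P<src>" + IPV4 + r")\.\d+ > (?P<dst>" + IPV4 + r")\.\d+:")


def day_prefix(d):
    """Syslog-style day prefix: month abbreviation and a space-padded day
    ("May  6"), i.e. what `date +%b" "%e` prints; %d would give "May 06"."""
    return "{:%b} {:2d}".format(d, d.day)


def count_blocks(log_text, prefix, whitelist=()):
    """Return {interface: Counter(address -> hits)} for the log lines of one day,
    counting every address on a blocked line that is neither excluded nor whitelisted."""
    allow = {ip_address(w) for w in whitelist}
    per_iface = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.startswith(prefix):
            continue
        m = BLOCK_RE.search(line)
        if not m:
            continue
        for addr in (m.group("src"), m.group("dst")):
            ip = ip_address(addr)
            if ip in allow or any(ip in net for net in EXCLUDED):
                continue
            per_iface[m.group("iface")][addr] += 1
    return per_iface


def ranked(counter):
    """(address, hits) pairs, most frequent first, ties broken by address."""
    return sorted(counter.items(), key=lambda kv: (-kv[1], kv[0]))


def report(per_iface, prefix):
    """Text in the style of the script's per-interface header and address list."""
    out = []
    for iface in sorted(per_iface):
        out.append("The Following Address(es) were Blocked on Interface %s on %s" % (iface, prefix))
        for addr, hits in ranked(per_iface[iface]):
            out.append("  %-15s found [ %d ] times" % (addr, hits))
    return "\n".join(out)


SAMPLE_DAY_PREFIX = day_prefix(date(2014, 5, 6))   # the constructed log's day

if __name__ == "__main__":
    print(report(count_blocks(SAMPLE_LOG, SAMPLE_DAY_PREFIX, WHITELIST), SAMPLE_DAY_PREFIX))
```

      On the sample, bce0 reports 87.106.52.183 twice and 61.174.51.200 once, bge0 reports 176.32.101.137 once (the only non-private address on that outbound line), and the multicast, whitelisted and previous-day lines contribute nothing; passing the zero-padded "May 06" prefix instead returns an empty result, which is exactly the symptom the thread works through.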
        Bismarck:

        Hi, is this still working? Tried it with 2.1.2 but no luck, even the patch from http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff applies without an error.

          BBcan177 (Moderator):

          @Bismarck:

          Hi, is this still working? Tried it with 2.1.2 but no luck, even the patch from http://files.pfsense.org/jimp/patches/pf-log-oneline-option-2.1.1.diff applies without an error.

          Hi Bismarck,

          The 2.1.1 patch is working for me on 2.1.2

          What issue are you having, can you be more specific?

          Thanks.

            Pistolero:

            Thank you for the script!

            I don't think it is working for me, though. I applied the 2.1.1 patch on 2.1.3, enabled one-line logging in log settings, and touched the whitelist file. I did that about 3 hours ago. Still, all I get from the script is this:

            ==========================================================
            The Following Address(es) were Blocked on Interface re0 on May 05

            ==========================================================
            The Following Address(es) were Blocked on Interface re1 on May 05

            I am running 2.1.3 x64 and I have a TON of block lists in PFBlocker.

            Can you please assist in troubleshooting?

              BBcan177 (Moderator):

              Hi Pistolero,

              I think I see the issue, for some reason the logs have changed in pfSense or I didn't test it on a singular date. The Date function used a Zero filled value when it needs a single digit variable. Need to change the "d" date variable to an "e" variable.

              Change this line

              event=$(date +%b" "%d)

              to

              event=$(date +%b" "%e)

              Save and try it again.

                Bismarck:

                @BBcan177:

                Hi Pistolero,

                I think I see the issue, for some reason the logs have changed in pfSense or I didn't test it on a singular date. The Date function used a Zero filled value when it needs a single digit variable. Need to change the "d" date variable to an "e" variable.

                Change this line

                event=$(date +%b" "%d)

                to

                event=$(date +%b" "%e)

                Save and try it again.

                Hi BBcan177, I have the same problem as Pistolero, which is no blocks shown. And where do we need to change that line? I can't find that in pf-log-oneline-option-2.1.1.diff ???

                  BBcan177 (Moderator):

                  Hi Bismarck,

                  You need to change that in the pfcount script. It's near the top of the script. Line 4.

                  If you followed the original instructions, you can edit it in the filer package.

                    Bismarck:

                    Works great now! Thank you!

                    Command output: pfBlocker Hit Counter (/stuff/pfcount)

                    ==========================================================
                    The Following Address(es) were Blocked on Interface bce0 on May  6

                    61.174.51.200
                    213.113.206.131

                    ==========================================================
                    pfBlockerEmerging_OPFAS.txt:61.174.51.194/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.195/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.196/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.197/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.198/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.199/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.200/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.201/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.202/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.203/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.204/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.205/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.207/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.208/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.209/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.210/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.211/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.212/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.213/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.214/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.215/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.216/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.217/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.218/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.219/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.220/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.221/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.222/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.223/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.224/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.225/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.226/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.227/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.228/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.229/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.230/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.232/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.233/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.234/32
                    pfBlockerEmerging_OPFAS.txt:61.174.51.235/32

                    EVENT [ 61.174.51.200.6000 > 213.252.49.13.22 ]

                    Blocked IP [ 61.174.51.200 ] on bce0, found [ 1 ] times
                    ---------------------------------------------------------
                          IP Address         = 61.174.51.200
                          Threat Level       = High
                          Threat Category    = Malware Propagator
                          Threat Description = Malware scan and infect source
                          Hostname           =
                          Service Provider   = CHINANET-ZJ HUZHOU NODE NETWORK
                          Domain Name        = CHINATELECOM.COM.CN
                          ASN Number         =
                          ASN Name           =
                          Network Speed      = DSL
                          Country CC         = CN
                          Country            = CHINA
                          Region             = ZHEJIANG
                          City               = HANGZHOU
                          Longitude          = 120.161422729492
                          Latitude           = 30.2936496734619

                    ==========================================================
                    Address not found in any current lists

                    EVENT [ 213.113.206.131.1248 > 213.252.49.13.23 ]

                    Blocked IP [ 213.113.206.131 ] on bce0, found [ 1 ] times
                    ---------------------------------------------------------
                          IP Address         = 213.113.206.131
                          Threat Level       = Unverified
                          Threat Category    =
                          Threat Description =
                          Hostname           =
                          Service Provider   = B2 BREDBAND AB
                          Domain Name        = BREDBAND.COM
                          ASN Number         =
                          ASN Name           =
                          Network Speed      = DSL
                          Country CC         = SE
                          Country            = SWEDEN
                          Region             = VARMLANDS LAN
                          City               = KARLSTAD
                          Longitude          = 13.5035696029663
                          Latitude           = 59.3792991638184

                    ==========================================================
                    The Following Address(es) were Blocked on Interface bce1 on May  6

                    ==========================================================
                    The Following Address(es) were Blocked on Interface bce2 on May  6

                    But it would be nice to have just the IPs listed, which are blocked and not all in that segment, see above.

                    Anyway thank you very much. :)

                      Pistolero:

                      Damn, you're good! That did the trick! Thank you!

                      @BBcan177:

                      Hi Pistolero,

                      I think I see the issue, for some reason the logs have changed in pfSense or I didn't test it on a singular date. The Date function used a Zero filled value when it needs a single digit variable. Need to change the "d" date variable to an "e" variable.

                      Change this line

                      event=$(date +%b" "%d)

                      to

                      event=$(date +%b" "%e)

                      Save and try it again.

                        Pistolero:

                        Hi BBcan,

                        I LOVE YOUR SCRIPT!!!

                        Can I humbly request the addition of an option to enable name resolution for the IPs listed in the report? It would help me greatly to troubleshoot a stupid app which will not work and I don't know what is blocking it.

                        Thank you sir!

                          BBcan177 (Moderator):

                          Hi Pistolero,

                          Thanks. The BotHunter lookup should provide all of the Name Resolution. Typically if it doesn't report some of the details, then the IP is most likely malicious or BotHunter doesn't have it in its database.

                          Can you post the IP and the Bothunter report for the one that's causing you an issue?

                          If you want a quick and dirty method to see which Blocklist has a certain IP, you can run the following command in an SSH shell or from the Diagnostics:Command Prompt.

                          grep "x.x.x.x" /var/db/aliastables/*

                          or just search with the (x.x.x.) First Three octets as the IP address you want to find as the address could be in a CIDR Range.

                          @Bismarck et al

                          You can modify the script with these lines so it will report fewer lines in the output.

                          The first line has the ^$ii changed to ^$i, and the next line is new.

                          # the (/|$) anchor keeps e.g. 1.2.3.4 from also matching 1.2.3.40/32
                          blist=$(grep -H -E "^$i"'(/|$)' $lists | sed 's/\/var\/db\/aliastables\// /g')
                          if [ -z "$blist" ]; then blist=$(grep -H "^$ii\." $lists | sed 's/\/var\/db\/aliastables\// /g'); fi

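                          As an added example that is not from this thread or the pfBlocker package: a Python lookup that checks CIDR containment with the standard ipaddress module instead of grepping on the first three octets. The alias table names and entries below are constructed sample data, not real list contents. It generalizes the exact-then-prefix grep above: only entries that actually cover the address are listed (the shorter output Bismarck asked for), and a range wider than a /24 that a three-octet search cannot see is still found; octet_prefix_matches() reproduces the grep's behaviour for comparison.

```python
from ipaddress import ip_address, ip_network

# Constructed alias tables, modelled on the /var/db/aliastables/<list>.txt lines
# quoted in the thread (one address or CIDR block per line). File names and
# contents are hypothetical sample data.
ALIAS_TABLES = {
    "pfBlockerAlienvault.txt": ["87.106.52.0/24", "62.112.100.0/24"],
    "pfBlockerET.txt": ["87.106.52.92/32"],
    "pfBlockerEmerging_OPFAS.txt": ["61.174.51.194/32", "61.174.51.200/32", "61.174.51.201/32"],
    "pfBlockerinfiltrated.txt": ["62.112.100.44/32", "61.174.51.0/24"],
    "pfBlockerOther.txt": ["61.174.0.0/16", "176.32.101.137"],
}


def find_in_tables(ip_str, tables):
    """Entries that actually contain ip_str, as (table, entry) pairs: an exact
    host entry first, then the covering ranges from most to least specific."""
    ip = ip_address(ip_str)
    hits = []
    for name, entries in tables.items():
        for entry in entries:
            net = ip_network(entry, strict=False)   # a bare address is treated as a /32
            if ip in net:
                hits.append((net.prefixlen, name, entry))
    return [(name, entry) for _, name, entry in sorted(hits, key=lambda h: (-h[0], h[1], h[2]))]


def octet_prefix_matches(ip_str, tables):
    """What the script's grep '^a.b.c' does: every entry starting with the
    address's first three octets, whether or not it covers the address."""
    prefix = ".".join(ip_str.split(".")[:3]) + "."
    return [(name, e) for name, entries in tables.items()
            for e in entries if e.startswith(prefix)]


def format_hits(hits):
    """One ' table:entry' line per hit, like the script's blist, or its not-found text."""
    if not hits:
        return " Address not found in any current lists"
    return "\n".join(" %s:%s" % (name, entry) for name, entry in hits)


if __name__ == "__main__":
    for addr in ("61.174.51.200", "87.106.52.183", "176.32.101.137", "203.0.113.5"):
        print("Blocked IP [ %s ]" % addr)
        print(format_hits(find_in_tables(addr, ALIAS_TABLES)))
        print("  (a three-octet grep would list %d entries)\n"
              % len(octet_prefix_matches(addr, ALIAS_TABLES)))
```

                          For 61.174.51.200 the containment check returns the /32, the /24 and the /16 that cover it, while the three-octet grep returns four unrelated /32 and /24 entries and never sees the /16; for 87.106.52.183 only the /24 is reported, not the neighbouring .92/32 host entry.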
                            Pistolero:

                            Hi BBcan!

                            I am really missing your awesome script on 2.2! Any idea how to make it work?

                            Thanks!

                              q54e3w:

                              Check out BBCan's recent pfBlockerNG package - I think that will do what you want.

                                BBcan177 (Moderator):

                                @Pistolero:

                                Hi BBcan!

                                I am really missing your awesome script on 2.2! Any idea how to make it work?

                                Thanks!

                                It's been a while since I looked at that… Are you using pfBlockerNG? Maybe that will provide all you need?

                                  Pistolero:

                                  @BBcan177:

                                  @Pistolero:

                                  Hi BBcan!

                                  I am really missing your awesome script on 2.2! Any idea how to make it work?

                                  Thanks!

                                  It's been a while since I looked at that… Are you using pfBlockerNG? Maybe that will provide all you need?

                                  I have tried pfBlockerNG, but I am currently unable to make it work (I get the dreaded "-" in the packet list, and multiple errors downloading the lists). If time permits I'll make a post on the NG thread about my woes with it…

                                  Thank you, sir!

                                    wcrowder:

                                    I've installed then reinstalled pfBlockerNG so many times it would make you laugh. What are the errors you're getting and what do the logs say? I started with BB's script; this is it, only better. Yell out and I can quickly get you up and running.

                                    @Pistolero:

                                    @BBcan177:

                                    @Pistolero:

                                    Hi BBcan!

                                    I am really missing your awesome script on 2.2! Any idea how to make it work?

                                    Thanks!

                                    It's been a while since I looked at that… Are you using pfBlockerNG? Maybe that will provide all you need?

                                    I have tried pfBlockerNG, but I am currently unable to make it work (I get the dreaded "-" in the packet list, and multiple errors downloading the lists). If time permits I'll make a post on the NG thread about my woes with it…

                                    Thank you, sir!

                                      Pistolero:

                                      hi wcrowder!

                                      I really appreciate your offer to assist. I am overseas (In Medellin, Colombia, actually), and will be back home on March 5th. BBCan, as awesome as he is, also offered to help (you guys rock! thank you!).

                                      If you can, it'd be awesome to have a TeamViewer or WebEx session on or after March 5th. If you are unable to, I'll gather logs and shoot 'em over your way. I'm sure it's not working due to something stupid I did :P

                                      Again, thank you and have a great weekend, sir!
