PfBlockerNG

BBcan177

@panz:

I deleted them from the pfBlockerNGSuppress Alias, but the widget always reports them as suppressed

@wcrowder:

Panz, I followed through your posts and tried to duplicate what you described. I couldn't do it. Worked as expected, have you had any more problems with this?

I could not duplicate this issue in my testing. If I delete an IP is the pfBlockerNGSuppress Alias and run a "Force Update" the widget gets updated accordingly. If I add an IP and "Force Update", it also updates accordingly. However, if you clear all the IPs in the Suppress Alias, and "Force Update", it doesn't clear the Count in the widget. I have a fix, but will add this to the next version, as its more cosmetic and does not affect the "Suppression" function.

panz

Yes, I can duplicate this issue. It goes away if I manually delete the Alias.

Heisenberg1977

Even after clearing the firewall logs this alert gets generated at 5:10am every day generating from my physical host windows box. From the system logs the only thing that I see running at that ungodly hour is the adobe flash updater. In the firewall logs there are 9 outbound attempts with my WAN address listed as the destination. I am using the reputation feature of pfBlockerNG but still can't figure out why my LAN IP of 192.168.1.200 would get blocked.

So far so good with the block lists but one thing that is perplexing me in the alert logs is a random alert that has been generated a few times over a 24 hour period.

If you make rule changes, this can re-order the Rule Numbers, and the logs can become out of sync. Clear the Firewall log and it should be fine after that!

BBcan177

@Heisenberg1977:

The rule being triggered links to a blacklist that I am using from infiltrated.net. In the list column it shows "No Match". Can you explain what this means?

Hi Heisenberg1977,

I can't see the Destination IP as you have obfuscated it.

Try to run the one of the following commands from the shell or from the GUI Diagnostics:Command :

[ Using [b]1.2.3.4 as an IP, change it to reflect the IP that is in question ]

grep "^1.2.3." /var/db/aliastables/pfB_Infiltratednet.txt
    or
          grep "^1.2." /var/db/aliastables/pfB_Infiltratednet.txt
    or
          grep "^1." /var/db/aliastables/pfB_Infiltratednet.txt

I assume that the IP being blocked is in a large CIDR that the Alerts tab is not matching. You will have to sift tru the output and see if you can find a match.

Note - you can also try changing the path/folder to the following if you have multiple Lists inside an Alias, as the  /var/db/aliastables  folder is a compilation of all the lists in an alias.

/var/db/pfblockerng/deny/*

or You can view the Aliastable in the Log Browser, and scroll tru the list to see what IP CIDR is the cause of the Block.

BBcan177

@panz:

Yes, I can duplicate this issue. It goes away if I manually delete the Alias.

Can you confirm that adding/removing a single IP doesn't update the widget Suppress count (following a "Force Update") or is the issue removing all of the IPs in an Alias? Are you hitting "Save" and then "Apply" to save the Alias after making changes? This is a full install of pfSense correct? Its not a Nano, or Ramdisk Install?

panz

@BBcan177:

@panz:

Yes, I can duplicate this issue. It goes away if I manually delete the Alias.

Can you confirm that adding/removing a single IP doesn't update the widget Suppress count (following a "Force Update") or is the issue removing all of the IPs in an Alias? Are you hitting "Save" and then "Apply" to save the Alias after making changes? This is a full install of pfSense correct? Its not a Nano, or Ramdisk Install?

I can confirm that removing (for example) eight out of ten IPs from the Alias, the widget doesn't update the number correctly. Yes, I always commit a "Force Update" and even a reboot. It's a ful install of pfSense (see my signature for hardware reference).

panz

Update: I did a complete software reinstall and the problem went away.

Heisenberg1977

I found my WAN IP contained in the Infiltrated Web Attackers list. I've been leased this IP for a while now. The description in the list says that it is compiled on an hourly basis. I am now questioning the accuracy of the list. I don't believe that anything malicious is originating from inside my network. Then again, I could be wrong.

I can't see the Destination IP as you have obfuscated it.

Try to run the one of the following commands from the shell or from the GUI Diagnostics:Command :

[ Using [b]1.2.3.4 as an IP, change it to reflect the IP that is in question ]

grep "^1.2.3." /var/db/aliastables/pfB_Infiltratednet.txt
    or
          grep "^1.2." /var/db/aliastables/pfB_Infiltratednet.txt
    or
          grep "^1." /var/db/aliastables/pfB_Infiltratednet.txt

I assume that the IP being blocked is in a large CIDR that the Alerts tab is not matching. You will have to sift tru the output and see if you can find a match.

Note - you can also try changing the path/folder to the following if you have multiple Lists inside an Alias, as the  /var/db/aliastables  folder is a compilation of all the lists in an alias.

/var/db/pfblockerng/deny/*

or You can view the Aliastable in the Log Browser, and scroll tru the list to see what IP CIDR is the cause of the Block.

BBcan177

@Heisenberg1977:

I found my WAN IP contained in the Infiltrated Web Attackers list

Send an email to    webattackers  @  infiltrated [dot]  net    and ask to be taken off the list. As a safe measure, you can always add your WAN ip to the suppress list.

Infiltrated is run by  J. Oquendo

Some of his recent posts…
  http://seclists.org/nanog/2015/Feb/326
  http://seclists.org/nanog/2015/Feb/351

Bummer

BBcan177,

You're the man! He has an answer for everything!  :)

Heisenberg1977

Yes for sure. BBCan177 I will be making a contribution for your efforts soon. I am a big fan of pfBlockerNG.

Now I am concerned that my leased IP is on a web attackers blacklist. I am hoping to find the time to configure Splunk as a SIEM. In the meantime I am trying to look into a few entries found in the logs to determine the source. I installed the Sysinternals SysMon tool so that I could get a verbose look at network connections originating from my Windows box but I cannot find a few of the entries that are being flagged in pfBlockerNG. Take for instance a http call out to 184.168.229.128 is flagged by the Alienvault blocklist. I thought I could trace back by source port in syslog but it is nowhere to be found in my event logs. Any ideas?

BBcan177

Hi Heisenberg1977,

In the Alerts Tab, you can click on the "!" icon for any alerted IP and it will open a second page which does a DNS Resolve. Clicking on "DNS Lookup" will open a page with several Sites where you can lookup the IP to gather some intel.

I am a big fan of "Security Onion"… You should check it out!

http://blog.securityonion.net/p/securityonion.html
  https://code.google.com/p/security-onion/wiki/IntroductionToSecurityOnion

Heisenberg1977

I just found the lookup feature a few minutes before you posted it. Real nice!. I'm still searching for a good Windows tool that will allow me to have a granular look at all network activity. Sysmon's ability to write to the event logs is great as it gives the ability to easily go back and search. It's logging a lot of stuff but my search did not pick up anything with destination address 184.168.x.x unfortunately.

BBcan177

Try the pfSense package ntopng…

kilthro

Wow this package has really taken off. I have been away from all of this for a while. I had to reinstall my firewall and noticed that pfblocker (original wasnt a package anymore). I got this installed and I am amazed with what you can do.. I do have a quick question though.. How would i go about pulling all of the custom ips that I had set up in lists in the old pfblocker? I have the backed up config file for pfsense.. Am I able to pull them out of that somehow? I had some very extensive lists that I would like to duplicate on this pacakge without having to manually search and locate all of the ips again…

Good Job on this package bbcan! Sorry i fell off on the beta testing.. just got super busy with work and never had the opportunity to play with it.

BBcan177

@kilthro:

How would i go about pulling all of the custom ips that I had set up in lists in the old pfblocker?

If you goto Diagnostics:Command Prompt in the GUI -

And in the PHP Execute Box type :

print base64_decode("  coded String  ");

So you will need to view the config.xml file (or the Backup file) and find the old pfBlocker Alias and look for the line "coded string" and copy the "coded string" part …

It will output the decoded string to the Screen.

Hope this helps!

kilthro

@BBcan177:

@kilthro:

How would i go about pulling all of the custom ips that I had set up in lists in the old pfblocker?

If you goto Diagnostics:Command Prompt in the GUI -

And in the PHP Execute Box type :

print base64_decode("  Decoded String  ");

So you will need to view the config.xml file (or the Backup file) and find the old pfBlocker Alias and look for the line "decoded string" and copy the "decoded string" part …

It will output the decoded string to the Screen.

Hope this helps!

Thanks alot!! I got most of them from that section that all of these are kept at. However when trying to get the custom ips I copied the code that is beteen the and I am getting.

Parse error: syntax error, unexpected end of file in /usr/local/www/exec.php(250) : eval()'d code on line 2

I copied exactly what was there. I used notepad to copy as well as adobe dreamworks since it formats it as it should… same result.. Am i doing it wrong?
===== edit=======

Well i just did a round about way.. Since I restored off of the config file, the pfblocker folder is there in my hierarchy.. I went into it and there is a txt file that has the list there.. I just opened it and copied the info out of it.. So I am good now..
Thanks for your help!!

BBcan177

@kilthro:

Parse error: syntax error, unexpected end of file in /usr/local/www/exec.php(250) : eval()'d code on line 2

Make sure the Coded string that you copied is pasted inside the quotation marks and at the end of the command there is the semi-colon.

kilthro

@BBcan177:

@kilthro:

Parse error: syntax error, unexpected end of file in /usr/local/www/exec.php(250) : eval()'d code on line 2

Make sure the Decoded string that you copied is pasted inside the quotation marks and at the end of the command there is the semi-colon.

ah.. that was my mistake.. works like a charm now.. :-D

BBcan177

News - Emerging Threats acquired by Proofpoint? Wonder what this means for the Open Rulesets and lists?

https://proofpoint.com/us/proofpoint-signs-definitive-agreement-acquires-emerging-threats?utm_campaign=Project+Erie&utm_source=hs_email&utm_medium=email&utm_content=16303236&_hsenc=p2ANqtz-8E0j1nitfkn_rbVyujlv55UteYuZ9GuEWyH3Wlqv6AeMtvS1oRNnbvgA1qSFYfgAgV456PhtiJ7L2-_RZjlyTZ-EOTWA&_hsmi=16303236