OPNsense Forum

Archive => 17.1 Legacy Series => Topic started by: rhyse on May 25, 2017, 10:59:21 pm

Title: Malware Patrol Lists
Post by: rhyse on May 25, 2017, 10:59:21 pm
Hi

Firstly thanks for the project.

I am trying to use the Malware Patrol lists in the "Remote ACLs" section of the Web Proxy service, in particular I am looking at their Ransomware Block lists (Would like their Malicious URL feeds at some point). The issue is I am unable to get the lists into Squid. I think it has to do with the "header" on their files, is there a way to update the "download" script to cater for this? (I don't know where to find the script, so I may be able to tinker if I know where it is. But I am no programmer etc)

Files look along the lines of

This one is from a squidguard formatted list
===
#
#        Malware Patrol - Block List - https://www.malwarepatrol.net
#
#   Please do not update this list more often then every day.
#
#   Copyright (c)  2014 - Andre Correa - Malware Patrol - Malware Block List
#   This information is provided as-is and under the Terms and Conditions
#   available in the following address:
#
#   https://www.malwarepatrol.net/terms.shtml
#
#   Using this information indicates your agreement to be bound by these
#   terms. If you do not accept them, please delete this file immediately.
#
#   You can report false positives or broken rules/signatures to:
#   fp (a t) malwarepatrol.net
#
#   Cdmk5j392k2mcldleoqi44m3k1928rma
#

aakwbrbjtqja.co.uk/
aalgiftswdyhvj.net/
aanrhfftgveq.ru/
aasyjiubathqd.info/
...
...
...
yxxebtrcenbm.info/
yynleigitdls.biz/
====

This is from a SQUID formatted list
====
#
#        Malware Patrol - Block List - https://www.malwarepatrol.net
#   List for Squid
#   Generated at: 20170525195759 UTC
#
#   Please do not update this list more often than every hour.
#
#   Copyright (c)  2017 - Andre Correa - Malware Patrol - Malware Block List
#   This information is provided as-is and under the Terms and Conditions
#   available in the following address:
#
#   https://www.malwarepatrol.net/terms.shtml
#
#   Using this information indicates your agreement to be bound by these
#   terms. If you do not accept them, please delete this file immediately.
#
#   You can report false positives or broken rules/signatures to:
#   fp (a t) malwarepatrol.net
#
#   Kn2su6fOsZ5fnhesG2hPPMDDDX3LYM3y
#


^http\:\/\/(.+@)?(.+.)?018fe96b-a-62cb3a1a-s-sites\.googlegroups\.com
^http\:\/\/(.+@)?(.+.)?01iki0sx\.15311223344\.com
^http\:\/\/(.+@)?(.+.)?02307\.net
...
...
^http\:\/\/(.+@)?(.+.)?zzzwcbpvsn\.centade\.com
====

I have had a look at the resultant files that get created and essentially (I don't have a copy to hand), it doesn't get past the "header".

EDIT
====
Resultant File Example Below
====
root@unfw01:/usr/local/etc/squid/acl # cat squidguard
.#
.#      terms. if you do not accept them, please delete this file immediately.
.#      please do not update this list more often than every hour.
.#      available in the following address:
.#      using this information indicates your agreement to be bound by these
.#      generated at: 20170525175853 utc
.#      copyright (c)  2017 - andre correa - malware patrol - malware block list
.#      fp (a t) malwarepatrol.net
.#      this information is provided as-is and under the terms and conditions
.#      list for squidguard - urls
.#      kn2su6fosz5fnhesg2hppmdddx3lym3y
root@unfw01:/usr/local/etc/squid/acl #
====

Malware Patrol provide a working example at the following location: http://www.malware.com.br/MalwarePatrolDownload.sh

Any help/advice is appreciated

Thanks
Title: Re: Malware Patrol Lists
Post by: rhyse on May 31, 2017, 01:00:27 am
Hi

So I have found another list (different provider) that doesn't have a "header" to the file. That seems to be working fine.

I have also found /usr/local/opnsense/scripts/proxy/fetchACLs.py - is this the correct file to be looking at?

Traditionally from bash (previous solutions) I would just do something like "sed '/^#/ d'" to filter those lines out

Any help is appreciated
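The comment-stripping step described above (the `sed '/^#/ d'` idea) as an added example; this is not OPNsense's fetchACLs.py and the sample list text is constructed to mirror the Malware Patrol header shown earlier in the thread:

```python
"""Added example (not OPNsense's fetchACLs.py): drop the Malware Patrol
header comments from a downloaded list and emit Squid ACL entries."""
import re

# Constructed sample mirroring the squidguard-formatted list posted above.
SAMPLE_SQUIDGUARD = """#
#        Malware Patrol - Block List - https://www.malwarepatrol.net
#
#   Please do not update this list more often then every day.
#

aakwbrbjtqja.co.uk/
aalgiftswdyhvj.net/
yynleigitdls.biz/
"""

HOST_RE = re.compile(r"^[a-z0-9.-]+$")


def strip_comments(text):
    """Return non-empty lines that do not start with '#' (the sed '/^#/ d' idea)."""
    return [line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")]


def to_dstdomain(text):
    """Turn a squidguard-style list (host with trailing '/' and optional path)
    into Squid 'dstdomain' entries: host part only, lower-cased, with a leading
    '.' so subdomains match too. Anything that is not a plain hostname is
    skipped rather than written into the ACL."""
    entries = set()
    for line in strip_comments(text):
        host = line.split("/", 1)[0].lower()
        if HOST_RE.match(host) and "." in host:
            entries.add("." + host.lstrip("."))
    return sorted(entries)


def to_url_regex(text):
    """For the Squid-formatted list, keep only the '^http...' regex lines
    (after comment stripping) for use in a 'url_regex' ACL."""
    return [line for line in strip_comments(text) if line.startswith("^")]


if __name__ == "__main__":
    for entry in to_dstdomain(SAMPLE_SQUIDGUARD):
        print(entry)
```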
Title: Re: Malware Patrol Lists
Post by: mimugmail on May 31, 2017, 10:08:28 am
You could also include the FireHOL_Level1 list in your Firewall rules to add additional protection.

http://iplists.firehol.org/

Include like this:

https://docs.opnsense.org/manual/how-tos/edrop.html

(It also includes edrop etc.)
Title: Re: Malware Patrol Lists
Post by: rhyse on May 31, 2017, 11:31:30 pm
Hi

Thanks for the tip, have set them up, but it does pose the question of how best to use floating rules. Need to figure that one out with multiple WANs and LANs.

Thanks