Topics - rhyse

#1
18.7 Legacy Series / Logging data length
January 23, 2019, 01:55:58 PM
Hi

I am having an issue, whereby all TCP connections are showing a data-length of 0, in the logs.

The UDP and ICMP logs seem to be returning the values, although icmp could do with dropping the string "datalength="


TCP log - I assume data size should be the field after "443" (destination port) and before the "SEC" (meant to be TCP-Flags)
filterlog: 74,,,0,vmx1,match,pass,out,4,0x2,0,127,27104,0,DF,6,tcp,52,192.168.0.22,54.225.132.4,7680,443,0,SEC,362891810,,8192,,mss;nop;wscale;nop;nop;sackOK

UDP data size last entry
filterlog: 74,,,0,vmx1,match,pass,out,4,0x0,,64,4717,0,none,17,udp,96,192.168.0.22,9.9.9.9,52596,53,76

ICMP data size last entry
filterlog: 65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,192.168.105.11,192.168.105.1,datalength=36

Now I may be completely reading the logs wrong, but I just can't seem to figure it out

Any help or clarification is appreciated

Thanks
PS: I have been reviewing the log format against https://www.netgate.com/docs/pfsense/monitoring/filter-log-format-for-pfsense-2-2.html
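When the column positions are in doubt, parsing the line by the documented field order is more reliable than counting by eye. The following is an added example (not code from the post or from OPNsense) that splits filterlog lines by the pfSense 2.2+ layout the post links to, using the three lines quoted above as input; the class and function names are my own, and it handles the IPv4 layout only.

```python
import csv
from dataclasses import dataclass
from typing import Optional

# The three lines quoted in the post above, used here as sample input.
SAMPLE_LINES = [
    "filterlog: 74,,,0,vmx1,match,pass,out,4,0x2,0,127,27104,0,DF,6,tcp,52,192.168.0.22,54.225.132.4,7680,443,0,SEC,362891810,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "filterlog: 74,,,0,vmx1,match,pass,out,4,0x0,,64,4717,0,none,17,udp,96,192.168.0.22,9.9.9.9,52596,53,76",
    "filterlog: 65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,192.168.105.11,192.168.105.1,datalength=36",
]

@dataclass
class FilterLogEntry:
    interface: str
    action: str
    direction: str
    proto: str
    ip_length: int                      # IP total length (headers + payload)
    src: str
    dst: str
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    data_length: Optional[int] = None   # the protocol-specific "data length" column
    tcp_flags: Optional[str] = None

def parse_filterlog(line: str) -> FilterLogEntry:
    """Split one filterlog line by the documented field order (IPv4 layout only)."""
    if line.startswith("filterlog:"):
        line = line.split(":", 1)[1].strip()   # drop the syslog program prefix
    f = next(csv.reader([line]))
    # Common part: rule, sub-rule, anchor, tracker, interface, reason, action, direction, ip version
    if f[8] != "4":
        raise ValueError("this example only handles the IPv4 field layout")
    # IPv4 part: tos, ecn, ttl, id, offset, flags, proto id, proto text, length, src, dst
    entry = FilterLogEntry(f[4], f[6], f[7], f[16], int(f[17]), f[18], f[19])
    rest = f[20:]                                # protocol-specific columns follow
    if entry.proto in ("tcp", "udp"):
        # tcp: src port, dst port, data length, flags, seq, ack, window, urg, options; udp: first three
        entry.src_port, entry.dst_port, entry.data_length = int(rest[0]), int(rest[1]), int(rest[2])
        if entry.proto == "tcp":
            entry.tcp_flags = rest[3]
    elif entry.proto == "icmp":
        # The ICMP line in the post carries the length as a "datalength=N" token
        for token in rest:
            if token.startswith("datalength="):
                entry.data_length = int(token.split("=", 1)[1])
    return entry

if __name__ == "__main__":
    for e in map(parse_filterlog, SAMPLE_LINES):
        print(e.proto, e.src, "->", e.dst, "data_length =", e.data_length, "flags =", e.tcp_flags)
```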
#2
Development and Code Review / Seemingly Simple Plugin
February 05, 2018, 11:31:56 PM
Hi

I am trying to create a simple plugin that takes a variable then outputs the output to the screen. I have tried bastardising the arp-scanner plugin but seem to have got stuck (I am not a programmer/developer by any means).

Essentially I would like something similar to the traceroute / ping options under Interfaces -> Diagnostics.

But I can't find those under the opnsense/plugins git. If you want to look at my initial very poor attempt you can find it here: https://github.com/rhysxevans/plugins/tree/master/security/nmap

Any chance to get the code for the ping / traceroute "plugins" ?

Once I have the initial command one working, I can potentially look at adding checkboxes etc. for the variables.

Basically, I need a portscanner and OS identifier (will look at extending this).

Any help is appreciated

Thanks

#3
General Discussion / Feature Request: Route Based VPN
December 31, 2017, 10:08:46 AM
Hi

Is there the possibility to support route based VPNs? This is becoming more prevalent when connecting to specific cloud providers (i.e. Azure).

IE: (I haven't verified any of the links as working implementations)
https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
https://vincent.bernat.im/en/blog/2017-route-based-vpn

Thoughts?

Thanks
#4
17.1 Legacy Series / Firehol Rules
June 01, 2017, 12:29:36 AM
Hi

I am trying to integrate the Firehol Level 1 lists into OPNsense at present. I am doing this via Firewall -> Aliases -> View -> URL Table (IPs) with the URL being https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset. On filter reload I am getting the following event logged:

1496267674.0472: There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table firehol_level1: Cannot allocate memory - The line in question reads [24]: table  persist file "/var/db/aliastables/firehol_level1.txt"

I have googled and come across some PFsense issues with similar messages particularly https://redmine.pfsense.org/issues/4876 (this may be of no relevance)

root@unfw01:~ # pfctl -f /tmp/rules.debug
/tmp/rules.debug:24: cannot define table firehol_level1: Cannot allocate memory
/tmp/rules.debug:26: cannot define table firehol_level2: Cannot allocate memory
/tmp/rules.debug:28: cannot define table firehol_level3: Cannot allocate memory
/tmp/rules.debug:30: cannot define table firehol_level4: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

Hardware wise
Intel Celeron 3215U @ 1.70GHz (2 cores) (load at present: 0.37, 0.34, 0.28)
8GB RAM (16% in use)
41GB disk (4% used, UFS)

Any thoughts? Anyone able to replicate?

Any help appreciated

Thanks
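Before chasing "Cannot allocate memory" on a pf table, it is worth knowing how many entries the alias files actually contain: every non-comment line of a .netset becomes one table entry, and pf enforces a table-entries hard limit that `pfctl -sm` reports. The following is an added example (not OPNsense code) that parses a netset the way pf will see it, flags lines pfctl would reject, and compares the summed count of all URL-table aliases with a limit you pass in; the sample list is constructed, and the function names and the limit value used in the usage line are assumptions, not the defaults of any particular release.

```python
import ipaddress

# Constructed sample in FireHOL .netset layout: comment header, blank lines,
# bare IPs and CIDR prefixes, plus one malformed line to show the validation.
SAMPLE_NETSET = """\
#
# firehol_level1 (constructed sample, not the real list)
#
0.0.0.0/8
5.8.37.0/24
10.0.0.0/8

23.234.28.133
not-an-address
192.0.2.0/24  # trailing comment
"""

def parse_netset(text):
    """Return (networks, bad_lines): one ip_network per non-comment line."""
    networks, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and surrounding whitespace
        if not line:
            continue                             # blank or comment-only line
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, raw))            # pfctl would reject the whole table on this
    return networks, bad

def table_entry_check(tables, limit):
    """tables: {alias name: netset text}. Compare the summed entry count with pf's limit."""
    counts = {name: len(parse_netset(text)[0]) for name, text in tables.items()}
    total = sum(counts.values())
    return {"counts": counts, "total": total, "fits": total <= limit}

if __name__ == "__main__":
    # 'limit' should be whatever `pfctl -sm` reports as the table-entries hard limit;
    # 200000 here is only a placeholder value for the demonstration.
    nets, bad = parse_netset(SAMPLE_NETSET)
    print(len(nets), "entries,", len(bad), "rejected line(s):", bad)
    print(table_entry_check({"firehol_level1": SAMPLE_NETSET}, limit=200000))
```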
#5
17.1 Legacy Series / Malware Patrol Lists
May 25, 2017, 10:59:21 PM
Hi

Firstly thanks for the project.

I am trying to use the Malware Patrol lists in the "Remote ACLs" section of the Web Proxy service, in particular I am looking at their Ransomware Block lists (would like their Malicious URL feeds at some point). The issue is I am unable to get the lists into Squid. I think it has to do with the "header" on their files, is there a way to update the "download" script to cater for this? (I don't know where to find the script, so I may be able to tinker if I know where it is. But I am no programmer etc.)

Files look along the lines of

This one is from a squidGuard formatted list
===
#
#        Malware Patrol - Block List - https://www.malwarepatrol.net
#
#   Please do not update this list more often then every day.
#
#   Copyright (c)  2014 - Andre Correa - Malware Patrol - Malware Block List
#   This information is provided as-is and under the Terms and Conditions
#   available in the following address:
#
#   https://www.malwarepatrol.net/terms.shtml
#
#   Using this information indicates your agreement to be bound by these
#   terms. If you do not accept them, please delete this file immediately.
#
#   You can report false positives or broken rules/signatures to:
#   fp (a t) malwarepatrol.net
#
#   Cdmk5j392k2mcldleoqi44m3k1928rma
#

aakwbrbjtqja.co.uk/
aalgiftswdyhvj.net/
aanrhfftgveq.ru/
aasyjiubathqd.info/
...
...
...
yxxebtrcenbm.info/
yynleigitdls.biz/
====

This is from a Squid formatted list
====
#
#        Malware Patrol - Block List - https://www.malwarepatrol.net
#   List for Squid
#   Generated at: 20170525195759 UTC
#
#   Please do not update this list more often than every hour.
#
#   Copyright (c)  2017 - Andre Correa - Malware Patrol - Malware Block List
#   This information is provided as-is and under the Terms and Conditions
#   available in the following address:
#
#   https://www.malwarepatrol.net/terms.shtml
#
#   Using this information indicates your agreement to be bound by these
#   terms. If you do not accept them, please delete this file immediately.
#
#   You can report false positives or broken rules/signatures to:
#   fp (a t) malwarepatrol.net
#
#   Kn2su6fOsZ5fnhesG2hPPMDDDX3LYM3y
#


^http\:\/\/(.+@)?(.+.)?018fe96b-a-62cb3a1a-s-sites\.googlegroups\.com
^http\:\/\/(.+@)?(.+.)?01iki0sx\.15311223344\.com
^http\:\/\/(.+@)?(.+.)?02307\.net
...
...
^http\:\/\/(.+@)?(.+.)?zzzwcbpvsn\.centade\.com
====

I have had a look at the resultant files that get created and essentially (I don't have a copy to hand), it doesn't get past the "header".

EDIT
====
Resultant File Example Below
====
root@unfw01:/usr/local/etc/squid/acl # cat squidguard
.#
.#      terms. if you do not accept them, please delete this file immediately.
.#      please do not update this list more often than every hour.
.#      available in the following address:
.#      using this information indicates your agreement to be bound by these
.#      generated at: 20170525175853 utc
.#      copyright (c)  2017 - andre correa - malware patrol - malware block list
.#      fp (a t) malwarepatrol.net
.#      this information is provided as-is and under the terms and conditions
.#      list for squidguard - urls
.#      kn2su6fosz5fnhesg2hppmdddx3lym3y
root@unfw01:/usr/local/etc/squid/acl #
====

Malware Patrol provide a working example at the following location: http://www.malware.com.br/MalwarePatrolDownload.sh

Any help/advice is appreciated

Thanks
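The resultant file above shows the comment header being lowercased and dot-prefixed as if each line were a domain, so the fix on the consumer side is to drop comment and blank lines and validate what remains before writing the ACL. The following is an added example (not the OPNsense proxy download script) that converts the squidGuard "domain/" layout quoted in the post into Squid dstdomain entries; the sample input is constructed from the post's excerpt, and the function names are my own.

```python
import re

# Constructed sample in the squidGuard layout quoted in the post: comment header,
# blank line, then one 'domain/' per line (domains taken from the post's excerpt,
# with one upper-cased and one duplicated to exercise normalisation).
SAMPLE_SQUIDGUARD_LIST = """\
#
#        Malware Patrol - Block List - https://www.malwarepatrol.net
#
#   Please do not update this list more often then every day.
#

aakwbrbjtqja.co.uk/
aalgiftswdyhvj.net/
AANRHFFTGVEQ.RU/
aasyjiubathqd.info/
aakwbrbjtqja.co.uk/
"""

# A plausible hostname: labels of letters, digits and hyphens, at least one dot.
DOMAIN_RE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def squidguard_to_dstdomain(text):
    """Convert 'domain/' lines to Squid dstdomain entries ('.domain'), skipping the header.

    Returns (entries, rejected): entries are sorted and de-duplicated; rejected holds
    every non-comment line that is not a plausible hostname, so nothing silently
    becomes a bogus ACL entry the way the '.#' lines did.
    """
    entries, rejected = set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                             # header/comment line, not a domain
        host = line.split("/", 1)[0].lower().strip(".")
        if DOMAIN_RE.match(host):
            entries.add("." + host)              # leading dot: match the host and its subdomains
        else:
            rejected.append(raw)
    return sorted(entries), rejected

def write_dstdomain_file(text, path):
    """Write the converted list one entry per line; returns the number of entries written."""
    entries, _ = squidguard_to_dstdomain(text)
    with open(path, "w") as fh:
        fh.write("\n".join(entries) + "\n")
    return len(entries)
```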