Topics - rhyse

1
18.7 Legacy Series / Logging data length
« on: January 23, 2019, 01:55:58 pm »
Hi

I am having an issue, whereby all TCP connections are showing a data-length of 0, in the logs.

The UDP and ICMP logs seem to be returning the values, although icmp could do with dropping the string "datalength="


TCP log - I assume data size should be the field after "443" (destination port) and before the "SEC" (meant to be TCP-Flags)
filterlog: 74,,,0,vmx1,match,pass,out,4,0x2,0,127,27104,0,DF,6,tcp,52,192.168.0.22,54.225.132.4,7680,443,0,SEC,362891810,,8192,,mss;nop;wscale;nop;nop;sackOK
UDP data size last entry
filterlog: 74,,,0,vmx1,match,pass,out,4,0x0,,64,4717,0,none,17,udp,96,192.168.0.22,9.9.9.9,52596,53,76
ICMP data size last entry
filterlog: 65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,192.168.105.11,192.168.105.1,datalength=36
Now I may be completely reading the logs wrong, but I just can't seem to figure it out

Any help or clarification is appreciated

Thanks
PS: I have been reviewing the log format against https://www.netgate.com/docs/pfsense/monitoring/filter-log-format-for-pfsense-2-2.html
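
Added example (not part of the original post, and not OPNsense code): a small parser for the three log lines quoted above, using the field order from the linked pfSense filter log format document. It shows that the TCP entry is a SYN-only segment, which carries no payload, so a data length of 0 is what that entry should contain. The field names and the reading of the flag letters (S = SYN, A = ACK) are assumptions made for this example.

```python
# Field names are this example's own labels for the documented field order.
COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason",
          "action", "direction", "ipversion"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id", "proto",
        "length", "src", "dst"]
L4 = {
    "tcp": ["sport", "dport", "datalen", "tcpflags", "seq", "ack",
            "window", "urg", "options"],
    "udp": ["sport", "dport", "datalen"],
}

# The three log lines quoted in the post.
TCP_LINE = ("filterlog: 74,,,0,vmx1,match,pass,out,4,0x2,0,127,27104,0,DF,6,tcp,52,"
            "192.168.0.22,54.225.132.4,7680,443,0,SEC,362891810,,8192,,"
            "mss;nop;wscale;nop;nop;sackOK")
UDP_LINE = ("filterlog: 74,,,0,vmx1,match,pass,out,4,0x0,,64,4717,0,none,17,udp,96,"
            "192.168.0.22,9.9.9.9,52596,53,76")
ICMP_LINE = ("filterlog: 65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,"
             "192.168.105.11,192.168.105.1,datalength=36")

def parse_filterlog(line):
    """Parse one IPv4 filterlog entry into a dict keyed by field name."""
    parts = line.split("filterlog:", 1)[-1].strip().split(",")
    names = COMMON + IPV4
    if len(parts) < len(names) or parts[8] != "4":
        raise ValueError("not a complete IPv4 filterlog entry")
    rec = dict(zip(names, parts))
    rest = parts[len(names):]
    if rec["proto"] in L4:
        rec.update(zip(L4[rec["proto"]], rest))
        if "datalen" in rec:
            rec["datalen"] = int(rec["datalen"])
    elif rec["proto"] == "icmp":
        # ICMP entries end in type-specific text; the post's sample uses key=value.
        for item in rest:
            if item.startswith("datalength="):
                rec["datalen"] = int(item.split("=", 1)[1])
    return rec

def is_syn_only(rec):
    """Assumption: S = SYN and A = ACK, so S without A opens a connection."""
    flags = rec.get("tcpflags", "")
    return "S" in flags and "A" not in flags

if __name__ == "__main__":
    for line in (TCP_LINE, UDP_LINE, ICMP_LINE):
        r = parse_filterlog(line)
        note = "(SYN only, no payload expected)" if is_syn_only(r) else ""
        print(r["proto"], r["src"], "->", r["dst"], "datalen", r.get("datalen"), note)
```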

2
Development and Code Review / Seemingly Simple Plugin
« on: February 05, 2018, 11:31:56 pm »
Hi

I am trying to create a simple plugin that takes a variable then outputs the output to the screen. I have tried bastardising the arp-scanner plugin but seem to have got stuck (I am not a programmer/developer by any means)

Essentially I would like something similar to the traceroute / ping options under Interfaces -> Diagnostics.

But I can't find those under the opnsense/plugins git. If you want to look at my initial very poor attempt you can find it here https://github.com/rhysxevans/plugins/tree/master/security/nmap .

Any chance to get the code for the ping / traceroute "plugins" ?

Once I have the initial command one working, I can potentially look at adding checkboxes etc for the variables

Basically, I need a portscanner and os identifier (will look at extending this)

Any help is appreciated

Thanks

3
General Discussion / Feature Request: Route Based VPN
« on: December 31, 2017, 10:08:46 am »
Hi

Is there the possibility to support route based VPNs ? This is becoming more prevalent when connecting to specific cloud providers (i.e. Azure)

IE: (I haven't verified any of the links as working implementations)
https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
https://vincent.bernat.im/en/blog/2017-route-based-vpn

Thoughts ?

Thanks

4
17.1 Legacy Series / Firehol Rules
« on: June 01, 2017, 12:29:36 am »
Hi

I am trying to integrate the Firehol Level 1 lists into opnsense at present. I am doing this via Firewall -> Aliases -> View -> URL Table (IPs) with the URL being https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset. On filter reload I am getting the following event logged

1496267674.0472: There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table firehol_level1: Cannot allocate memory - The line in question reads [24]: table  persist file "/var/db/aliastables/firehol_level1.txt"

I have googled and come across some pfSense issues with similar messages particularly https://redmine.pfsense.org/issues/4876 (this may be of no relevance)

root@unfw01:~ # pfctl -f /tmp/rules.debug
/tmp/rules.debug:24: cannot define table firehol_level1: Cannot allocate memory
/tmp/rules.debug:26: cannot define table firehol_level2: Cannot allocate memory
/tmp/rules.debug:28: cannot define table firehol_level3: Cannot allocate memory
/tmp/rules.debug:30: cannot define table firehol_level4: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

Hardware wise
Intel Celeron 3215U @ 1.70GHz (2 cores) (load at present (0.37,0.34,0.28))
8GB RAM (16% in use)
41GB disk (4% used, UFS)

Any thoughts ? Anyone able to replicate ?

Any help appreciated

Thanks

5
17.1 Legacy Series / Malware Patrol Lists
« on: May 25, 2017, 10:59:21 pm »
Hi

Firstly thanks for the project.

I am trying to use the Malware Patrol lists in the "Remote ACLs" section of the Web Proxy service, in particular I am looking at their Ransomware Block lists (Would like their Malicious URL feeds at some point). The issue is I am unable to get the lists into Squid. I think it has to do with the "header" on their files, is there a way to update the "download" script to cater for this ? (I don't know where to find the script, so I may be able to tinker if I know where it is. But I am no programmer etc)

Files look along the lines of

This one is from a squidguard formatted list
===
#
#        Malware Patrol - Block List - https://www.malwarepatrol.net
#
#   Please do not update this list more often then every day.
#
#   Copyright (c)  2014 - Andre Correa - Malware Patrol - Malware Block List
#   This information is provided as-is and under the Terms and Conditions
#   available in the following address:
#
#   https://www.malwarepatrol.net/terms.shtml
#
#   Using this information indicates your agreement to be bound by these
#   terms. If you do not accept them, please delete this file immediately.
#
#   You can report false positives or broken rules/signatures to:
#   fp (a t) malwarepatrol.net
#
#   Cdmk5j392k2mcldleoqi44m3k1928rma
#

aakwbrbjtqja.co.uk/
aalgiftswdyhvj.net/
aanrhfftgveq.ru/
aasyjiubathqd.info/
...
...
...
yxxebtrcenbm.info/
yynleigitdls.biz/
====

This is from a SQUID formatted list
====
#
#        Malware Patrol - Block List - https://www.malwarepatrol.net
#   List for Squid
#   Generated at: 20170525195759 UTC
#
#   Please do not update this list more often than every hour.
#
#   Copyright (c)  2017 - Andre Correa - Malware Patrol - Malware Block List
#   This information is provided as-is and under the Terms and Conditions
#   available in the following address:
#
#   https://www.malwarepatrol.net/terms.shtml
#
#   Using this information indicates your agreement to be bound by these
#   terms. If you do not accept them, please delete this file immediately.
#
#   You can report false positives or broken rules/signatures to:
#   fp (a t) malwarepatrol.net
#
#   Kn2su6fOsZ5fnhesG2hPPMDDDX3LYM3y
#


^http\:\/\/(.+@)?(.+.)?018fe96b-a-62cb3a1a-s-sites\.googlegroups\.com
^http\:\/\/(.+@)?(.+.)?01iki0sx\.15311223344\.com
^http\:\/\/(.+@)?(.+.)?02307\.net
...
...
^http\:\/\/(.+@)?(.+.)?zzzwcbpvsn\.centade\.com
====

I have had a look at the resultant files that get created and essentially (I don't have a copy to hand), it doesn't get past the "header"

EDIT
====
Resultant File Example Below
====
root@unfw01:/usr/local/etc/squid/acl # cat squidguard
.#
.#      terms. if you do not accept them, please delete this file immediately.
.#      please do not update this list more often than every hour.
.#      available in the following address:
.#      using this information indicates your agreement to be bound by these
.#      generated at: 20170525175853 utc
.#      copyright (c)  2017 - andre correa - malware patrol - malware block list
.#      fp (a t) malwarepatrol.net
.#      this information is provided as-is and under the terms and conditions
.#      list for squidguard - urls
.#      kn2su6fosz5fnhesg2hppmdddx3lym3y
root@unfw01:/usr/local/etc/squid/acl #
====

Malware Patrol provide a working example at the following location: http://www.malware.com.br/MalwarePatrolDownload.sh

Any help/advice is appreciated

Thanks
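
Added example (not part of the original post, and not the OPNsense download script): one way to pre-process a list with a comment header like the ones shown above, so that only real entries reach the ACL file. The sample list is constructed for illustration, the function name is hypothetical, and the regex check uses Python's `re` as an approximation of what Squid accepts.

```python
import re

# Constructed sample: comment header, blank lines, domain-style entries
# (trailing "/") and one regex-style entry, mirroring the two formats in the post.
SAMPLE = r"""#
#        Example Block List (constructed)
#   Please do not update this list more often than every hour.
#

Bad-Domain.example/
bad-domain.example/
another.example/
not a domain!
^http\:\/\/(.+@)?(.+.)?blocked\.example
^http(://broken
"""

DOMAIN_RE = re.compile(r"[a-z0-9-]+(\.[a-z0-9-]+)+")

def clean_blocklist(text):
    """Split a downloaded list into (domains, regexes, rejected), dropping the header."""
    domains, regexes, rejected, seen = [], [], [], set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # header comment or blank line: never an ACL entry
        if line.startswith("^"):
            # Regex-style entry: keep case, but refuse patterns that do not compile.
            try:
                re.compile(line)
            except re.error:
                rejected.append(line)
                continue
            key, bucket = line, regexes
        else:
            # Domain-style entry: normalise case and the trailing slash.
            key, bucket = line.rstrip("/").lower(), domains
            if not DOMAIN_RE.fullmatch(key):
                rejected.append(line)
                continue
        if key not in seen:
            seen.add(key)
            bucket.append(key)
    return domains, regexes, rejected

if __name__ == "__main__":
    doms, regs, bad = clean_blocklist(SAMPLE)
    print(len(doms), "domains,", len(regs), "regexes,", len(bad), "rejected")
```

Logging the rejected lines rather than silently dropping them makes it visible when a feed changes format or returns an error page instead of a list.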
