OPNsense Forum
Messages - rhyse

1
18.7 Legacy Series / Re: Logging data length
« on: January 24, 2019, 12:00:40 am »
OK, then there must be something wrong with my logging; all I am seeing is the SEC (or S) entries.

Code:
Jan 23 22:54:38 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9857,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56986,443,0,SEC,44432861,,8192,,mss;nop;wscale;nop;nop;sackOK
Jan 23 22:51:01 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9790,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56954,443,0,SEC,1062647564,,8192,,mss;nop;wscale;nop;nop;sackOK
Jan 23 22:51:01 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9782,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56953,443,0,SEC,378084500,,8192,,mss;nop;wscale;nop;nop;sackOK
Jan 23 22:48:13 filterlog: 74,,,0,vmx0,match,pass,in,4,0x2,0,128,9733,0,DF,6,tcp,52,192.168.56.2,84.45.62.98,56937,443,0,SEC,3979926657,,8192,,mss;nop;wscale;nop;nop;sackOK

for any connection. Any ideas on how to fix my logging? Or am I completely misunderstanding something?


Your help is appreciated

Thanks

2
18.7 Legacy Series / Logging data length
« on: January 23, 2019, 01:55:58 pm »
Hi

I am having an issue, whereby all TCP connections are showing a data-length of 0, in the logs.

The UDP and ICMP logs seem to be returning the values, although ICMP could do with dropping the string "datalength=".


TCP log: I assume the data size should be the field after "443" (destination port) and before "SEC" (meant to be the TCP flags).
Code:
filterlog: 74,,,0,vmx1,match,pass,out,4,0x2,0,127,27104,0,DF,6,tcp,52,192.168.0.22,54.225.132.4,7680,443,0,SEC,362891810,,8192,,mss;nop;wscale;nop;nop;sackOK
UDP: data size is the last entry.
Code:
filterlog: 74,,,0,vmx1,match,pass,out,4,0x0,,64,4717,0,none,17,udp,96,192.168.0.22,9.9.9.9,52596,53,76
ICMP: data size is the last entry.
Code:
filterlog: 65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,192.168.105.11,192.168.105.1,datalength=36
Now I may be completely reading the logs wrong, but I just can't seem to figure it out.

Any help or clarification is appreciated

Thanks
PS: I have been reviewing the log format against https://www.netgate.com/docs/pfsense/monitoring/filter-log-format-for-pfsense-2-2.html
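The lines quoted in this thread (this post and the follow-up above), worked through as an added example that is not code from the thread or from OPNsense: a parser for the 18.7-era filterlog CSV layout that names the columns in the order of the pfSense 2.2+ format document the post links to, and recomputes the data-length column from the IP total length. Read that way the TCP lines are consistent: flags S, E, C are SYN, ECE and CWR (an ECN-setup SYN), and the 52-byte IP packet is a 20-byte IP header plus a 32-byte TCP header (20 bytes plus 12 bytes of options: mss, nop, wscale, nop, nop, sackOK), so a payload of 0 is the correct value for a SYN. For UDP the column holds the UDP length field, which counts the 8-byte UDP header (96 - 20 = 76), and for ICMP it is everything after the IP header (56 - 20 = 36). Seeing nothing but SYNs is what a stateful `pass log` rule produces, because only the packet that creates the state matches the rule; pf's `log (all)` option logs every packet of the state instead. Assumptions are labelled in the code: no IPv4 options (filterlog does not log the IHL), the option-size table, and IPv4 only, since that is all the posted lines contain.

```python
"""Parse OPNsense (pf) filterlog records and cross-check the logged data length.

Added example: not code from the forum thread or from OPNsense. Column order
follows the pfSense 2.2+ filterlog format the post links to; only the IPv4
layout that appears in the posted lines is handled.
"""
import re

# Constructed sample: the three lines quoted in the post, syslog prefix stripped
SAMPLE_LINES = [
    "74,,,0,vmx1,match,pass,out,4,0x2,0,127,27104,0,DF,6,tcp,52,192.168.0.22,"
    "54.225.132.4,7680,443,0,SEC,362891810,,8192,,mss;nop;wscale;nop;nop;sackOK",
    "74,,,0,vmx1,match,pass,out,4,0x0,,64,4717,0,none,17,udp,96,192.168.0.22,9.9.9.9,52596,53,76",
    "65,,,0,vmx1,match,pass,out,4,0x0,,63,21011,0,none,1,icmp,56,192.168.105.11,"
    "192.168.105.1,datalength=36",
]

COMMON = ["rule", "subrule", "anchor", "tracker", "iface", "reason", "action", "direction", "ipver"]
IPV4 = ["tos", "ecn", "ttl", "id", "offset", "ipflags", "proto_id", "proto"]
TCP = ["sport", "dport", "datalen", "tcpflags", "seq", "ack", "window", "urg", "options"]
UDP = ["sport", "dport", "datalen"]

# One letter per TCP flag as filterlog prints them: "SEC" is SYN+ECE+CWR, an ECN-setup SYN
TCP_FLAG_NAMES = {"S": "SYN", "A": "ACK", "F": "FIN", "R": "RST",
                  "P": "PSH", "U": "URG", "E": "ECE", "C": "CWR"}
# Wire size in bytes of the TCP options filterlog names (assumption: values are not logged)
TCP_OPTION_LEN = {"mss": 4, "nop": 1, "wscale": 3, "sackOK": 2, "TS": 10, "eol": 1}
IPV4_HEADER = 20  # assumption: no IP options; filterlog does not log the IHL


def parse_filterlog(line: str) -> dict:
    """Split one record into named fields; accepts a raw line or one with a syslog prefix."""
    fields = line.split("filterlog: ", 1)[-1].strip().split(",")
    rec = dict(zip(COMMON, fields[:9]))
    if rec["ipver"] != "4":
        raise ValueError("only the IPv4 record layout is handled in this example")
    rec.update(zip(IPV4, fields[9:17]))
    rec["length"] = int(fields[17])            # IPv4 total length
    rec["src"], rec["dst"] = fields[18], fields[19]
    tail = fields[20:]
    if rec["proto"] == "tcp":
        rec.update(zip(TCP, tail))
        rec["datalen"] = int(rec["datalen"])
        rec["tcpflags"] = [TCP_FLAG_NAMES.get(c, c) for c in rec["tcpflags"]]
    elif rec["proto"] == "udp":
        rec.update(zip(UDP, tail))
        rec["datalen"] = int(rec["datalen"])
    elif rec["proto"] == "icmp":
        # 18.7-era logs carry the ICMP size as a literal "datalength=NN" tail
        m = re.fullmatch(r"datalength=(\d+)", tail[0]) if tail else None
        rec["datalen"] = int(m.group(1)) if m else None
    else:
        rec["tail"] = tail
    return rec


def expected_datalen(rec: dict) -> int:
    """Recompute what the data-length column should hold from the IP total length.

    TCP:  payload bytes = total - IPv4 header - (20 + options)
    UDP:  filterlog logs the UDP length field, which counts the 8-byte UDP header
    ICMP: everything after the IPv4 header
    """
    if rec["proto"] == "tcp":
        opts = [o for o in rec["options"].split(";") if o]
        tcp_header = 20 + sum(TCP_OPTION_LEN[o] for o in opts)
        return rec["length"] - IPV4_HEADER - tcp_header
    if rec["proto"] in ("udp", "icmp"):
        return rec["length"] - IPV4_HEADER
    raise ValueError(f"unsupported protocol {rec['proto']}")


def only_state_creating_syns(records: list) -> bool:
    """True when every TCP record is a bare SYN, which is what a stateful 'pass log'
    rule produces: only the packet that creates the state matches the rule."""
    tcp = [r for r in records if r["proto"] == "tcp"]
    return bool(tcp) and all("SYN" in r["tcpflags"] and "ACK" not in r["tcpflags"] for r in tcp)


def audit(lines: list) -> list:
    """Return (proto, logged, expected) per record so mismatches stand out."""
    out = []
    for rec in map(parse_filterlog, lines):
        out.append((rec["proto"], rec["datalen"], expected_datalen(rec)))
    return out


if __name__ == "__main__":
    for row in audit(SAMPLE_LINES):
        print(row)
    print("only state-creating SYNs:",
          only_state_creating_syns([parse_filterlog(l) for l in SAMPLE_LINES]))
```

Run against a real `/var/log/filter.log`, a non-zero difference between the logged and recomputed value for a TCP record would point at an IP-options or option-size assumption being wrong, while a log that passes `only_state_creating_syns` simply reflects the default `log` behaviour rather than a logging fault.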

3
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: October 02, 2018, 10:55:41 am »
Hi

I am seeing an issue where the "Sensei Packet Engine" keeps stopping, clicking start makes it come back to life.

Environment: VMware 6.7, 10 GB RAM, 2 x vCPUs (host CPU 2 x E5-2670), disk space 2.2 GB used out of 18 GB, Sensei deployment size Small (I have just enabled "Enable Generation of Support Data:"), Sensei version 0.6.1-release (installed from this version).

This is test infrastructure, so it doesn't have much traffic going through it.

Any ideas ?

Thanks

4
Development and Code Review / Re: Seemingly Simple Plugin
« on: February 28, 2018, 11:43:00 pm »
OK, just to keep people updated: I haven't progressed any further on this due to time constraints, primarily work related.

So, a not-so-simple question: what is the possibility of someone picking this up? One option would be to convert the static ping / traceroute pages into default "plugins"; I could then "learn" from that (please note I am not a developer in any shape or form) and move forward from there.

The other option is anyone willing to do this at a reasonable cost (be it directly or via a donation to the project).

I am thinking of something similar to the pfSense nmap plugin's options in the GUI, but it could be as simple as a DNS name or IP address to input initially.

I know MasterXBKC has attempted this, but has come across some blockers. I appreciate his efforts.

Apologies if this is not the way to go about this. If it is, can someone please direct me to where I should be looking (I did google "opnsense coders")?

Thanks


5
Development and Code Review / Re: Seemingly Simple Plugin
« on: February 06, 2018, 08:05:48 am »
Hi

In short, yes, for now, but there is a longer-term aim of getting something like OpenVAS into the system (note: I don't know how feasible that is).

But baby steps for now

Franco - I will reread that link

Thanks

6
Development and Code Review / Seemingly Simple Plugin
« on: February 05, 2018, 11:31:56 pm »
Hi

I am trying to create a simple plugin that takes a variable then outputs the output to the screen. I have tried bastardising the arp-scanner plugin but seem to have got stuck (I am not a programmer/developer by any means).

Essentially I would like something similar to the traceroute / ping options under Interfaces -> Diagnostics.

But I can't find those under the opnsense/plugins git. If you want to look at my initial very poor attempt you can find it here: https://github.com/rhysxevans/plugins/tree/master/security/nmap .

Any chance to get the code for the ping / traceroute "plugins"?

Once I have the initial command one working, I can potentially look at adding checkboxes etc. for the variables.

Basically, I need a port scanner and OS identifier (will look at extending this).

Any help is appreciated

Thanks





7
General Discussion / Feature Request: Route Based VPN
« on: December 31, 2017, 10:08:46 am »
Hi

Is there the possibility to support route-based VPNs? This is becoming more prevalent when connecting to specific cloud providers (i.e. Azure).

E.g. (I haven't verified any of the links as working implementations):
https://genneko.github.io/playing-with-bsd/networking/freebsd-vti-ipsec
https://wiki.strongswan.org/projects/strongswan/wiki/RouteBasedVPN
https://vincent.bernat.im/en/blog/2017-route-based-vpn

Thoughts ?

Thanks

8
17.1 Legacy Series / Re: Firehol Rules
« on: June 01, 2017, 05:35:14 pm »
Upped the value and the error has disappeared. Just need to see if there is any negative impact.

Thanks for your help

9
17.1 Legacy Series / Re: Can't ping firewall from LAN
« on: June 01, 2017, 09:34:54 am »
OK, no probs, it just looks like the traffic is being routed out the external interface. I had a similar issue when I restored a config; I think this was an issue with the remote ACLs not being in place (downloaded) straight after the restore. Unfortunately I can't remember exactly what I did to fix it now. I have flipped between OPNsense and pfSense at least 10 times this week testing things.

10
17.1 Legacy Series / Re: Can't ping firewall from LAN
« on: June 01, 2017, 09:02:12 am »
Hi

Isn't the default LAN IP 192.168.1.1? Not 192.168.10.1?

Thanks

11
17.1 Legacy Series / Firehol Rules
« on: June 01, 2017, 12:29:36 am »
Hi

I am trying to integrate the Firehol Level 1 lists into OPNsense at present. I am doing this via Firewall -> Aliases -> View -> URL Table (IPs) with the URL being https://raw.githubusercontent.com/firehol/blocklist-ipsets/master/firehol_level1.netset. On filter reload I am getting the following event logged:

1496267674.0472: There were error(s) loading the rules: /tmp/rules.debug:24: cannot define table firehol_level1: Cannot allocate memory - The line in question reads [24]: table  persist file "/var/db/aliastables/firehol_level1.txt"

I have googled and come across some pfSense issues with similar messages, particularly https://redmine.pfsense.org/issues/4876 (this may be of no relevance).

root@unfw01:~ # pfctl -f /tmp/rules.debug
/tmp/rules.debug:24: cannot define table firehol_level1: Cannot allocate memory
/tmp/rules.debug:26: cannot define table firehol_level2: Cannot allocate memory
/tmp/rules.debug:28: cannot define table firehol_level3: Cannot allocate memory
/tmp/rules.debug:30: cannot define table firehol_level4: Cannot allocate memory
pfctl: Syntax error in config file: pf rules not loaded

Hardware wise:
Intel Celeron 3215U @ 1.70GHz (2 cores), load at present 0.37, 0.34, 0.28
8GB RAM (16% in use)
41GB disk (4% used, UFS)

Any thoughts ? Anyone able to replicate ?

Any help appreciated

Thanks
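The `cannot define table ...: Cannot allocate memory` error in this post, and the fix reported in the follow-up (raising the value), come from pf's `table-entries` limit: every prefix in every table counts against one global budget, and when the whole ruleset would exceed it pfctl rejects the ruleset rather than loading a partial table. The following is an added example, not OPNsense code and not the alias fetch script, that sizes a URL-table alias before pf has to load it: parse the netset, collapse overlapping and adjacent prefixes (pf stores each prefix it is given, so a collapsed list costs fewer entries), and compare the total across all aliases with the limit. Assumptions: the sample netset is constructed in FireHOL's layout (`#` comments, one IP or CIDR per line), and the 200000 default is pf's own `table-entries` default; `pfctl -sm` shows the limit in force on the box, which is the value the follow-up post raised.

```python
"""Size URL-table aliases against pf's table-entries limit before loading them.

Added example, not OPNsense code. pf keeps one entry per prefix across all
tables and refuses the whole ruleset ("cannot define table ...: Cannot
allocate memory") once the total exceeds the table-entries limit, so count the
cost of a netset before adding it as an alias.
"""
import ipaddress

# Constructed excerpt in FireHOL's netset layout ('#' comments, one IP or CIDR per line)
NETSET = """\
#
# constructed excerpt, not the real firehol_level1.netset
#
10.0.0.0/8
10.1.0.0/16          # already covered by 10.0.0.0/8
192.0.2.1
192.0.2.0/24         # covers the host above
198.51.100.0/25
198.51.100.128/25    # merges with the previous /25 into a /24
2001:db8::/32
"""

# pf's default table-entries limit (assumption: check `pfctl -sm` on the box)
PF_TABLE_ENTRIES_DEFAULT = 200000


def load_netset(text: str) -> list:
    """Parse a netset into ip_network objects, ignoring comments and blank lines."""
    nets = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            # strict=False accepts host bits set in a CIDR, as list feeds sometimes ship
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def collapse(nets: list) -> list:
    """Merge overlapping and adjacent prefixes per address family.

    pf stores every prefix it is given, so feeding it the collapsed set costs
    fewer table entries for exactly the same address coverage.
    """
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def table_entries(nets: list) -> int:
    """Entries this alias will consume in pf after collapsing."""
    return len(collapse(nets))


def fits_in_limit(aliases: dict, limit: int = PF_TABLE_ENTRIES_DEFAULT) -> tuple:
    """Total entries across all aliases versus the limit. Returns (total, ok)."""
    total = sum(table_entries(nets) for nets in aliases.values())
    return total, total <= limit


if __name__ == "__main__":
    nets = load_netset(NETSET)
    print(f"{len(nets)} lines -> {table_entries(nets)} table entries after collapsing")
    for n in collapse(nets):
        print("  ", n)
    total, ok = fits_in_limit({"firehol_level1": nets})
    print(f"total {total}, within limit: {ok}")
```

When several lists are loaded together (level1 through level4 in the post), it is the sum that matters, so run `fits_in_limit` over all of them at once; if it fails, either raise the limit, as the follow-up post did, or drop the lists whose collapsed prefixes are already contained in another.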

12
17.1 Legacy Series / Re: Malware Patrol Lists
« on: May 31, 2017, 11:31:30 pm »
Hi

Thanks for the tip, I have set them up, but it does pose the question of how best to use floating rules. Need to figure that one out with multiple WANs and LANs.

Thanks

13
17.1 Legacy Series / Re: Malware Patrol Lists
« on: May 31, 2017, 01:00:27 am »
Hi

So I have found another list (different provider) that doesn't have a "header" to the file. That seems to be working fine.

I have also found /usr/local/opnsense/scripts/proxy/fetchACLs.py - is this the correct file to be looking at?

Traditionally from bash (previous solutions) I would just do something like "sed '/^#/ d'" to filter those lines out.

Any help is appreciated

14
17.1 Legacy Series / Malware Patrol Lists
« on: May 25, 2017, 10:59:21 pm »
Hi

Firstly thanks for the project.

I am trying to use the Malware Patrol lists in the "Remote ACLs" section of the Web Proxy service, in particular I am looking at their Ransomware Block lists (I would like their Malicious URL feeds at some point). The issue is I am unable to get the lists into Squid. I think it has to do with the "header" on their files; is there a way to update the "download" script to cater for this? (I don't know where to find the script, so I may be able to tinker if I know where it is. But I am no programmer etc.)

Files look along the lines of:

This one is from a SquidGuard-formatted list
===
#
#        Malware Patrol - Block List - https://www.malwarepatrol.net
#
#   Please do not update this list more often then every day.
#
#   Copyright (c)  2014 - Andre Correa - Malware Patrol - Malware Block List
#   This information is provided as-is and under the Terms and Conditions
#   available in the following address:
#
#   https://www.malwarepatrol.net/terms.shtml
#
#   Using this information indicates your agreement to be bound by these
#   terms. If you do not accept them, please delete this file immediately.
#
#   You can report false positives or broken rules/signatures to:
#   fp (a t) malwarepatrol.net
#
#   Cdmk5j392k2mcldleoqi44m3k1928rma
#

aakwbrbjtqja.co.uk/
aalgiftswdyhvj.net/
aanrhfftgveq.ru/
aasyjiubathqd.info/
...
...
...
yxxebtrcenbm.info/
yynleigitdls.biz/
====

This is from a Squid-formatted list
====
#
#        Malware Patrol - Block List - https://www.malwarepatrol.net
#   List for Squid
#   Generated at: 20170525195759 UTC
#
#   Please do not update this list more often than every hour.
#
#   Copyright (c)  2017 - Andre Correa - Malware Patrol - Malware Block List
#   This information is provided as-is and under the Terms and Conditions
#   available in the following address:
#
#   https://www.malwarepatrol.net/terms.shtml
#
#   Using this information indicates your agreement to be bound by these
#   terms. If you do not accept them, please delete this file immediately.
#
#   You can report false positives or broken rules/signatures to:
#   fp (a t) malwarepatrol.net
#
#   Kn2su6fOsZ5fnhesG2hPPMDDDX3LYM3y
#


^http\:\/\/(.+@)?(.+.)?018fe96b-a-62cb3a1a-s-sites\.googlegroups\.com
^http\:\/\/(.+@)?(.+.)?01iki0sx\.15311223344\.com
^http\:\/\/(.+@)?(.+.)?02307\.net
...
...
^http\:\/\/(.+@)?(.+.)?zzzwcbpvsn\.centade\.com
====

I have had a look at the resultant files that get created and essentially (I don't have a copy to hand) it doesn't get past the "header".

EDIT
====
Resultant File Example Below
====
root@unfw01:/usr/local/etc/squid/acl # cat squidguard
.#
.#      terms. if you do not accept them, please delete this file immediately.
.#      please do not update this list more often than every hour.
.#      available in the following address:
.#      using this information indicates your agreement to be bound by these
.#      generated at: 20170525175853 utc
.#      copyright (c)  2017 - andre correa - malware patrol - malware block list
.#      fp (a t) malwarepatrol.net
.#      this information is provided as-is and under the terms and conditions
.#      list for squidguard - urls
.#      kn2su6fosz5fnhesg2hppmdddx3lym3y
root@unfw01:/usr/local/etc/squid/acl #
====

Malware Patrol provide a working example at the following location: http://www.malware.com.br/MalwarePatrolDownload.sh

Any help/advice is appreciated

Thanks
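The resultant file in this post shows what goes wrong when a list importer treats every line as a hostname: each licence line of the header comes back lowercased and prefixed with a dot, so the ACL ends up full of entries like `.#      list for squidguard - urls` and no real domains. The `sed '/^#/ d'` approach from the follow-up post handles the comment lines, but it is worth having a second layer too, so that anything which is not a hostname, URL or regex is rejected instead of becoming an ACL line. Below is an added example that is not OPNsense's fetchACLs.py and not a patch to it: a sanitiser that drops comment and blank lines, then classifies each remaining entry as a Squid `dstdomain`, a URL with a path, or a regex. The feed excerpts are constructed from the two formats quoted in this post (with one URL-with-path entry and one junk line added to exercise the validation), and the hostname pattern and the use of Python's `re` as a syntax check for Squid's POSIX ERE are assumptions, labelled in the code.

```python
"""Sanitise a downloaded block list before it is handed to Squid.

Added example, not OPNsense's fetchACLs.py and not a patch to it. Two layers:
drop '#' header and blank lines, then validate every remaining entry so that
nothing which is not a hostname, URL or regex can become an ACL line.
"""
import re

# Constructed excerpts of the two feed formats quoted in the post
SQUIDGUARD_FEED = [
    "#",
    "#        Malware Patrol - Block List - https://www.malwarepatrol.net",
    "#   Please do not update this list more often then every day.",
    "#   Cdmk5j392k2mcldleoqi44m3k1928rma",
    "",
    "aakwbrbjtqja.co.uk/",
    "aalgiftswdyhvj.net/",
    "AAnrhfftgveq.ru/evil/path.exe",   # constructed: a URL entry with a path
    "not a domain at all",             # constructed: junk that must be rejected
]

SQUID_FEED = [
    "#   List for Squid",
    "#   Generated at: 20170525195759 UTC",
    "",
    r"^http\:\/\/(.+@)?(.+.)?02307\.net",
    r"^http\:\/\/(.+@)?(.+.)?zzzwcbpvsn\.centade\.com",
]

# Assumed hostname shape: dot-separated labels of letters, digits and hyphens
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$")


def strip_comments(lines):
    """Yield content lines only; '#' headers and blank lines never reach the ACL."""
    for raw in lines:
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line


def classify(entry: str):
    """Map one feed entry to a Squid ACL type.

    Returns (kind, value) with kind in dstdomain / url / regex / reject.
    """
    if entry.startswith("^"):
        # Squid uses POSIX ERE; compiling with Python's re is only a syntax sanity check
        try:
            re.compile(entry)
            return "regex", entry
        except re.error:
            return "reject", entry
    host, _, path = entry.partition("/")
    host = host.lower().rstrip(".")
    if not HOSTNAME_RE.match(host):
        return "reject", entry          # header text, junk, anything not a hostname
    if path:
        return "url", f"{host}/{path}"
    return "dstdomain", "." + host      # leading dot: match the host and its subdomains


def build_acl(lines):
    """Return the sanitised entries grouped by ACL type."""
    groups = {"dstdomain": [], "url": [], "regex": [], "reject": []}
    for entry in strip_comments(lines):
        kind, value = classify(entry)
        groups[kind].append(value)
    return groups


if __name__ == "__main__":
    for name, feed in (("squidguard", SQUIDGUARD_FEED), ("squid", SQUID_FEED)):
        acl = build_acl(feed)
        print(name, {k: len(v) for k, v in acl.items()})
        for bad in acl["reject"]:
            print("  rejected:", bad)
```

The `reject` bucket is the part worth logging on a real box: a feed whose header format changes, or a provider that starts shipping a different entry style, shows up there as a spike rather than silently producing an empty or garbage ACL.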

OPNsense is an OSS project © Deciso B.V. 2015 - 2023 All rights reserved