Blacklist Filter update script

chippers · Mon Jan 30, 2017 10:20 pm

Yes, I have that but doesnt seem to work

i'll try to troubleshoot, thanks

/system scheduler
add interval=1d name=updateBlacklist on-event="/system script run updateBlacklist" policy=read,write,test start-time=startup
add interval=1d name=UpdateBlackList on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=05:00:00

msatter · Mon Jan 30, 2017 11:03 pm

This works and you have to be patient because the script waits for 3+30 seconds giving the interfaces time to start completely because you need access to the internet.

add name="Startup updateBlacklist" on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test start-time=startup

chippers · Tue Jan 31, 2017 2:30 pm

ok, turns out I wasnt being impatient

I copied the schedules from the start of this thread and there are a couple of issues.
1. The schedule names are the same and this causes the import of the second schedule to fail, solution is to rename the second schedule
2. The run command differed in both schedules (run updateBlacklist) VS (run blacklistUpdate)

Here is what I ended up with and works as expected. List reloads about 30 seconds after reboot.

/system scheduler
add interval=1d name=UpdateBlackListDaily on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=05:00:00
add name=UpdateBlackListOnReboot on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup

Adding these simple rules as mentioned elsewhere in this thread and the IP list is working great!

/ip firewall raw
add action=drop chain=prerouting comment=\
    "Drop connections from Blacklisted addresses" src-address-list=\
    dynamicBlacklist
add action=drop chain=prerouting comment=\
    "Drop connections to Blacklisted addresses" dst-address-list=\
    dynamicBlacklist

Thanks for a great contribution...

msatter · Tue Jan 31, 2017 3:44 pm

2. The run command differed in both schedules (run updateBlacklist) VS (run blacklistUpdate)

Here is what I ended up with and works as expected. List reloads about 30 seconds after reboot.
Code: Select all
/system scheduler
add interval=1d name=UpdateBlackListDaily on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=05:00:00
add name=UpdateBlackListOnReboot on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup

Are you sure because I see twice the same script run command.

I will check if the script can't be started in sequence. I remember that this was not a problem but you never know.

Update: I have now checked it and the list was updated automatically this afternoon. I have different names for the script and I think you also wanted you communicatited.

It works really great now and maybe a default "startup" can be added to the installation script.

I have good results and in the log I see hits on the blacklist every day.

mhyll · Wed Feb 01, 2017 4:09 pm

If you want, you can use my blacklists. Blacklists updated every hour.

TOR Exit Nodes
OpenBL
SpamHaus DROP list
DShield
malc0de

RSC will create address-list named "Blacklist", IP's will be commented. Duplicate IP's will be skipped, if exists.

And of course, don't forget to schedule it and make corresponding filter rules.

Script:

# Script will now download IP blacklists
/tool fetch url="http://www.securelan.eu/mikrotik/torexitnodes.rsc" mode=http;
:log info "Downloaded torexitnodes.rsc from SecureLAN.eu";
/tool fetch url="http://www.securelan.eu/mikrotik/openbl.rsc" mode=http;
:log info "Downloaded openbl.rsc from SecureLAN.eu";
/tool fetch url="http://www.securelan.eu/mikrotik/spamhaus.rsc" mode=http;
:log info "Downloaded spamhaus.rsc from SecureLAN.eu";
/tool fetch url="http://www.securelan.eu/mikrotik/dshield.rsc" mode=http;
:log info "Downloaded dshield.rsc from SecureLAN.eu";
/tool fetch url="http://www.securelan.eu/mikrotik/malc0de.rsc" mode=http;
:log info "Downloaded malc0de.rsc from SecureLAN.eu";
# Script will now replace old blacklists with the new ones
/ip firewall address-list remove [find where comment="TorExitNodes"]
/import file-name=torexitnodes.rsc;
:log info "TorExitNodes records updated successfully.";
/ip firewall address-list remove [find where comment="DShield"]
/import file-name=dshield.rsc;
:log info "DShield records updated successfully.";
/ip firewall address-list remove [find where comment="SpamHaus"]
/import file-name=spamhaus.rsc;
:log info "SpamHaus records updated successfully.";
/ip firewall address-list remove [find where comment="OpenBL"]
/import file-name=openbl.rsc;
:log info "OpenBL records updated successfully.";
/ip firewall address-list remove [find where comment="malc0de"]
/import file-name=malc0de.rsc;
:log info "Malc0de records updated successfully.";
:log info "All blacklist records were updated successfully.";

mhyll · Wed Feb 01, 2017 10:03 pm

I've gone ahead and started publishing my dynamic filter list for RouterOS 6.x. My server generates the list each night after collecting data on all known botnets, C&C server, and spammers. Currently the list runs about 3k entries, so it may not work well on low end routers. Here is the script to update the list, as well as my personal firewall rules. As always, adjust them to fit your needs.

Does your list contain also TOR network exit nodes? If not, you can probably add it.

IntrusDave · Wed Feb 01, 2017 10:22 pm

No it doesn't. That is not something that I am interested in blocking. I am a big privacy advocate and I don't want to take away that option

mhyll · Wed Feb 01, 2017 10:31 pm

Yeah, but privacy is not always secure.... in Tor there is lot of ransomware servers hidden. No connection to TOR, no encrypted disk.

IntrusDave · Thu Feb 02, 2017 12:36 am

If a user is using TOR, then they are on their own for security. At this time I have no interest in blocking TOR.

mhyll · Thu Feb 02, 2017 12:59 am

yeah...that's true...but..

for me, in enterprise environment, tor should not be allowed.

IntrusDave · Thu Feb 02, 2017 1:05 am

Then you should filter it. However, nearly impossible to track the ever changing exit nodes, and impossible to detect.

mhyll · Thu Feb 02, 2017 1:07 am

That's why I am generating TOR exit nodes list every hour.

Check my post earlier.

Could you compare my lists with yours? Probably there's something to make better...on both.

IntrusDave · Mon Feb 06, 2017 8:21 pm

Sorry, not going to block TOR nodes. I am an active donor to the TOR project. It would be hypocritical of me to block it. But thank you for the input.

IntrusDave · Sat Feb 11, 2017 12:08 am

I wanted to give a status update on my blacklist.

As of this morning, the Blacklist has 3,500 routers downloading the list everyday. They are pulling 1.7GB of data every 24 hours. Just about 52GB per month. I have moved the handling of the blacklist to a dedicated server. I currently use 4 high-profile blacklist services, in addition to the 215 honeypots that I collect data from all over the USA.

I have watching the FCC rulings very closely, and I will not hesitate to move the servers outside of the USA if I feel the list is at risk. I am currently looking into ways of having RouterOS check a SHA256sum to verify the validity of the list.

Again, this list was started for my own use on the MikroTik routers that I manage. I do not charge for this list, and I have never asked for donations. That said, I have always been open to suggestions to make it better, but please remember that my primary concern is the safety of the medical groups and hospitals that I manage.

msatter · Sat Feb 11, 2017 3:37 pm

I have an idea how to bring back the traffic generated by the Blacklist.

When I lookup sites I get sometimes a list of IP addresses back:

Name: microsoft.com
Addresses: 23.100.122.175
23.96.52.53
191.239.213.197
104.40.211.35
104.43.195.251

So if you can convert the list and put it in a DNS, then one record/domain name will supply all IP addresses in one go.

You could to make weekday's list like monday.blacklist.xxx / tuesday.blacklist.xxx....sunday.blacklist.xxx
Give the DNS-record a lifetime of 24+1 hour and remove the that day when it is the next day is generated and is uploaded. In this way the your are sure that the cache DNS servers up the stream are cleaned to read in that weekday.blacklist.xxx when there is an request for it in the Internet.

When a weekday*7.backlist.xxx is in the cache of the DNS in the Mikrotik, you only need one line in the address list to be able to filter. I think that a script is useful to make a hard delete of the outdated weekday to make room for the new weekday list.

The DNS of the provider/supplier which the Mikrotik owner is using is handling the traffic now. You have each day a one time upload and the the DNS structure is distributing your list for you. Delays are common and because the used weekday was not present for the last 5 days so there should be direct request to the DNS.

This way of working I already use myself and I put the extra IP addresses in the host file on the machine where my DMSmasq is running. DNSmasq reads the host file and returns the list of IP addresses when the domainname is requested. In doing so I have only need one line to be able to filter more addresses in one go.

I don't know if this is possible or even legal to use the DNS in that way.....

updated: 12 February 2017

IntrusDave · Mon Mar 06, 2017 6:16 pm

Just hit 4000 active routers using the BlackList.
Notable users are T-Mobile, using it on there Fixed LTE deployments. And even more so, several US Government sites have begun pulling the list.

msatter · Tue Mar 07, 2017 12:45 pm

Just hit 4000 active routers using the BlackList.
Notable users are T-Mobile, using it on there Fixed LTE deployments. And even more so, several US Government sites have begun pulling the list.

Good to see the grow from 2700 to 4000 clients in the last seven months.
I made a suggestion to use DNS to distribute the list and now I read again the start page of this posting and BGP also seems a solution.
The blacklist get many hits on my connection and I am pleased that those connections tries are terminated!

IntrusDave · Tue Mar 07, 2017 6:45 pm

DNS and BGP both complicate things dramatically. The current distribution method is very simple, stable and requires very little to setup.

majestic · Tue Mar 07, 2017 8:47 pm

I have an idea how to bring back the traffic generated by the Blacklist.

When I lookup sites I get sometimes a list of IP addresses back:

Name: microsoft.com
Addresses: 23.100.122.175
23.96.52.53
191.239.213.197
104.40.211.35
104.43.195.251
So if you can convert the list and put it in a DNS, then one record/domain name will supply all IP addresses in one go.

You could to make weekday's list like monday.blacklist.xxx / tuesday.blacklist.xxx....sunday.blacklist.xxx
Give the DNS-record a lifetime of 24+1 hour and remove the that day when it is the next day is generated and is uploaded. In this way the your are sure that the cache DNS servers up the stream are cleaned to read in that weekday.blacklist.xxx when there is an request for it in the Internet.

When a weekday*7.backlist.xxx is in the cache of the DNS in the Mikrotik, you only need one line in the address list to be able to filter. I think that a script is useful to make a hard delete of the outdated weekday to make room for the new weekday list.

The DNS of the provider/supplier which the Mikrotik owner is using is handling the traffic now. You have each day a one time upload and the the DNS structure is distributing your list for you. Delays are common and because the used weekday was not present for the last 5 days so there should be direct request to the DNS.

This way of working I already use myself and I put the extra IP addresses in the host file on the machine where my DMSmasq is running. DNSmasq reads the host file and returns the list of IP addresses when the domainname is requested. In doing so I have only need one line to be able to filter more addresses in one go.

I don't know if this is possible or even legal to use the DNS in that way.....

updated: 12 February 2017

If you insist in doing it via DNS then look into rbldnsd which is designed for exactly this purpose. You can feed it a list of IP's/hostnames and it can respond with whatever you want. RBL's used for mail etc commonly uses this method for their black/white or rep lists.

You can do more then just this, for example this guy here http://countries.nerd.dk/more.html uses it to make a countries lookup via dns which can then be used for things like mail/web etc black/white lists etc.

Anyway, personally, the way the list is right now is best as it can easily be adapted to whatever method/way you like.

Just my two cents.

msatter · Wed Mar 08, 2017 1:47 am

Using RBL's crossed my mind but then the amount of traffiic would be the same like it is with BGP.

When using DNS you will also have some traffic but the main part is distributed by external DNS severs as I see it.

majestic · Wed Mar 08, 2017 1:54 am

Using RBL's crossed my mind but then the amount of traffiic would be the same like it is with BGP.

When using DNS you will also have some traffic but the main part is distributed by external DNS severs as I see it.

Distributed & cached which the cache will lower the amount of traffic needed.

However whether DNS is less then BGP traffic wise taking into effect of caching etc, i'm not sure. I think if there was enough devices pulling the data, BGP probably total up to more but thats an educated guess more then fact.

Deantwo · Thu Mar 09, 2017 2:35 pm

Looks like a very interesting system you got here.
I know it has been running fine for soon 2 years I guess, but I do have a few small suggestions for your update script.

You should escape the "?" in the URL ("\?")
Add brackets around the script ("{ }")
Add a ":put" with the script version for debugging (":put "Script version: $scriptVer"")

These changes would make you able to run the script in the terminal. Or did you intentionally write it so that it didn't work in the terminal?
Example:

# Import Intrus Managed Filter Lists
# (C)2016 David Joyce, Intrus Technologies
{
    :log warning "Blacklist download will start in 30 seconds..."
    :delay 30
    
    :local model    [/system resource get board-name]
    :local version   [/system resource get version]
    :local memory   [/system resource get total-memory]
    :local uname   [/system identity get name]
    :local scriptVer   "2016.7.4a (Deantwo)"
    :put "Script version: $scriptVer"
    
    :log warning "Downloading current Blacklist for this model"
    /tool fetch mode=https dst-path="/dynamic.rsc" \
       url="https://mikrotikfilters.com/download.php\?get=dynamic&model=$model&version=$version&memory=$memory&id=$uname&ver=$scriptVer"
    
    :log warning "Disabling info logging..."
    /system logging disable 0
    
    :log warning "Removing expiring address-list entries..."
    /ip firewall address-list remove [find list="dynamicBlacklist"]
    
    :log warning "Importing current Blacklist..."
    /import file-name=/dynamic.rsc
    
    :log warning "Removing temp file..."
    /file remove dynamic.rsc
    
    :log warning "Blacklist Update Complete."
    /system logging enable 0
}

When testing it I also found that the address-list entry timeout don't quite match up with what you say in the opening post.
It states that the address-list entries are dynamic with a 48 hour timeout, but the file I am getting shows them having a 24 hour timeout. Shouldn't this at least be 25 hours to patch the possible hole between updates, or be changed back to 48 hours?

By the way, what is the reason for wanting the router's identity? Wouldn't it be more reliable to just use the serial number?
Your script doesn't require the identity to be sent, right? I can omit it?

msatter · Thu Mar 09, 2017 3:36 pm

When testing it I also found that the address-list entry timeout don't quite match up with what you say in the opening post.
It states that the address-list entries are dynamic with a 48 hour timeout, but the file I am getting shows them having a 24 hour timeout. Shouldn't this at least be 25 hours to patch the possible hole between updates, or be changed back to 48 hours?

Quotes from IntrusDave

My server collects the banned IP's 24/7 and publish the list at 3am PST.

That means that the ip/ subnet is or has been serving malware for at least 12 hours. The list is automated and will remove the address once it has been clean for 24 hours.
I will not manually remove addresses.

Deantwo · Thu Mar 09, 2017 4:33 pm

When testing it I also found that the address-list entry timeout don't quite match up with what you say in the opening post.
It states that the address-list entries are dynamic with a 48 hour timeout, but the file I am getting shows them having a 24 hour timeout. Shouldn't this at least be 25 hours to patch the possible hole between updates, or be changed back to 48 hours?
Quotes from IntrusDave
My server collects the banned IP's 24/7 and publish the list at 3am PST.

That means that the ip/ subnet is or has been serving malware for at least 12 hours. The list is automated and will remove the address once it has been clean for 24 hours.
I will not manually remove addresses.

Doesn't explain why the timeout of the dynamic address-list entries is only 24 hours when it is stated in the opening post that the timeout is 48 hours.
From the opening post:

The address-list entries are now Dynamic with a 48 hour timeout. This will cut the number of writes to NAND down dramatically.

If nothing else the opening post just needs to be updated.

There is a small chance that the dynamic address-list manages to timeout before the new dynamic address-list is downloaded and applied. This could leave the system vulnerable for at least a couple of seconds each day when the update script is running. It could easily be fixed by extending the timeout by an hour or less. But maybe I am just overreacting at that.

IntrusDave · Thu Mar 09, 2017 4:34 pm

At one point the list was updated every 48 hours, but as malware has spread faster and responses are faster, the list now expires after 24 hours. Maybe upping that to 26 hours will help some. My routers update themselves every 23 hours. The script does run from the terminal as a whole...

/system script run UpdateBlacklist

It's not meant to be run line by line.
I use the identity to group the routers for stats and troubleshooting. Example; all of my routers ID's start with "Intrus :: " this allows me to sort them and quickly track down problems. While it's not currently required, it really is the only method that I have to keep track of how many routers are active daily. I do not use the serial number because I feel that is too invasive to request. I can not go by IP, because many are behind the same proxies. I could use the WAN MAC address, but I was betting that some would object to that too.

Deantwo · Thu Mar 09, 2017 4:45 pm

I use the identity to group the routers for stats and troubleshooting. Example; all of my routers ID's start with "Intrus :: " this allows me to sort them and quickly track down problems. While it's not currently required, it really is the only method that I have to keep track of how many routers are active daily. I do not use the serial number because I feel that is too invasive to request. I can not go by IP, because many are behind the same proxies. I could use the WAN MAC address, but I was betting that some would object to that too.

I was mostly asking because we have customer numbers and names as router identity, so I may be forced to not send you those if we start using your service.

On another note. The second scheduler in the opening post, isn't it meant to be on startup?
I use my startup scheduler scripts like this:

/system scheduler
add name="MyScheduler1" \
    start-time=startup \
    policy=read,write,test \
    on-event=":delay 120\r\
    \n/system script run \"MyScript1\""

Don't know if "start-date=jan/01/1970 start-time=00:00:0 interval=00:00:00" translate to "start-time=startup" somehow.

IntrusDave · Thu Mar 09, 2017 4:56 pm

Updated the first post and the timeout to 25 hours.

The identity is never seen by anyone but me. I do have DOD clearance, so nothing to worry about.. Well, I guess that doesn't mean much now days. You are welcome to set a static name for each router in the script. The database is stored on a separate server, with no direct internet connection. As for the schedule, you will have to play with it. It was originally setup back when the routers didn't store the date and time over a reboot, so on first boot the date and time was "1970-01-01 00:00:00". RouterOS seems to have some issues with startup scripts, and I haven't had time to work out what needs to be changed.

Deantwo · Thu Mar 09, 2017 5:13 pm

As for the schedule, you will have to play with it. It was originally setup back when the routers didn't store the date and time over a reboot, so on first boot the date and time was "1970-01-01 00:00:00". RouterOS seems to have some issues with startup scripts, and I haven't had time to work out what needs to be changed.

Not 100% sure rather or not to add the "start-date=jan/01/1970" to the scheduler, since I haven't messed with them for a while. But the scheduler I posted does work, and I use a two minute delay before calling my scripts because I need to be sure that VPN tunnels are up.

cashwu · Thu Mar 09, 2017 7:47 pm

RouterOS seems to have some issues with startup scripts, and I haven't had time to work out what needs to be changed.

Problem why scheduler cannot execute script is because script as more permissions than scheduler.

IntrusDave · Thu Mar 09, 2017 7:53 pm

The startup is not a permissions issue. It has to do with the interval. When the interval is 24 hours, the first run doesn't occur until 24 hours after the boot.

Deantwo · Tue Mar 14, 2017 10:14 am

And, if you are interested, here are my filter rules:
Code: Select all
/ip firewall address-list
add address=172.16.0.0/16 list=PrivateIPs
add address=10.0.0.0/8 list=PrivateIPs
add address=192.168.0.0/16 list=PrivateIPs

Found a little error in your provided example firewall.

Incorrect netmask for the 172 private range, it should be /12.
Like this:

/ip firewall address-list
add address=10.0.0.0/8 list=PrivateIPs
add address=172.16.0.0/12 list=PrivateIPs
add address=192.168.0.0/16 list=PrivateIPs

See: https://en.wikipedia.org/wiki/Private_network

IntrusDave · Wed Mar 15, 2017 9:34 pm

You are correct. I will fix this.

Deantwo · Tue Mar 21, 2017 9:44 am

Something seems to have gone wrong.
I am receiving incomplete "dynamic.rsc" files, ending in the middle of an address-list entry add command.

Example:

# Generated on Mon Mar 20 04:00:54 PDT 2017 by Intrus Technologies
/ip firewall address-list

add list=dynamicBlacklist address=1.10.16.0/20 timeout="1d 01:00:00" comment=Blacklisted
# Omited 5226 lines.
add list=dynamicBlacklist address=42.62.51.27 timeout="1d 01:00:00" comment=Blacklisted
add list=dynamicBlacklist address=42.83.80.0/22 timeout="1d 01

Log shows that it is not always the same places that these files fail, for example:

mar/21 05:21:57 script,error script error: failure: already have such entry
mar/20 05:21:44 script,error script error: expected end of command (line 5586 column 70)
mar/19 05:21:56 script,error script error: expected end of command (line 5770 column 27)
mar/17 05:22:08 script,error script error: value of address expects range of ip addresses
mar/16 05:22:09 script,error script error: invalid time value for argument timeout

There is however a patten to how they fail.
For example the "already have such entry" error seems to be because it has created a non-dynamic address-list entry with the address 0.0.0.0 on the list "dynamicBlacklis", but the error indicate that it has done it more than once the exact same way.

My guess is that you are assuming the length of each line? But the length of the lines has changed. Maybe because it was changed from "timeout=1d" to "timeout="1d 01:00:00"" on each line, adding a total of 11 characters per line.

If you need to make the lines shorter, you could remove the comment, since it is kind of redundenet when you have the list name. Don't know if anyone rely on the comment though.

An annoying consequence of all this is that, if the import fails, info logging is never re-enabled.
/system logging enable 0

IntrusDave · Tue Mar 21, 2017 4:57 pm

You issue is that the router simply didn't complete the download. Today's download is 603k. If it's getting out off, you may want to see if your ISP is trying to proxy ssl connections.

sri2007 · Tue Mar 21, 2017 7:32 pm

Hi! I'm trying to put this rules in a CCR1072, this router has direct connection to the internet without any restriction, but when i tried to fetch the first file got this message:

/tool fetch url="https://mikrotikfilters.com/updateBlacklist.rsc" mode=https
status: failed

failure: connection timeout

It seems to be connecting, but before a few minutes it stops everything, i tried to dowload this file via browser and it works, but when i run the script in the CCR1072 i got the same error. Do you have any suggestion to fix this issue?

IntrusDave · Wed Mar 22, 2017 6:44 am

Unfortunately, I don't know how to help you with this. I don't see any errors in my server logs. I can only assume that you are getting ssl errors. You should be able to manually install the scripts from the first post.

Deantwo · Wed Mar 22, 2017 10:46 am

You issue is that the router simply didn't complete the download. Today's download is 603k. If it's getting out off, you may want to see if your ISP is trying to proxy ssl connections.

Ok yeah, maybe I was a little hasty to my conclusion.
I am able to download the file just fine from the company network, but this one customer router seems to have the issue.

[deantwo@router] > /tool fetch mode=https dst-path="/dynamic.rsc" url="https://mikrotikfilters.com/download.php\?get=dynamic&model=RB493&version=6.35 (stable)&memory=67108864&id=A-----:############&ver=2016.7.4a (Deantwo)"
      status: finished
  downloaded: 496KiB
       total: 603KiB
    duration: 3s

[deantwo@router] > /tool fetch mode=https dst-path="/dynamic.rsc" url="https://mikrotikfilters.com/download.php\?get=dynamic&model=RB493&version=6.35 (stable)&memory=67108864&id=A-----:############&ver=2016.7.4a (Deantwo)"
      status: finished
  downloaded: 336KiB
       total: 603KiB
    duration: 2s

[deantwo@router] > /tool fetch mode=https dst-path="/dynamic.rsc" url="https://mikrotikfilters.com/download.php\?get=dynamic&model=RB493&version=6.35 (stable)&memory=67108864&id=A-----:############&ver=2016.7.4a (Deantwo)"
      status: finished
  downloaded: 510KiB
       total: 603KiB
    duration: 2s

[deantwo@router] > /tool fetch mode=https dst-path="/dynamic.rsc" url="https://mikrotikfilters.com/download.php\?get=dynamic&model=RB493&version=6.35 (stable)&memory=67108864&id=A-----:############&ver=2016.7.4a (Deantwo)"
      status: finished
  downloaded: 460KiB
       total: 603KiB
    duration: 3s

Looks like it isn't downloading the full file, and MikroTik does nothing to check this it seems.

IntrusDave · Wed Mar 22, 2017 3:26 pm

I don't even know where to start with that. Maybe MTU? running pppoe? ssl proxy? wrong MTU? anything different about this router over others?

blackzero · Thu Mar 23, 2017 11:46 am

Your two schedulers don't seem to work as the name for either is conflicting each others. Renaming it will work. Maybe you need to mention this in your first post.

Thanks for the good work.

IntrusDave · Fri Mar 24, 2017 2:20 am

Schedules are allowed to have the same name.

--

The server side was updated today. I was forced to make the server require the identity. The public IP and Identity are used for accounting so I can track the bandwidth and number of requires. I understand that some will object to this, and I will provide a full refund to those. (ha ha..)

The list hit 4500 active users this afternoon.

Anyone have thoughts on using the WAN MAC address instead of the identity?

msatter · Fri Mar 24, 2017 10:29 am

Indeed the identity name is very common and besides the MAC also the ID in the VPN nanme in the quickset screen which is quite unique.

f7c4250638xxxxxx.sn.mynetname.net which contains the serial of the box reversed.

IntrusDave · Thu Mar 30, 2017 8:50 pm

Some interesting stats...

+-----+--------------------+
| QTY | model              |
+-----+--------------------+
| 721 | RB951G-2HnD        |
| 548 | RB2011UiAS-2HnD    |
| 374 | RB2011UiAS         |
| 309 | hAP+ac             |
| 298 | RB951Ui-2HnD       |
| 182 | RB751G-2HnD        |
| 178 | CCR1016-12G        |
| 174 | SXT+Lite5          |
| 166 | CCR1009-8G-1S-1S+  |
| 159 | RB3011UiAS         |
| 148 | hAP+lite           |
| 114 | RB850Gx2           |
| 112 | RB450G             |
| 102 | RB750GL            |
|  94 | RB750              |
|  82 | hEX                |
|  81 | CCR1036-12G-4S     |
|  78 | RB1100AHx2         |
|  68 | hAP+ac+lite        |
|  65 | RB2011UAS          |
|  64 | SXT+LTE            |
|  54 | CRS109-8G-1S-2HnD  |
|  53 | CHR                |
|  52 | x86                |
|  47 | RB493G             |
|  45 | hEX+lite           |
|  40 | mAP                |
|  40 | hAP                |
|  30 | CCR1009-8G-1S      |
|  30 | RB912UAG-2HPnD     |
|  28 | RB912UAG-5HPnD     |
|  25 | RB+Groove+5Hn      |
|  22 | mAP+lite           |
|  21 | CCR1036-8G-2S+     |
|  20 | CRS125-24G-1S      |
|  18 | RB2011UAS-2HnD     |
|  17 | RB751U-2HnD        |
|  16 | RB2011L            |
|  15 | RB2011iL           |
|  12 | RB750UP            |
|   8 | CCR1016-12S-1S+    |
|   6 | RB1100             |
|   6 | RB1200             |
|   6 | RB951-2n           |
|   5 | CRS125-24G-1S-2HnD |
|   4 | RB1100AH           |
|   4 | RB750G             |
|   4 | RB2011iLS          |
|   4 | RB433              |
|   2 | OmniTIK+5+ac       |
|   2 | CRS226-24G-2S+     |
|   2 | RB1100Hx2          |
|   2 | hEX+PoE            |
|   2 | hEX+PoE+lite       |
|   2 | %24model           |
|   2 | CCR1009-7G-1C      |
|   2 | CCR1009-7G-1C-1S+  |
|   2 | RB2011LS           |
|   1 | RB+SXT+5HnD        |
|   1 | RB433AH            |
|   1 | RB800              |
|   1 | GrooveA+52         |
|   1 | CCR1072-1G-8S+     |
|   1 | PowerBOX           |
|   1 | RB750r2            |
|   1 | SXT+Lite5+ac       |
|   1 | RB333              |
|   1 | 911+Lite5+dual     |
|   1 | RB1100AH2X         |
|   1 | RB1000             |
|   1 | RB911G-5HPnD       |
|   1 | RB+OmniTIK+U-5HnD  |
|   1 | RB493              |
|   1 | RB450              |
|   1 | BaseBox+5          |
|   1 | wAP+ac             |
|   1 | RB600              |
|   1 |                    |
+-----+--------------------+

Rhoos · Mon Apr 03, 2017 3:27 am

I am a beginner at Mikrotik and my knowledge of networking is limited, for that reason my biggest thanks to people like "IntrusDave" and all who have collaborated with this magnificent work to keep our home networks safe. Thank you very much!

toxicfusion · Wed Apr 05, 2017 6:41 pm

I just went ahead and downloaded your script and applied to one of my MikroTiks for testing. So far so good! I'll roll this out to my client devices very soon, added security is always welcomed.

Thanks for a great contribution!

IntrusDave · Thu Apr 06, 2017 6:54 pm

Glad it's working out for you.
List usage jumped from 4800 to 5100 in the last two days.

mhyll · Mon Apr 10, 2017 10:39 pm

Your firewall rules are great. Only DST-NAT is not working....

Last two filter rules needs to be modded like this:

add action=drop chain=forward comment="Drop everything else on WAN1" in-interface=wan1 connection-nat-state=!dstnat
add action=drop chain=forward comment="Drop everything else on WAN2" in-interface=wan2 connection-nat-state=!dstnat

By the way...do you know what's happened with OpenBL?

IntrusDave · Mon Apr 10, 2017 10:49 pm

The rules are just examples, and should always be adjusted to suit the needs of the network.

I don't know what's going on with OpenBL. I can only assume they have either shut down, or are under DDoS.

sri2007 · Tue Apr 11, 2017 6:37 pm

Unfortunately, I don't know how to help you with this. I don't see any errors in my server logs. I can only assume that you are getting ssl errors. You should be able to manually install the scripts from the first post.

I dont know why, but it finnally works in my CCR1072, thanks for your help!

xlighting · Wed Apr 12, 2017 7:33 am

Hello, Dave:
I have noticed that the rule file is now less than 100kb(<1000 filter entries), but you said it was 600kb+ in March 2017, so I'm wondering if my downloading is incomplete;
I've try downloading via different Internet connection( China/HK) and via different Routerboards(RB951G and RB750Gr3) but same result..
I've also try downloading via Chrome, but seems you've restricted downloading via Routerboard only;
(I was able to download a >5000 filter file in March with same device and same Internet connection)
I've checked the .rsc file downloaded, and not seen any “broken/ending in the middle of line”

so, is there anything I can do to further investigate where the problem is?

IntrusDave · Wed Apr 12, 2017 4:35 pm

OpenBL is currently offline. So right now the filters are limited to my internal sources.

mk13139 · Wed Apr 19, 2017 9:55 am

Thanks for the update script, it is working perfectly on my RB2011UIAS-2HnD-IN.

However, I have some trouble to get it working on my RB3011UIAS-RM. When I execute:

/system script run updateBlacklist;

I get a failure: closing connection: <400 Bad Request> 172.102.241.58:443 (4).
The script on both routers is exactly the same...

IntrusDave · Wed Apr 19, 2017 5:39 pm

Every time that I have seen a 400 Error, it is because the Copy/Paste didn't work. Something is the script is wrong... Maybe it has extra formatting, or maybe invalid characters. Make sure the OS that you are using supports UTF-8. Try copying and pasting the script to Notepad, and then copying and pasting into WinBox.

rioven · Thu Apr 20, 2017 2:00 pm

Unfortunately, OpenBL gonna stop its update by end of this month

IntrusDave · Sat Apr 22, 2017 1:23 am

I don't blame them. Over the last 3 months my block list has gone from 5k entries to 30k. With most of the attacks coming from Russia and China. I'm starting to consider blocking all of Russia's IP ranges. I know that isn't good for most of the world, but my networks here in the USA are under constant attack from them.

brianlewis · Sat Apr 22, 2017 1:26 am

As great as this resource has been, in the last week it has started to block huge /16 blocks including most of Vietnam, Shopify, and many other networks that shouldn't be just added in huge /16, /19, and /24 blankets. Obviously this resource allows us to control what we want to do about these ip ranges, ie just block for specific ports or block entirely. Since we were blocking entirely the phone has been ringing off the huge by very upset customers not able to route to many areas of the world. Maybe its time to split this filter into different lists based on aggressive huge /16,/24 ranges being blocked or conservative where only specific ips or smaller /24 ranges are blocked based on their danger.

IntrusDave · Sat Apr 22, 2017 1:32 am

The filters are intended to be used as incoming filters, not outgoing. If you change your rules to only block new connections coming in on the WAN interface, all should be good. I don't recommend using the list with the RAW filters.

By blocking incoming on the WAN and new connections, you prevent the attacks, but you do not block new outbound connections.

IntrusDave · Sat Apr 22, 2017 1:35 am

On that note - what is really pissing me off is that big hosts like AWS and Google aren't doing anything about shutting down the attacks coming from their networks. Much of the spam is coming from AWS servers that change IP's every hour. So the only way to stop them is to block the whole subnet.

IntrusDave · Sat Apr 22, 2017 1:37 am

Oh, and I ran some tests today. Filtering based on IP *ONLY* and not subnet.. the download was 112M and had over 2M entries.

msatter · Sat Apr 22, 2017 1:50 pm

The filters are intended to be used as incoming filters, not outgoing. If you change your rules to only block new connections coming in on the WAN interface, all should be good. I don't recommend using the list with the RAW filters.

By blocking incoming on the WAN and new connections, you prevent the attacks, but you do not block new outbound connections.

I am confused by this about using RAW. Using the filters for incoming traffic in the RAW part not as efficient?

For outgoing I use a DNS filter and out of band port filtering for new connections in Mangle.

It is really bad out there and have lots of connections wanting to deliver mail which I don't want. It in waves since a few months and sometimes there is it quiet for days and then it starts again.

mk13139 · Mon Apr 24, 2017 9:46 am

Every time that I have seen a 400 Error, it is because the Copy/Paste didn't work. Something is the script is wrong... Maybe it has extra formatting, or maybe invalid characters. Make sure the OS that you are using supports UTF-8. Try copying and pasting the script to Notepad, and then copying and pasting into WinBox.

Thanks for your reply, I will try pasting it via Notepad later this week.

Regarding to the shutdown of OpenBL, is there any other alternative for an updated blacklist?

IntrusDave · Mon Apr 24, 2017 4:35 pm

I don't know. I stopped using OpenBL a while back.

mk13139 · Mon Apr 24, 2017 10:13 pm

I tried to paste the code in Notepad first, but still I get the 400 bad request error...
Are you sure the RB3011UIAS-RM is supported?

IntrusDave · Mon Apr 24, 2017 10:28 pm

That is the same unit I use for writing my scripts. I have just over 500 of them pulling the list every morning. The error you posted is almost always a simple format or encoding error.

amt · Tue Apr 25, 2017 4:54 pm

hi,
Im using this rule for dnymic blacklist

chain=prerouting action=drop log=no log-prefix="" src-address-list=dynamicBlacklist 
chain=prerouting action=drop log=no log-prefix="" dst-address-list=dynamicBlacklist 
chain=output action=drop log=yes log-prefix="" src-address-list=dynamicBlacklist 
chain=output action=drop log=yes log-prefix="" dst-address-list=dynamicBlacklist

is there any way to keep some ip's without block I mean some Exceptions?

Thanks

IntrusDave · Tue Apr 25, 2017 6:53 pm

Yes, You can create an address list with addresses that you never want blocked, then add an accept rule above the drop rules.

amt · Wed Apr 26, 2017 8:43 am

Yes, You can create an address list with addresses that you never want blocked, then add an accept rule above the drop rules.

should it like this ? and what about order of the rules ? is that correct ?

8 chain=prerouting action=accept log=no log-prefix="" src-address-list=Exceptions dst-address-list=Exceptions 

 9 chain=output action=accept log=no log-prefix="" src-address-list=Exceptions dst-address-list=Exceptions 

10;;; BlackList
      chain=prerouting action=drop log=no log-prefix="" src-address-list=dynamicBlacklist 

11 ;;; BlackList
      chain=prerouting action=drop log=no log-prefix="" dst-address-list=dynamicBlacklist 

12 ;;; BlackList
      chain=output action=drop log=yes log-prefix="" src-address-list=dynamicBlacklist 

13;;; BlackList
      chain=output action=drop log=yes log-prefix="" dst-address-list=dynamicBlacklist

Thanks

mk13139 · Wed Apr 26, 2017 9:41 pm

That is the same unit I use for writing my scripts. I have just over 500 of them pulling the list every morning. The error you posted is almost always a simple format or encoding error.

Can you send me the script you are using?
I even get the error when I use your automated installer script...

IntrusDave · Thu Apr 27, 2017 3:00 am

Try downloading directly from here: https://mikrotikfilters.com/updateBlacklist.rsc
Unfortunately, I don't have a router that gets this error, so I really can't troubleshoot it.

If one of you want to give me access to a router that is having a problem with the script, I can try and figure out what the problem is.

mk13139 · Mon May 01, 2017 3:01 pm

Dave,

Can you give me an update URL without or with preset variables?

:local model    [/system resource get board-name]
:local version   [/system resource get version]
:local memory   [/system resource get total-memory]
:local uname   [/system identity get name]
:local scriptVer   2016.7.4a
"https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$version&memory=$memory&id=$uname&ver=$scriptVer";

I think it is going wrong with the URL containing (maybe unknown) variables.

Deantwo · Tue May 02, 2017 11:14 am

Can you give me an update URL without or with preset variables?
...
I think it is going wrong with the URL containing (maybe unknown) variables.

Like this?

/tool fetch mode=https dst-path="/dynamic.rsc" url="https://mikrotikfilters.com/download.php\?get=dynamic&model=750&version=6.39&memory=33554432&id=mk13139&ver=DeanHelp";

amt · Tue May 02, 2017 11:46 am

Yes, You can create an address list with addresses that you never want blocked, then add an accept rule above the drop rules.

should it like this ? and what about order of the rules ? is that correct ?

8 chain=prerouting action=accept log=no log-prefix="" src-address-list=Exceptions dst-address-list=Exceptions 

 9 chain=output action=accept log=no log-prefix="" src-address-list=Exceptions dst-address-list=Exceptions 

10;;; BlackList
      chain=prerouting action=drop log=no log-prefix="" src-address-list=dynamicBlacklist 

11 ;;; BlackList
      chain=prerouting action=drop log=no log-prefix="" dst-address-list=dynamicBlacklist 

12 ;;; BlackList
      chain=output action=drop log=yes log-prefix="" src-address-list=dynamicBlacklist 

13;;; BlackList
      chain=output action=drop log=yes log-prefix="" dst-address-list=dynamicBlacklist

Thanks

mk13139 · Tue May 02, 2017 11:46 am

Can you give me an update URL without or with preset variables?
...
I think it is going wrong with the URL containing (maybe unknown) variables.
Code: Select all
/tool fetch mode=https dst-path="/dynamic.rsc" \
   url="https://mikrotikfilters.com/download.php\?get=dynamic&model=750&version=6.39&memory=33554432&id=mk13139&ver=DeanHelp";
Like that?

Yes exactly!
I got it working last night using the variables of my RB2011UAS-2HnD, hardcoding them into the update URL of the RB3011UIAS-RM:

/tool fetch mode=https dst-path="/dynamic.rsc" \
   url="https://mikrotikfilters.com/download.php?get=dynamic&model=RB2011UAS-2HnD&version=6.38.5+(stable)&memory=128.0MiB&id=MikroTik+router&ver=2016.7.4a";

Deantwo · Tue May 02, 2017 5:06 pm

I think it is going wrong with the URL containing (maybe unknown) variables.

Out of curiosity, what does your router say to the following if you paste it in the terminal?

:put [/system resource get board-name]
:put [/system resource get version]
:put [/system resource get total-memory]
:put [/system identity get name]

IntrusDave · Wed May 03, 2017 12:13 am

Give this a try...

# Import Intrus Managed Filter Lists
# ©2016-2017 David Joyce, Intrus Technologies

:log warning "Blacklist update in 30 seconds";
# :delay 10

:local model 	[/system resource get board-name]
:local version	[/system resource get version]
:local memory	[/system resource get total-memory]
:local uname	[/system identity get name]
:local scriptVer   2017.5.2b

:local name ""
:local ver ""

:for i from=0 to=([:len $uname] - 1) do={ 
  :local char [:pick $uname $i]
  :if ($char = " ") do={ :set $char "%20" }
  :set name ($name . $char)
}

:for i from=0 to=([:len $version] - 1) do={ 
  :local char [:pick $version $i]
  :if ($char = " ") do={
    :set $char "%20"
  }
  :set ver ($ver . $char)
}


:log warning "Downloading current Blacklist for this model";
/tool fetch mode=https dst-path="/dynamic.rsc" \
	url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer";

:log warning "Disabling info logging...";
/system logging disable 0

:log warning "Removing expiring address-list entries...";
:foreach i in=[/ip firewall address-list find ] \
	do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \
    do={ /ip firewall address-list remove $i } }

:log warning "Importing current Blacklist...";
/import file-name=/dynamic.rsc

:log warning "Removing temp file...";
/file remove dynamic.rsc

:log warning "Blacklist Update Complete.";
/system logging enable 0

Rhoos · Thu May 04, 2017 8:05 am

[quote="mhyll"]Your firewall rules are great. Only DST-NAT is not working....

Last two filter rules needs to be modded like this:

add action=drop chain=forward comment="Drop everything else on WAN1" in-interface=wan1 connection-nat-state=!dstnat
add action=drop chain=forward comment="Drop everything else on WAN2" in-interface=wan2 connection-nat-state=!dstnat

Thanks to your observation, I was able to make my security cameras visible from outside my house; However for the "raw" rule in prerouting the "connection-nat-state =! Dstnat" is not possible, and I have it disabled.
You know how I could make this rule work without blocking the cameras, Thanks!

Resolved!!!!

I had to put the rules of accepting the list of white IPs from first into "RAW", and everything was fine now. Thanks!!!!!

amt · Mon May 08, 2017 9:08 am

Hi,

I need help for this script. Im using this script but some times my wan adress comes to the list OR my ipblock. i create new rule to accept my ip but traffic down when i try to use. here is my rules, can some one help me to solve this issue ?

Thanks.

8  ;;; Exceptions
      chain=prerouting action=accept log=no log-prefix="" src-address-list=exceptions 

 9  ;;; Exceptions
      chain=prerouting action=accept log=no log-prefix="" dst-address-list=exceptions 

10  ;;; Exceptions
      chain=output action=accept log=no log-prefix="" src-address-list=exceptions 

11  ;;; Exceptions
      chain=output action=accept log=no log-prefix="" dst-address-list=exceptions 

12    ;;; BlackList
      chain=prerouting action=drop log=no log-prefix="" src-address-list=dynamicBlacklist 

13    ;;; BlackList
      chain=prerouting action=drop log=no log-prefix="" dst-address-list=dynamicBlacklist 

14    ;;; BlackList
      chain=output action=drop log=no log-prefix="blcklist src" src-address-list=dynamicBlacklist 

15    ;;; BlackList
      chain=output action=drop log=no log-prefix="blcklist dst" dst-address-list=dynamicBlacklist 

16    chain=prerouting action=drop dst-port=22,23,8290,8291 log=no log-prefix="" protocol=tcp src-address-list=!secure 

17    chain=prerouting action=drop dst-port=22,23,8290,8291 log=no log-prefix="" protocol=udp src-address-list=!secure 

18    chain=output action=drop dst-port=22,23,8290,8291 log=no log-prefix="" protocol=tcp src-address-list=!secure 

19    chain=output action=drop dst-port=22,23,8290,8291 log=no log-prefix="" protocol=udp src-address-list=!secure 

20    chain=prerouting action=drop in-interface=wan dst-port=53 log=no log-prefix="" protocol=tcp 

21    chain=prerouting action=drop in-interface=wan dst-port=53 log=no log-prefix="" protocol=udp

mk13139 · Mon May 08, 2017 2:36 pm

Give this a try...

# Import Intrus Managed Filter Lists
# ©2016-2017 David Joyce, Intrus Technologies

:log warning "Blacklist update in 30 seconds";
# :delay 10

:local model 	[/system resource get board-name]
:local version	[/system resource get version]
:local memory	[/system resource get total-memory]
:local uname	[/system identity get name]
:local scriptVer   2017.5.2b

:local name ""
:local ver ""

:for i from=0 to=([:len $uname] - 1) do={ 
  :local char [:pick $uname $i]
  :if ($char = " ") do={ :set $char "%20" }
  :set name ($name . $char)
}

:for i from=0 to=([:len $version] - 1) do={ 
  :local char [:pick $version $i]
  :if ($char = " ") do={
    :set $char "%20"
  }
  :set ver ($ver . $char)
}


:log warning "Downloading current Blacklist for this model";
/tool fetch mode=https dst-path="/dynamic.rsc" \
	url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer";

:log warning "Disabling info logging...";
/system logging disable 0

:log warning "Removing expiring address-list entries...";
:foreach i in=[/ip firewall address-list find ] \
	do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \
    do={ /ip firewall address-list remove $i } }

:log warning "Importing current Blacklist...";
/import file-name=/dynamic.rsc

:log warning "Removing temp file...";
/file remove dynamic.rsc

:log warning "Blacklist Update Complete.";
/system logging enable 0

Thanks! I will check it out when I'm on location.

Squidblacklist · Mon May 15, 2017 1:47 pm

it's very possible to do that, but I would need to see what the impact on the routers would be. I'm not a big fan of the built-in DNS as it is and I'm not sure how well it would hold up with several thousand hostnames added to it.

Actually, Im glad to inform you today that the current release has added a new patch for greatly improved import speed for the importing of static dns entries, one thing you will notice is that, the cpu usage is no longer at 100% during import and the import process is much faster. I will be doing some benchmarks of RouterOS before and after the patch to demonstrate the difference, and it is a remarkable improvement indeed.

IntrusDave · Mon May 15, 2017 6:24 pm

My list will not be moving to DNS. It over complicates the process and provides little if any advantages.

Fri May 19, 2017 9:45 am

What is the command to write the blacklist to a usb-stick?
Thanks

IntrusDave · Fri May 19, 2017 6:38 pm

The list is stored in memory while active.
If you need to use a flash drive for the update, just add the path of the usb drive to the path of the fetch and import lines.

Jacka · Mon May 22, 2017 10:43 am

Hi,

First of all thank you for this great script. I have a few questions:
1. Why there are 2 schedules? And if there are 2 it can't have the same name as in your example.

 /system scheduler
add interval=1d name=UpdateBlackList on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=jan/01/1970 start-time=05:00:0
/system scheduler
add interval=00:00:00 name=UpdateBlackList on-event="/system script run blacklistUpdate" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=jan/01/1970 start-time=00:00:0

2. What kind of chain is this "Attacks" ? It should be input or forward chain, am I right ?

/ip firewall filter
add action=drop chain=Attacks comment="Drop connections FROM blacklisted hosts" src-address-list=dynamicBlacklist
add action=drop chain=Attacks comment="Drop connections TO blacklisted hosts" dst-address-list=dynamicBlacklist

Deantwo · Mon May 22, 2017 1:44 pm

1. Why there are 2 schedules? And if there are 2 it can't have the same name as in your example.

 /system scheduler
add interval=1d name=UpdateBlackList on-event="/system script run updateBlacklist" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=jan/01/1970 start-time=05:00:0
/system scheduler
add interval=00:00:00 name=UpdateBlackList on-event="/system script run blacklistUpdate" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive \
    start-date=jan/01/1970 start-time=00:00:0

Two schedulers can have the same name, it is weird to have though.

Also not sure the second scheduler is totally correct. At least it can be written better.
See: viewtopic.php?f=9&t=98804&start=150#p587752

2. What kind of chain is this "Attacks" ? It should be input or forward chain, am I right ?
Code: Select all
/ip firewall filter
add action=drop chain=Attacks comment="Drop connections FROM blacklisted hosts" src-address-list=dynamicBlacklist
add action=drop chain=Attacks comment="Drop connections TO blacklisted hosts" dst-address-list=dynamicBlacklist

The "Attacks" chain is a custom chain, take a look at the jump rules further down.

/ip firewall filter
#...
add action=jump chain=input comment="Check for bad stuff in \"Attack\" chain" jump-target=Attacks
#...
add action=jump chain=forward comment="Check for bad stuff in \"Attack\" chain" jump-target=Attacks

You can read more here: https://wiki.mikrotik.com/wiki/Manual:I ... all/Filter

The firewall shown in the first post is just an example, you might want you edit it for your own use or make your own.

Jacka · Mon May 22, 2017 3:16 pm

Thanks for explanation.

amt · Tue May 23, 2017 8:06 am

can some one share firewall rules for this script ? which is correct ? using raw or filter for this script. also sometimes my puplic ip's come to the list. how can i remove them ? and how can i create expection rule for them ?

Thanks.

dmcosta · Wed May 24, 2017 7:58 pm

Hello Dave!

Works perfectly on hAp AC lite , RB951G-2Hnd.

Thank you very much for this! Great work!!

cheers

b3h3m07h · Mon May 29, 2017 6:43 am

Here is the script i use to save and execute the blacklist (dynamic.rsc) from a usb drive (named usb1)

/system script add name=updateBlacklist-usb1 owner=admin policy=read,write,test source="# Import Intrus Managed Filter Lists\r\n# (C)2016 David Joyce, Intrus Technologies\r\n\r\n:log warning \"Blacklist update in 30 seconds\";\r\n# :delay 10\r\n\r\n:local model \t[/system resource get board-name]\r\n:local version\t[/system resource get version]\r\n:local memory\t[/system resource get total-memory]\r\n:local uname\t[/system identity get name]\r\n:local scriptVer 2017.5.2a\r\n\r\n:local name \"\"\r\n:local ver \"\"\r\n\r\n:for i from=0 to=([:len \$uname] - 1) do={ \r\n :local char [:pick \$uname \$i]\r\n :if (\$char = \" \") do={ :set \$char \"%20\" }\r\n :set name (\$name . \$char)\r\n}\r\n\r\n:for i from=0 to=([:len \$version] - 1) do={ \r\n :local char [:pick \$version \$i]\r\n :if (\$char = \" \") do={\r\n :set \$char \"%20\"\r\n }\r\n :set ver (\$ver . \$char)\r\n}\r\n\r\n\r\n:log warning \"Downloading current Blacklist for this model\";\r\n/tool fetch mode=https dst-path=\"/usb1/dynamic.rsc\" \\\r\n\turl=\"https://mikrotikfilters.com/download.ph ... \n\r\n:log warning \"Disabling info logging...\";\r\n/system logging disable 0\r\n\r\n:log warning \"Removing expiring address-list entries...\";\r\n:foreach i in=[/ip firewall address-list find ] \\\r\n\tdo={ :if ( [/ip firewall address-list get \$i list] = \"dynamicBlacklist\" ) \\\r\n do={ /ip firewall address-list remove \$i } }\r\n\r\n:log warning \"Importing current Blacklist...\";\r\n/import file-name=/usb1/dynamic.rsc\r\n\r\n:log warning \"Removing temp file...\";\r\n/file remove usb1/dynamic.rsc\r\n\r\n:log warning \"Blacklist Update Complete.\";\r\n/system logging enable 0"

so far, so good.

Mon May 29, 2017 7:47 am

Could you please edit your post and use "Code" tag to paste script content once again. It is hard to read it now.

b3h3m07h · Mon May 29, 2017 8:58 am

here you go

# Import Intrus Managed Filter Lists
# (C)2016 David Joyce, Intrus Technologies

:log warning "Blacklist update in 30 seconds";
# :delay 10

:local model 	[/system resource get board-name]
:local version	[/system resource get version]
:local memory	[/system resource get total-memory]
:local uname	[/system identity get name]
:local scriptVer   2017.5.2a

:local name ""
:local ver ""

:for i from=0 to=([:len $uname] - 1) do={ 
  :local char [:pick $uname $i]
  :if ($char = " ") do={ :set $char "%20" }
  :set name ($name . $char)
}

:for i from=0 to=([:len $version] - 1) do={ 
  :local char [:pick $version $i]
  :if ($char = " ") do={
    :set $char "%20"
  }
  :set ver ($ver . $char)
}


:log warning "Downloading current Blacklist for this model";
/tool fetch mode=https dst-path="/usb1/dynamic.rsc" \
	url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer";

:log warning "Disabling info logging...";
/system logging disable 0

:log warning "Removing expiring address-list entries...";
:foreach i in=[/ip firewall address-list find ] \
	do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \
    do={ /ip firewall address-list remove $i } }

:log warning "Importing current Blacklist...";
/import file-name=/usb1/dynamic.rsc

:log warning "Removing temp file...";
/file remove usb1/dynamic.rsc

:log warning "Blacklist Update Complete.";
/system logging enable 0

IntrusDave · Wed May 31, 2017 12:36 am

I've updated the script with support for USB Flash as well as the new RB1100AHx4 with internal storage.
I has also reworked the backend and script for more accurate accounting. Please update your scripts.

# Import Intrus Managed Filter Lists
# © 2016-2017 David Joyce, Intrus Technologies

##### Update your path, is you are using a USB Flash or other storage

:global datapath "disk1/dynamic.rsc"

###### DO NOT EDIT BELOW THIS POINT ######

##### Delay for 10 seconds to allow the WAN to come online after a reboot
:log warning "Blacklist update in 10 seconds";
:delay 10

##### Pull info to report to the server, used to download the correct list as well as stats collecting
##### software ID is used as the unique ID on the server side, this allows us to identify different 
##### routers behind a NAT router. Please do not remove it.
:local model 	[/system resource get board-name]
:local version	[/system resource get version]
:local memory	[/system resource get total-memory]
:local uname	[/system identity get name]
:local softid        [/system license get software-id]
:local scriptVer   2017.5.30c

##### Scrub the device name and version to prevent http errors
:local name ""
:local ver ""

:for i from=0 to=([:len $uname] - 1) do={ 
  :local char [:pick $uname $i]
  :if ($char = " ") do={ :set $char "%20" }
  :set name ($name . $char)
}

:for i from=0 to=([:len $version] - 1) do={ 
  :local char [:pick $version $i]
  :if ($char = " ") do={
    :set $char "%20"
  }
  :set ver ($ver . $char)
}

#### Begin download of current blacklist
:log warning "Downloading current Blacklist for this model";
/tool fetch mode=https dst-path="$datapath" \
	url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid";

##### Disable the log (We don't need 20k lines of adds and removes in the log
:log warning "Disabling info logging...";
/system logging disable 0

##### Find the "dynamicBlacklist" entries and remove them
:log warning "Removing expiring address-list entries...";
:foreach i in=[/ip firewall address-list find ] \
	do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \
    do={ /ip firewall address-list remove $i } }

##### Import the downloaded blacklist
:log warning "Importing current Blacklist...";
/import file-name="$datapath"

##### Find and remove the downloaded file
:log warning "Removing temp file...";
/file remove [find name=$datapath]

##### Turn the logging back on
:log warning "Blacklist Update Complete.";
/system logging enable 0

Also - The server is now blocking routers that excessively download the list. (I have several people that are trying to update every minute.)

b3h3m07h · Wed May 31, 2017 5:03 am

Just made a few changes to the script as it didn't seem to delete the blacklist at the end

# Import Intrus Managed Filter Lists
# © 2016-2017 David Joyce, Intrus Technologies

##### Update your path, is you are using a USB Flash or other storage

:global datapath "usb1/"
:global datafile "dynamic.rsc"

###### DO NOT EDIT BELOW THIS POINT ######

##### Delay for 10 seconds to allow the WAN to come online after a reboot
:log warning "Blacklist update in 10 seconds";
:delay 10

##### Pull info to report to the server, used to download the correct list as well as stats collecting
##### software ID is used as the unique ID on the server side, this allows us to identify different 
##### routers behind a NAT router. Please do not remove it.
:local model    [/system resource get board-name]
:local version   [/system resource get version]
:local memory   [/system resource get total-memory]
:local uname   [/system identity get name]
:local softid        [/system license get software-id]
:local scriptVer   2017.5.30b

##### Scrub the device name and version to prevent http errors
:local name ""
:local ver ""

:for i from=0 to=([:len $uname] - 1) do={ 
  :local char [:pick $uname $i]
  :if ($char = " ") do={ :set $char "%20" }
  :set name ($name . $char)
}

:for i from=0 to=([:len $version] - 1) do={ 
  :local char [:pick $version $i]
  :if ($char = " ") do={
    :set $char "%20"
  }
  :set ver ($ver . $char)
}

#### Begin download of current blacklist
:log warning "Downloading current Blacklist for this model";
/tool fetch mode=https dst-path="/$datapath$datafile" \
   url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid";

##### Disable the log (We don't need 20k lines of adds and removes in the log
:log warning "Disabling info logging...";
/system logging disable 0

##### Find the "dynamicBlacklist" entries and remove them
:log warning "Removing expiring address-list entries...";
:foreach i in=[/ip firewall address-list find ] \
   do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \
    do={ /ip firewall address-list remove $i } }

##### Import the downloaded blacklist
:log warning "Importing current Blacklist...";
/import file-name="/$datapath$datafile"

##### Find and remove the downloaded file
:log warning "Removing temp file...";
/file remove "$datapath$datafile"

##### Turn the logging back on
:log warning "Blacklist Update Complete.";
/system logging enable 0

cashwu · Wed May 31, 2017 6:22 am

Just tried it, the results stopped here ...
Set:
:global datapath "disk-8G/"
:global datafile "dynamic.rsc"

未命名.png

IntrusDave · Wed May 31, 2017 6:37 am

Try this
:global datapath "/disk-8G/"

b3h3m07h · Wed May 31, 2017 7:19 am

try this, worked fine on my rb2011 and usb drive

# Import Intrus Managed Filter Lists
# © 2016-2017 David Joyce, Intrus Technologies

##### Update your path, is you are using a USB Flash or other storage

:global datapath "disk-8G/"
:global datafile "dynamic.rsc"

###### DO NOT EDIT BELOW THIS POINT ######

##### Delay for 10 seconds to allow the WAN to come online after a reboot
:log warning "Blacklist update in 10 seconds";
:delay 10

##### Pull info to report to the server, used to download the correct list as well as stats collecting
##### software ID is used as the unique ID on the server side, this allows us to identify different 
##### routers behind a NAT router. Please do not remove it.
:local model    [/system resource get board-name]
:local version   [/system resource get version]
:local memory   [/system resource get total-memory]
:local uname   [/system identity get name]
:local softid        [/system license get software-id]
:local scriptVer   2017.5.30b

##### Scrub the device name and version to prevent http errors
:local name ""
:local ver ""

:for i from=0 to=([:len $uname] - 1) do={ 
  :local char [:pick $uname $i]
  :if ($char = " ") do={ :set $char "%20" }
  :set name ($name . $char)
}

:for i from=0 to=([:len $version] - 1) do={ 
  :local char [:pick $version $i]
  :if ($char = " ") do={
    :set $char "%20"
  }
  :set ver ($ver . $char)
}

#### Begin download of current blacklist
:log warning "Downloading current Blacklist for this model";
/tool fetch mode=https dst-path="/$datapath$datafile" \
   url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid";

##### Disable the log (We don't need 20k lines of adds and removes in the log
:log warning "Disabling info logging...";
/system logging disable 0

##### Find the "dynamicBlacklist" entries and remove them
:log warning "Removing expiring address-list entries...";
:foreach i in=[/ip firewall address-list find ] \
   do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \
    do={ /ip firewall address-list remove $i } }

##### Import the downloaded blacklist
:log warning "Importing current Blacklist...";
/import file-name="/$datapath$datafile"

##### Find and remove the downloaded file
:log warning "Removing temp file...";
/file remove "$datapath$datafile"

##### Turn the logging back on
:log warning "Blacklist Update Complete.";
/system logging enable 0

These lines were also changed

/tool fetch mode=https dst-path="/$datapath$datafile" \
url="https://mikrotikfilters.com/download.ph ... id=$softid";

/import file-name="/$datapath$datafile"

/file remove "$datapath$datafile"

IntrusDave · Wed May 31, 2017 7:41 am

Yup, clearly a problem with the remove. I can't seem to get it to accept a variable

IntrusDave · Wed May 31, 2017 8:05 am

Okay, I've updated the script again. It didn't like having the path and filename separate.

# Import Intrus Managed Filter Lists
# © 2016-2017 David Joyce, Intrus Technologies

##### Update your path, is you are using a USB Flash or other storage

:global datapath "disk1/dynamic.rsc"

###### DO NOT EDIT BELOW THIS POINT ######

##### Delay for 10 seconds to allow the WAN to come online after a reboot
:log warning "Blacklist update in 10 seconds";
:delay 10

##### Pull info to report to the server, used to download the correct list as well as stats collecting
##### software ID is used as the unique ID on the server side, this allows us to identify different 
##### routers behind a NAT router. Please do not remove it.
:local model 	[/system resource get board-name]
:local version	[/system resource get version]
:local memory	[/system resource get total-memory]
:local uname	[/system identity get name]
:local softid        [/system license get software-id]
:local scriptVer   2017.5.30c

##### Scrub the device name and version to prevent http errors
:local name ""
:local ver ""

:for i from=0 to=([:len $uname] - 1) do={ 
  :local char [:pick $uname $i]
  :if ($char = " ") do={ :set $char "%20" }
  :set name ($name . $char)
}

:for i from=0 to=([:len $version] - 1) do={ 
  :local char [:pick $version $i]
  :if ($char = " ") do={
    :set $char "%20"
  }
  :set ver ($ver . $char)
}

#### Begin download of current blacklist
:log warning "Downloading current Blacklist for this model";
/tool fetch mode=https dst-path="$datapath" \
	url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid";

##### Disable the log (We don't need 20k lines of adds and removes in the log
:log warning "Disabling info logging...";
/system logging disable 0

##### Find the "dynamicBlacklist" entries and remove them
:log warning "Removing expiring address-list entries...";
:foreach i in=[/ip firewall address-list find ] \
	do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \
    do={ /ip firewall address-list remove $i } }

##### Import the downloaded blacklist
:log warning "Importing current Blacklist...";
/import file-name="$datapath"

##### Find and remove the downloaded file
:log warning "Removing temp file...";
/file remove [find name=$datapath]

##### Turn the logging back on
:log warning "Blacklist Update Complete.";
/system logging enable 0

cashwu · Wed May 31, 2017 8:16 am

Hello Dave & b3h3m07h, thank you for your reply.

The latest version works fine.

And then your reply, to understand the difference between the two ways.

Once again thank you.

b3h3m07h · Wed May 31, 2017 8:19 am

Nice work. All good here.

dmcosta · Wed May 31, 2017 4:24 pm

Thanks Dave for the update! Great work!

aboiles · Wed May 31, 2017 5:09 pm

Hello Dave,
I am now getting an error when I run the script-

url="https://mikrotikfilters.com/download.ph ... model&vers
ion=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid";
status: failed

failure: closing connection: <404 Not Found> 172.102.241.58:443 (4)

The script worked fine last night, but is now failing with the same error on the four routers it's running on.

IntrusDave · Wed May 31, 2017 5:12 pm

Your URL is wrong.
Note the ? between "download.php" and "get"

url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid"

aboiles · Wed May 31, 2017 5:36 pm

Hello Dave,
The script has the ?, when pasted in terminal it disappears.
The log only has an entry of-
script error: expected command name (line 1 column 1)
The downloaded dynamic.rsc only has one line-
All fields are required. Please update your script.

IntrusDave · Wed May 31, 2017 5:39 pm

That would mean that you need the current script. It's available in the first post.

aboiles · Wed May 31, 2017 6:16 pm

tried both the auto installer - script ver 2017.5.2a
and the code ver 2017.5.30c.
Am still getting the All fields are required. Please update your script. dynamic.rsc

aboiles · Wed May 31, 2017 8:14 pm

slightly modified the script by removing the extra spaces in the local info section and now have it running on a 2011UiAS-2HnD, 951G-2HnD and a CRS125-24G-1S-2HnD.
still fails on a CHR with the same error-All fields are required. Please update your script. dynamic.rsc

IntrusDave · Wed May 31, 2017 8:27 pm

Sorry man. More than 500 routers already updated and working with the new script. You are having copy/paste issues. I can't fix that for you.

aboiles · Wed May 31, 2017 8:47 pm

Don't know Dave,
I think it may have something to do with the software-id.
I'm getting a blank for software-id from the chr's.

[admin@router] > :put [/system resource get board-name]
CHR
[admin@router] > :put [/system resource get version]
6.40rc15 (testing)
[admin@router] > :put [/system resource get total-memory]
2071535616
[admin@router] > :put [/system identity get name]
router
[admin@router] > :put [/system license get software-id]

[admin@router] >

Taylor · Thu Jun 01, 2017 5:31 am

I'm having issues too, started out with the autoinstaller script in your first post, it always leads with

[admin@TaylorMikrotik] >> /import updateBlacklist.rsc;                                                 
syntax error (line 62 column 11)

I edited it and put start-time=startup on the same line as the last add for scheduler.

That worked but then it complains about that name already existing, which is from the double schedules? not sure why there are two named the same.

After editing this tho, I get what others have gotten.

All fields are required. Please update your script.

i have not copy or pasted anything outside of downloading the script from winbox to my pc, open in notepad++ with it in UNIX lineending mode, and put that part on the right line, then re uploaded to the tik.

IntrusDave · Thu Jun 01, 2017 6:48 am

I'm guessing that everyone with issues are running CHR. I've found the problem and I'm working on a fix right now. I'll post the update in about an hour.

Taylor · Thu Jun 01, 2017 6:56 am

I am on a RB951Ui-2HnD

IntrusDave · Thu Jun 01, 2017 6:59 am

I am on a RB951Ui-2HnD

can you post the /system license print ?

IntrusDave · Thu Jun 01, 2017 7:40 am

I've updated the script to deal with the CHR using system-id instead of software-id. Annoying that they are different...

I've tested on the following units with no failures.

CCR1009-7G-1C-1S+
CCR1009-8G-1S-1S+
CCR1016-12G
CCR1036-12G-4S
CHR
CRS109-8G-1S-2HnD
CRS125-24G-1S
CRS125-24G-1S-2HnD
hAP+ac
hAP+ac+lite
hEX
RB2011UAS-2HnD
RB2011UiAS
RB2011UiAS-2HnD
RB3011UiAS
RB450G
RB951G-2HnD
RB951Ui-2HnD
x86

IntrusDave · Thu Jun 01, 2017 7:42 am

syntax error (line 62 column 11)[/code]

I found the line 62 error and corrected it. delete the items you have, and reinstall. it should be good to go.

Taylor · Thu Jun 01, 2017 8:03 am

Seems the CHR changes, fixed mine too... fyi the output was

[admin@TaylorMikrotik] >> /system license print     
  software-id: 15LP-6RVD
       nlevel: 4
     features:

aboiles · Thu Jun 01, 2017 8:27 am

Thanks Dave,
Script works great on the CHR now!

amt · Thu Jun 01, 2017 10:06 am

Hi,
I had this erorr All fields are required. Please update your script
here log;
10:05:19 script,warning Downloading current Blacklist for this model
10:05:20 info fetch: file "dynamic.rsc" downloaded
10:05:20 script,warning Disabling info logging...
10:05:20 script,warning Removing expiring address-list entries...
10:05:20 script,warning Importing current Blacklist...
10:05:20 script,error script error: expected command name (line 1 column 1)

I update script with this;

# Import Intrus Managed Filter Lists
# © 2016-2017 David Joyce, Intrus Technologies

##### Update your path, is you are using a USB Flash or other storage

:global datapath "disk1/dynamic.rsc"

###### DO NOT EDIT BELOW THIS POINT ######

##### Delay for 10 seconds to allow the WAN to come online after a reboot
:log warning "Blacklist update in 10 seconds";
:delay 10

##### Pull info to report to the server, used to download the correct list as well as stats collecting
##### software ID is used as the unique ID on the server side, this allows us to identify different 
##### routers behind a NAT router. Please do not remove it.
:local model    [/system resource get board-name]
:local version   [/system resource get version]
:local memory   [/system resource get total-memory]
:local uname   [/system identity get name]
:local softid        [/system license get software-id]
:local scriptVer   2017.5.30c

##### Scrub the device name and version to prevent http errors
:local name ""
:local ver ""

:for i from=0 to=([:len $uname] - 1) do={ 
  :local char [:pick $uname $i]
  :if ($char = " ") do={ :set $char "%20" }
  :set name ($name . $char)
}

:for i from=0 to=([:len $version] - 1) do={ 
  :local char [:pick $version $i]
  :if ($char = " ") do={
    :set $char "%20"
  }
  :set ver ($ver . $char)
}

#### Begin download of current blacklist
:log warning "Downloading current Blacklist for this model";
/tool fetch mode=https dst-path="$datapath" \
   url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid";

##### Disable the log (We don't need 20k lines of adds and removes in the log
:log warning "Disabling info logging...";
/system logging disable 0

##### Find the "dynamicBlacklist" entries and remove them
:log warning "Removing expiring address-list entries...";
:foreach i in=[/ip firewall address-list find ] \
   do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \
    do={ /ip firewall address-list remove $i } }

##### Import the downloaded blacklist
:log warning "Importing current Blacklist...";
/import file-name="$datapath"

##### Find and remove the downloaded file
:log warning "Removing temp file...";
/file remove [find name=$datapath]

##### Turn the logging back on
:log warning "Blacklist Update Complete.";
/system logging enable 0

and now working.
thanks

IntrusDave · Fri Jun 02, 2017 8:02 am

Glad it's working for everyone now. Stats are MUCH more accurate now. The server was starting to block devices behind NAT routers because it thought some were downloading hundreds of times per hour. Now it sees each as a separate device.

Taylor · Fri Jun 02, 2017 8:10 am

Awesome! Thanks for still doing this. Now that you got more stats, you should create some public pages cause i love me some random statistics!

IntrusDave · Fri Jun 02, 2017 8:14 am

Awesome! Thanks for still doing this. Now that you got more stats, you should create some public pages cause i love me some random statistics!

I was just starting on a page that shows each type and number of routers that pulls the list.

IntrusDave · Fri Jun 02, 2017 8:58 am

I've cleared all my starts and started fresh. Here is a quick and dirty stats page on the hardware accessing the list.

https://mikrotikfilters.com/blstats.php

Fri Jun 02, 2017 4:18 pm

Data taken from 28 days of router uptime

blackmail is my list composed from addresses dropped with greylisting

98 395 - total started SMTP sessions
8362 - unique smtp src addresses
7 515 - dropped by my blackmail list
70 596 - dropped by Dave's list

bm.PNG

msatter · Sat Jun 03, 2017 11:10 am

Many thanks for all your work and I was following this thread with great interest and checked this morning if I needed to update my script. That was the case and since three days I had a error on line one.

So I downloaded the latest script and imported it after removing the running script. The are some things I had to change: user djoyce --> admin to get the line back in my log where the dynamic.rsc has been downloaded memory info fetch: file "dynamic.rsc" downloaded. I set the start delay time to 30 seconds because I have a PPPoE connection that takes a bit longer to come up after reboot.

Default the location of the dynamic.rsc is now disk1 and that is ok by me because I have an SD card in my RB750Gr3 but I can change that to flash (mirrored in RAM) again if I like.

I also noticed that on importing updateBlacklist.rsc to the script that I got: /import updateBlacklist.rsc; failure: item with this name already exists despite it did not exist until after the import.

pkrexer · Mon Jun 05, 2017 3:56 am

Not sure why its not working all of a sudden. I updated the script a few days ago and was working as of yesterday... Now when the script runs, it says its downloading the blacklist but nothing else happens.

IntrusDave · Mon Jun 05, 2017 3:58 am

Not sure why its not working all of a sudden. I updated the script a few days ago and was working as of yesterday... Now when the script runs, it says its downloading the blacklist but nothing else happens.

What are the last two octets of the public IP?

pkrexer · Mon Jun 05, 2017 4:05 am

11.204

IntrusDave · Mon Jun 05, 2017 4:12 am

Fixed. Sorry about that. typo in the code.

pkrexer · Mon Jun 05, 2017 4:16 am

np! Thanks for the quick fix... Appreciate all the work you do!

IntrusDave · Mon Jun 05, 2017 4:17 am

No problem at all. I enjoy it.

msatter · Wed Jun 07, 2017 1:30 pm

I noticed today when I started Firefox that I were getting hits on the blacklist. I followed the IP and found that it lead to hackademix.net and secure.informaction.com and looking on the site it was probably an plug-in was generating the hits and that was No-script. I use this plug-in for years and I allow or disallow the default running of scripts filtered on the domain the are served by.

Plugin homepage: https://noscript.net/

Name: secure.informaction.com
Addresses: 69.195.158.194
69.195.158.198
69.195.158.197
69.195.158.195
69.195.158.196

I understand how the blacklist is build and that it based on bad traffic and if there is a problem of a domain being misused then I can contact them to ask to look if they are hacked in any way?

Found it and I don't know why I did not see it before: the block is: 69.195.158.0/24 in the dynamicblacklist

IntrusDave · Thu Jun 08, 2017 3:17 am

I've updated the statistics page today. It now normalizes the memory and shows the percentage of each category

IntrusDave · Thu Jun 08, 2017 3:21 am

I noticed today when I started Firefox that I were getting hits on the blacklist. I followed the IP and found that it lead to hackademix.net and secure.informaction.com and looking on the site it was probably an plug-in was generating the hits and that was No-script. I use this plug-in for years and I allow or disallow the default running of scripts filtered on the domain the are served by.

Plugin homepage: https://noscript.net/

Name: secure.informaction.com
Addresses: 69.195.158.194
69.195.158.198
69.195.158.197
69.195.158.195
69.195.158.196

I understand how the blacklist is build and that it based on bad traffic and if there is a problem of a domain being misused then I can contact them to ask to look if they are hacked in any way?

Found it and I don't know why I did not see it before: the block is: 69.195.158.0/24 in the dynamicblacklist

I'm not sure what you are asking here. You are always welcome to contact a site and ask them to fix any issues. The subnet will be removed from the list automatically once whatever issue they were having is fixed. Many times it's that they are hosting a botnet that they do not even know about. Other times it may be that they are serving viruses in ads. AWS and Google Compute have both been blocked several times because they refuse to take down a virtual host that is being used to attack other networks.

eddieb · Thu Jun 08, 2017 8:37 pm

Hi Dave,

I use your dynamic blacklist and it suits well.
For some reason a subnet from which I really need to use 1 address from appeared in one of the lists loaded into dynamicBlacklist ...
It would be a great help if I could whitelist a subnet inside the script somehow ...

Keep up the great work

Eddie

IntrusDave · Thu Jun 08, 2017 11:00 pm

Whitelisting is accomplished by creating a new address-list and a new filter rule.

1) Create an address list - say.. "Whitelist" and add the IP addresses that you need never be blocked.
2) create a new filter "Accept" rule, using the src-address-list you created.
3) place the new Whitelist Accept rule ABOVE the blacklist Drop rule.

There is no need to modify the script, and this can not be done on the server side.
Please keep in mind that it's always better to understand why the IP/Subnet ended up on the blacklist and attempt to get that corrected first. I have seen several networks penetrated because an admin whitelisted an address that was serving malware, instead of contacting that site/service and getting the issue resolved.

eddieb · Fri Jun 09, 2017 9:11 am

Hi Dave,

thanks for your response. It was a bit complex but I did manage to add the subnet in a whitelist and that works for now...
I am aware of the problems that might cause such a whitelist. In this case the subnet is from a local provider with many customers fighting spam ...
sometimes one of them gets blacklisted for that reason and sometimes the entire subnet is.
To do make sure that 2 of the servers within my responsibility are not causing troubles I need to have access to them.
For now I whitelisted those 2 and that does the job.

regards,

Eddie

leemans · Fri Jun 09, 2017 5:51 pm

Hi Dave,

Dear,
It's not working on my RB600.
It used to work for a long time...
Any idea how come?

Thanks,
Patrick

IntrusDave · Fri Jun 09, 2017 6:01 pm

The script was updated last week to work with the new backend servers. You can find the update in the first post of this thread

IntrusDave · Sat Jun 10, 2017 5:16 pm

Thanks to someone setting up 50 routers to download every 2 minutes, the server is now blocking any router that downloads more than 4 times in a 24 hour period.

msatter · Sat Jun 10, 2017 9:33 pm

Is the blockage permanent or will it be lifted after a certain time? I can imagine that one that is testing has to reboot a few times in a few hours. So when testing one should switch off the startup reload until all is stable again.

IntrusDave · Sat Jun 10, 2017 9:43 pm

SHouldn't be an issue for most. The server will flag routers that get excessive and throttle them to 4 download in a 24 hour period.

msatter · Sun Jun 11, 2017 12:55 am

And if the devil was at work with my Mikrotik and made it crashed and luckily I managed to switch off the startupscript. I had already had three strikes so I also should disable the normal update, for the time being.

Maybe it is possible to keep the file on the disk (when not using flash) and delete it on the next regular reload of 24 hours. After the first import it would have to be renamed with the time, of the first import in the name.

The script looks on a restart or regular reload if the file is older dan 23 hours and then it would get a new one. If the file is younger than 23hours the script will reload the file form the disk.

You can then still throttle addresses that reload more than three times with a blank router. If they have to setup routers then they also should copy the current file to the disk on each router.

msatter · Sun Jun 11, 2017 10:55 am

AAAARGH lost some sleep by trying to find out the way how to convert date+time so that I could subtract those and have the difference in time. No I did not manage but manage to go to sleep after staying up much to long.

In the morning my mind started to seek for a solution and I had different ideas but none of the would solve this. Then I got a great idea to just make a different script just for only the start-up. All pieces fell in place and no calculation and string delidding needed and just let nature do its work and follow the natural flow.

The main script updateBlacklist is changed so that dynamic.rsc file is not deleted after importing. The new startup startupBlacklist is the current updateBlacklist stripped of all download and statistical parts.

In updateBlacklist I commented out the removal of the dynamic.rsc file after importing and it will overwritten by the new dynamic.rsc file when the daily update is run. This is the changed code part form updateBlacklist

Hope that you like this adaptation and so also give your server bit of rest because restarted Mikrotik devices will not bother it when just restarting and only knock on the door for the real daily update.

So I am going now to eat my breakfast and enjoy my Sunday which is also today a sunny day.

nico599 · Mon Jun 12, 2017 12:12 pm

Hi DAVE
yesterday , i change new script ,
it's working in my RB450G & RB750GL,
but in my CCR1009-8G-1S-1S+ ......,
just show Message "Downloading current Blacklist for this model",
but can't download anything...
i use the same script,.......

How can i to deal with this problem?

Sorry,English not my mother Language...

Deantwo · Mon Jun 12, 2017 12:49 pm

Hello Dave,
The script has the ?, when pasted in terminal it disappears.
The log only has an entry of-
script error: expected command name (line 1 column 1)
The downloaded dynamic.rsc only has one line-
All fields are required. Please update your script.
That would mean that you need the current script. It's available in the first post.

Dave you could just escape the "?". That would allow it to be run in the terminal without issue, and it will make no difference for non-terminal running.
I mentioned it before, here: viewtopic.php?f=9&t=98804&start=150#p587708

"...\?..."

msatter · Mon Jun 12, 2017 1:10 pm

A bit of saving on traffic you could save about 20% of traffic by not adding the "comment" part on every dynamicblacklist line.

I don't know if RouterOS can handle deflated traffic when downloading. However there is xz/LZMA used when a firmware update is applied. So if on saving a file with the .gz extension then it could be automatically be extracted and then your dynamic.rsc.gz would 20 times smaller and just 50KB instead of 970KB.

Update: all the .NPK files are zipped and extracted in some way when installed. Looking into the system.npk I find the program "unexpak" but I can't see what it is doing. When I look in \lib\ I see the library libz.so and if I am not wrong that is a compress/decompress code.

The only thing I found Mikrotik talking about compression stated that due to limitations of the size of the flash not allowing a compression tool to the users.

So maybe Mikrotik could give us the option to export compressed and then to normal extension like .RSC and .BACKUP add .GZ and automatically decompress files with .GZ when read.

reb00t · Wed Jun 14, 2017 6:51 pm

My updates stopped working so I went to investigate and found when running the update script (v2017.5.31f) from the command line:

[admin@redacted_name.com] > /system script run updateBlacklist;                                                  
  status: failed

failure: cannot open file

I've installed the script via the download method described in the first post so I don't believe it's a copy/paste issue. Maybe I accessed the download more than four times during testing one day? Are there any other reasons to get that failure message?

Here's my basic info:

[admin@redacted_name.com] /system resource> print
             uptime: 4d4h2m55s
            version: 6.39.2 (stable)
         build-time: Mar/09/2017 11:32:49
        free-memory: 1712.6MiB
       total-memory: 1956.2MiB
                cpu: tilegx
          cpu-count: 9
      cpu-frequency: 1200MHz
           cpu-load: 0%
     free-hdd-space: 78.5MiB
    total-hdd-space: 128.0MiB
  architecture-name: tile
         board-name: CCR1009-8G-1S-1S+
           platform: MikroTik
[admin@redacted_name.com] /system resource> /system license print            
  software-id: 8RW2-IFMS
       nlevel: 6
     features:

IntrusDave · Wed Jun 14, 2017 10:15 pm

try a copy/paste from the first post. Not sure what the issue is, the server isn't reporting any issues.

reb00t · Thu Jun 15, 2017 3:35 pm

Doing the copy and paste from post #1 worked. Still not sure why it stopped working. Thank you!

IntrusDave · Thu Jun 15, 2017 11:57 pm

Doing the copy and paste from post #1 worked. Still not sure why it stopped working. Thank you!

Sweet, glad it fixed it for you.

jgro · Wed Jun 21, 2017 10:18 am

Thank you for this, David!

Curious why you use a loop:

:foreach i in=[/ip firewall address-list find ] \
   do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \
    do={ /ip firewall address-list remove $i } }

instead of

/ip firewall address-list remove [find list="dynamicBlacklist"]

On my system, the loop takes 88 seconds while the 1-liner takes 32 seconds
How does your blacklist compare with the one being provided by squidblacklist.org (which just combines spamhaus drop, edrop, dshield, malc0de, blocklist.de )?

msatter · Wed Jun 21, 2017 10:36 am

That is indeed an easier and faster way. Dave wrote about that earlier about using those lists: viewtopic.php?f=9&t=98804&p=545381&hilit=Drop#p545381

I tried the change in code and the removal of the addresses went from 37 seconds down to 20 seconds and the total time is now 48 seconds and before it was 66 seconds. So the save time when using almost 20.000 IP addresses is around 17 seconds.

msatter · Wed Jun 21, 2017 11:18 am

And some more info on how to reduce the traffic if RouterOS is supporting gzip/deflate: https://www.scalescale.com/tips/nginx/h ... mpression/

When I now use your site I get no get gzip on the application/octet-stream:

root@search:~# curl --header "Accept-Encoding: gzip,deflate,sdch" -I https://mikrotikfilters.com/updateBlacklist.rsc
HTTP/1.1 200 OK
Server: nginx
Date: Wed, 21 Jun 2017 08:11:29 GMT
Content-Type: application/octet-stream
Content-Length: 4141
Last-Modified: Thu, 01 Jun 2017 04:22:22 GMT
Connection: keep-alive
Keep-Alive: timeout=2
Accept-Ranges: bytes

When compression is active then the saving would be 95.7% and your transfer goes from 1.8MB to 78KB:

................./dynamic.txt is Compressed

Uncompressed Page Size: 1817.7 KB
Compressed Page Size: 77.8 KB
Savings: 95.7%

I see different data when downloading html or the dynamic.rsc when I test it on my own server:

Darn the whole bit below is obsolete because the things I though I could deduct, is bases on not cleared characters by RouterOS. The result is written on the same line as the line shown during transfer "-- [Q quit|D dump|C-z pause]" so I was mislead by what it seemed to state and I was looking for........GRRRRRRRRRRRRRRRR

[admin@MikroTik] > /tool fetch mode=http url=https://xxxx.xx/index.html
       status: finished
  downloaded: 0KiBC-z pause]
       total: 0KiB
    duration: 1s

[admin@MikroTik] > /tool fetch mode=http url=https://xxxx.xx/dynamic.rsc
      status: finished
  downloaded: 1817KiB pause]
       total: 1817KiB
    duration: 1s

I think that C-z in "0KiBC-z" stands for Compression gzip so it is there and now it is how to get that working for the .RSC

And a PDF also get -z but nu C:

[admin@MikroTik] > /tool fetch mode=http url=https://xxxxx.xx/files/xxxxxxx.pdf
      status: finished
  downloaded: 71KiB-z pause]
       total: 71KiB
    duration: 1s

[/i]

IntrusDave · Wed Jun 21, 2017 5:57 pm

The loop is to deal with older versions of RouterOS that would only remove the first item it found when using Find.

IntrusDave · Wed Jun 21, 2017 7:04 pm

The server does compress the content.... As seen by this compression test.

IntrusDave · Thu Jun 22, 2017 8:29 am

I think that C-z in "0KiBC-z" stands for Compression gzip so it is there and now it is how to get that working for the .RSC

the C-z means "Control-Z to Pause", not compressed-zip

jgro · Thu Jun 22, 2017 8:45 am

David, please consider including blocklist.de's block list. I've been using both your blocklist and the one from squidblacklist.org for a little bit and so far the only major difference is from blocklist.de. If you add that then I can drop squidblacklist.org.

 #    CHAIN                                             ACTION                            BYTES         PACKETS
 0  D ;;; special dummy rule to show fasttrack counters
      prerouting                                        passthrough                 205 064 681         238 851
 1    ;;; Attack from Intrus blocklist
      prerouting                                        drop                              8 846             206
 2    ;;; Attack from sbl malc0de
      prerouting                                        drop                                  0               0
 3    ;;; Attack from sbl dshield
      prerouting                                        drop                                 52               1
 4    ;;; Attack from sbl blocklist.de
      prerouting                                        drop                              3 309              42
 5    ;;; Attack from sbl spamhaus
      prerouting                                        drop                                  0               0

msatter · Thu Jun 22, 2017 9:33 am

I think that C-z in "0KiBC-z" stands for Compression gzip so it is there and now it is how to get that working for the .RSC
the C-z means "Control-Z to Pause", not compressed-zip

Hahahaha I know and on the moment I noticed that it was not funny because a lot of time went in. This is the part of my posting about it and what I put above it:

I see different data when downloading html or the dynamic.rsc when I test it on my own server:

Darn the whole bit below is obsolete because the things I though I could deduct, is bases on not cleared characters by RouterOS. The result is written on the same line as the line shown during transfer "-- [Q quit|D dump|C-z pause]" so I was mislead by what it seemed to state and I was looking for........GRRRRRRRRRRRRRRRR

Code: Select all

Chupaka · Thu Jun 22, 2017 10:02 am

The loop is to deal with older versions of RouterOS that would only remove the first item it found when using Find.

then consider using both =) first quickly remove for recent versions, then slow cleanup for older ones if necessary

IntrusDave · Thu Jun 22, 2017 4:40 pm

then consider using both =) first quickly remove for recent versions, then slow cleanup for older ones if necessary

I'll do that for the next release.

ilivlad · Thu Jun 22, 2017 6:19 pm

Hello!
Funny thing, when I run the script manually, it works, downloads the file and installs address entries but when scheduler runs it, it increases the run count but the script wont start.
I have other scripts running off scheduler without problems.

I have RB2011UiAS-2HnD, 6.39.2 (stable).

Screenshot from 2017-06-22 17-17-32.png

Screenshot from 2017-06-22 17-22-04.png

Deantwo · Fri Jun 23, 2017 12:06 pm

Minor typo in the 4th line.

##### Update your path, is you are using a USB Flash or other storage

I am thinking you meant to say "if you are using"

By the way, why is the default path "disk1/dynamic.rsc"?

Anyway, fun fun. I hadn't tried this before:

jun/23/2017 10:50:44 system,error,critical router was rebooted without proper shutdown
jun/23/2017 10:50:44 system,error,critical kernel failure in previous boot
jun/23/2017 10:50:44 system,error,critical out of memory condition was detected

My poor little RB750 doesn't seem to like it either way.

jun/23/2017 11:29:13 system,error,critical router was rebooted without proper shut
down by watchdog timer
jun/23/2017 11:42:31 system,error,critical router was rebooted without proper shut
down by watchdog timer

msatter · Sun Jun 25, 2017 1:36 am

Hi Dave, I have now completed the changed script after start-up/reboot of the router. As the dynamic address are all lost during reboot they don't have to be deleted.

In the updateBlacklist script I don't delete the dynamic.rsc file after importing so that they are still available after a new start-up/reboot. If the file does not exist then the normal updateBlacklist script is run so that the router is never without your dynamicBlacklist.

# Import Intrus Managed Filter Lists
# © 2016-2017 David Joyce, Intrus Technologies

##### DO NOT EDIT THE LINES BELOW ######
:local path "";
:local filename "dynamic.rsc"

##### Update your path, to where you have your storage
##### Examples: "disk1/"  or  "usb/" and the default is the temporary storage
#:local path "usb/"
:local path "disk1/"
:global datapath "$path$filename";
:delay 5;

##### Disable the log (We don't need 20k lines of adds and removes in the log
/system logging disable 0

##### Import the downloaded blacklist
:log warning "Importing saved file $datapath as dynamicBlacklist...";
:if ([:len [/file find name="$datapath"]] > 0) do={/import file-name="$datapath"};
:if ([:len [/file find name="$datapath"]] = 0) do={/system script run updateBlacklist};

##### Turn the logging back on
/system logging enable 0
:log warning "dynamicBlacklist $datapath imported.";

Update: reinserted

/system logging enable 0

so that logging is enabled again.

The :delay 5 is there because the router needs more time before reading the dynamic.rsc file.

vitorcsp · Sun Jun 25, 2017 3:16 am

Thanks!! Very good ...! i'll test in my RB450G

ronix · Sun Jun 25, 2017 10:30 am

it didn't work for me (CCR1016-12G)
error :
/tool fetch url="https://mikrotikfilters.com/updateBlacklist.rsc" mode=https;
status: failed

failure: connection timeout

msatter · Sun Jun 25, 2017 2:37 pm

Thanks!! Very good ...! i'll test in my RB450G

Thanks , however this has first have to be agreed, because Dave has also to change the original updateBlaclist so that dynamic.rsc is not erased after import. There can be a problem when the file is always President on devices with not much free space.

This version is safe as it looks if the quick start is available and then use that. If the quick start is not possible then it downloads the dynamic.rsc file and imports it.

I can't send Dave any kind of messages through the forum except by making posts. There is a button when I look at his profile but nothing happens when I click it.

IntrusDave · Mon Jun 26, 2017 6:32 pm

it didn't work for me (CCR1016-12G)
error :
/tool fetch url="https://mikrotikfilters.com/updateBlacklist.rsc" mode=https;
status: failed

failure: connection timeout

Connection Timout on that would imply that your IP may be blocked to start with.

IntrusDave · Mon Jun 26, 2017 6:39 pm

By the way, why is the default path "disk1/dynamic.rsc"?

because that is the default path of a USB or SATA drive. If the driver does not exist, it simply creates that path. This way the USB is used if it's there.

Anyway, fun fun. I hadn't tried this before:

jun/23/2017 10:50:44 system,error,critical router was rebooted without proper shutdown
jun/23/2017 10:50:44 system,error,critical kernel failure in previous boot
jun/23/2017 10:50:44 system,error,critical out of memory condition was detected

My poor little RB750 doesn't seem to like it either way.

jun/23/2017 11:29:13 system,error,critical router was rebooted without proper shut
down by watchdog timer
jun/23/2017 11:42:31 system,error,critical router was rebooted without proper shut
down by watchdog timer

I don't have any 32M units myself, but the blacklist stats show that 8 of them are currently pulling the list. It looks like it was a bad weekend for botnets as the list grew to 21,000 items. it may simply be too much for the smallest of routers.

IntrusDave · Mon Jun 26, 2017 7:05 pm

David, please consider including blocklist.de's block list. I've been using both your blocklist and the one from squidblacklist.org for a little bit and so far the only major difference is from blocklist.de. If you add that then I can drop squidblacklist.org.

Done.

IntrusDave · Mon Jun 26, 2017 9:03 pm

I rewrote the backend this morning. It now takes all of the sources and purges the /32's into the their corresponding subnet, if it is listed. it cut the size by 50%. it was in the 42,000 range, now back down to 21,000.

IntrusDave · Tue Jun 27, 2017 8:56 pm

Updated the script with the recommended remove code. It appears to speed the update process by 38~75 seconds on most routers.

msatter · Wed Jun 28, 2017 12:42 am

Thanks Dave for the update and looking at the code and that you told that older equipment only removed one line when using the modern method. I thought why not use that as an advantage and combine the old and new method into this:

##### Find the "dynamicBlacklist" entries and remove them
:while ([/ip firewall address-list find list="dynamicBlacklist"] != "") do={ /ip firewall address-list remove [find list="dynamicBlacklist"]};

The modern equipment only execute the command once and the older quipment would repeat it until there are no more dynamicBlacklist entries.

Replaces this:

##### Find the "dynamicBlacklist" entries and remove them
:log warning "Removing expiring address-list entries...";
/ip firewall address-list remove [find list="dynamicBlacklist"]

##### Remove again - Some older RouterOS versions wont catch them all with the above line.
:foreach i in=[/ip firewall address-list find ] \
   do={ :if ( [/ip firewall address-list get $i list] = "dynamicBlacklist" ) \
    do={ /ip firewall address-list remove $i } }

I can't test it on old equipment so I don't know if is even slower than the :foreach or that it does even work that way on the old stuff.

IntrusDave · Wed Jun 28, 2017 1:06 am

That looks like a nice clean solution. I'll test it out on the gear I have and then update the code. Thanks!

IntrusDave · Wed Jun 28, 2017 2:12 am

So far so good. Doesn't help the low end units much.
a quick test...

RB2011 - 123 seconds
CCR1016 - 25 seconds
RB1100AHx4 - 20 seconds
RB3011 - 33 seconds

....WOW! The new RB1100AHx4 is faster than a 16 core CCR.

msatter · Wed Jun 28, 2017 3:09 am

I expected a little improvement on the lower units because there is less code to execute. It excellent news that the older units can work with the code combined to one. Makes it all simpler and it fits in one line.

Lets hope it will work in all units and the list is growing fast lately and the list is over 25000 entries tonight.

amt · Wed Jun 28, 2017 8:35 am

thanks dave,
I updated code and working good..

msatter · Wed Jun 28, 2017 12:31 pm

I am testing a more flexible way to update however it seems that I am now throttled by the server. This is no problem however it does not throttle but gives a modified dynamic.rsc which reads:

:log error "Blacklist is updated at 10:00:00 UTC. Please update only once per day."
:log error "You have updated 7 times is the last 24 hours."
:log error "You will be able to update again in 24 hours."
 :for i from=1 to=3 step=1 do={
 :beep frequency=550 length=494ms;
   :delay 494ms;
   :beep frequency=400 length=494ms;
   :delay 494ms;
 }

The lines above is not show in the log and the present dynamicblacklist is removed. This leaves the router without the protection of your list.

Update: to avoid removing the present dynamicBlacklist if there is a throttle file downloaded:

##### Disable the log (We don't need 20k lines of adds and removes in the log
:log warning "Disabling info logging...";
/system logging disable 0

#### Get size of the downloaded file
:local fileSize [/file get [ find where name=$datapath] value-name=size];

##### Find the "dynamicBlacklist" entries and remove them
:if ($fileSize > 1000) do={:log warning "Removing expiring address-list entries..."} else={:log error "Using the old Blacklist. Look for info about this error in the log underneath."};
:if ($fileSize > 1000) do={:while ([/ip firewall address-list find list="dynamicBlacklist"] != "") do={ /ip firewall address-list remove [find list="dynamicBlacklist"]}};

##### Import the downloaded blacklist
:if ($fileSize > 1000) do={:log warning "Importing current Blacklist..."};
/import file-name="$datapath";

##### Find and remove the downloaded file
:log warning "Removing temp file...";
/file remove [find name=$datapath]

##### Turn the logging back on
:if ($fileSize > 1000) do={:log warning "Blacklist Update Complete."};
/system logging enable 0

I have taken the liberty to include the promising new remove code of the current dynamicBlacklist

jgro · Wed Jun 28, 2017 2:40 pm

David, please consider including blocklist.de's block list. I've been using both your blocklist and the one from squidblacklist.org for a little bit and so far the only major difference is from blocklist.de. If you add that then I can drop squidblacklist.org.
Done.

Thank you!

Unfortunately, it seems like you didn't get the same list as SBL (squidblacklist.org) uses, or you didn't merge the lists correctly. I've been tracking dropped packets by list, and I'm still seeing about 1 dropped packet from SBL's "blocklist.de" list for every 4 from your dynamicBlacklist. (I'm also seeing more hits from dshield, but that may just be a coincidence.) Please look into it when you have a chance.

IntrusDave · Wed Jun 28, 2017 7:49 pm

That could be just the update timing. Currently, my list collects the data a 5am PST and rebuilds then. several of the sources also rate limit, but I may be able to push it and rebuild it ever 6 hours. that may keep them more in sync.

Okay, I changed the cron job to run every 6 hours.

IntrusDave · Wed Jun 28, 2017 8:44 pm

I updated both the server and script to correct for the notification not displaying. I also changed the script so that the previous entries are not removed if the throttling kicks in. I would love to NOT have to throttle, but several people have set up their units to update every 5 minutes. at 2M each download multiplied by 40ish routers, every 5 minutes... Those routers were pulling 23G every day.

List is still dynamic and expires after 25 hours. This is to prevent false positives from hurting things for more than a day. (Some people were updating one a week, and complaining that false positives were not being removed quick enough)

msatter · Wed Jun 28, 2017 9:34 pm

I just ran to often the update so I got throttled and that is not a problem for me. I had to see what is happening and I adapted the script on my side to it and posted it here for you to see.
The messages in the error dynamic.rsc worked later and I incorporated that in my posting so that a clear message was left behind in the log and that not the blacklist was wiped before expiration time.

I now see why you are hesitant to keep the dynamic.rsc for a fast import on reboot despite it will be replaced by the next scheduled import. I wanted to combine the start-up schedule and the normal refresh schedule so that less administration is needed to setup and maybe the administration part can be automated depending on what kind of storage device is used.

Update: There goes the plan to have only one schedule: If interval is set to value other than 0 scheduler will not run at startup.

IntrusDave · Wed Jun 28, 2017 9:58 pm

That's why I have always had two scheduled tasks. One for Startup and one every 24 hours.

msatter · Wed Jun 28, 2017 11:13 pm

Hi Dave,

So I have updated the start-up schedule so that dynamic.rsc files older than one day are not imported from flash/disk1/usb and the normal updateBlacklist script is run.

# Import Intrus Managed Filter Lists
# © 2016-2017 David Joyce, Intrus Technologies

##### DO NOT EDIT THE LINES BELOW ######
:local path "";
:local filename "dynamic.rsc"

##### Update your path, to where you have your storage
##### Examples: "disk1/"  or  "usb/" and the default is the temporary storage
#:local path "usb/"
:local path "disk1/"
:global datapath "$path$filename";

##### Delay for 10 seconds to allow the WAN to come online after a reboot
:delay 10;

##### Disable the log (We don't need 20k lines of adds and removes in the log
/system logging disable 0

# Declaring and filling the date1 and date2 variable for calculating the time difference
:global globalDaysDiff
:local time [/system clock get time];
:local date [/system clock get date];
:global date2 ("$date" . " " . "$time");
:global date1 [/file get [ find where name=$datapath] value-name=creation-time];

# This script calculates difference between two dates
/system script run diffDate

##### Import the downloaded blacklist
:log warning "Importing saved file $datapath as dynamicBlacklist...";
 :if ([:len [/file find name="$datapath"]] > 0) do={:if ($globalDaysDiff != 0) do={:log error "dynamicBlacklist $datapath to old for fast import."} else={/import file-name="$datapath"}};

# Download Blacklist if there is no dynamic.rsc present 
:if ([:len [/file find name="$datapath"]] = 0) do={/system script run updateBlacklist};

##### Turn the logging back on
/system logging enable 0
:if ([:len [/file find name="$datapath"]] != 0) do={:log warning "dynamicBlacklist $datapath imported."} else={:log error "Nothing happened and no protection by dynamicBlacklist provided!"};

Next the script diffDate that calculates the needed difference between the creation date of dynamic.rsc and the current time:

       ### calculate diff between two dates - yoan tanguy 2017

# format: :global date1 "jan/05/2017 10:00:00";:global date2 "may/15/2018 12:30:00";/system script run diffDate

       
       # expected date format : month/day/year hours:minutes:seconds (ex: mar/14/2017 09:13:54)
       :global date1
       :global date2
       
       
       # date to array format :
       # m a r / 1 4 / 2 0 1 7     0  9  :  1  3  :  5  4
       # 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19
       :local date1month [:pick $date1 0 3]
       :local date1day [:pick $date1 4 6]
       :local date1year [:pick $date1 7 11]
       :local date1hours [:pick $date1 12 14]
       :local date1minutes [:pick $date1 15 17]
       :local date1seconds [:pick $date1 18 20]
       
       :local date2month [:pick $date2 0 3]
       :local date2day [:pick $date2 4 6]
       :local date2year [:pick $date2 7 11]
       :local date2hours [:pick $date2 12 14]
       :local date2minutes [:pick $date2 15 17]
       :local date2seconds [:pick $date2 18 20]
       
       
       # month to decimal converter - https://forum.mikrotik.com/viewtopic.php?t=58674
       :local months ("jan","feb","mar","apr","may","jun","jul","aug","sep","oct","nov","dec");
       :set date1month ([:find $months $date1month -1 ] + 1)
       :set date2month ([:find $months $date2month -1 ] + 1)
       
       
       :global globalDiff 
       :local yearDiff ($date2year - $date1year)
       :local monthDiff ($date2month - $date1month)
       :local dayDiff ($date2day - $date1day) 
       :local hoursDiff ($date2hours - $date1hours)
       :local minutesDiff ($date2minutes - $date1minutes)
       :local secondsDiff ($date2seconds - $date1seconds)
       
       
       # handle diff by converting in seconds, avoid negative hours/minutes/seconds (ex: jan/01/1970 09:00:00, jan/02/1970 08:00:00 must give 0 days 23:00:00 and not 1 days 0-1:00:00)
       # 1 days 23:30:10
       # 1*24*60*60 + 23*60*60 + 30*60 + 10
       # ($dayDiff * 24*60*60) + ($hoursDiff * 60*60) + ($minutesDiff *60) + $secondsDiff
       # ($dayDiff * 86400) + ($hoursDiff * 3600) + ($minutesDiff *60) + $secondsDiff
       :local secondsGlobalDiff
       :set secondsGlobalDiff (($dayDiff * 86400) + ($hoursDiff * 3600) + ($minutesDiff *60) + $secondsDiff)
       :set dayDiff ($secondsGlobalDiff / 86400)
       :set secondsGlobalDiff ($secondsGlobalDiff - ($dayDiff * 86400))
       :set hoursDiff ($secondsGlobalDiff / 3600)
       :set secondsGlobalDiff ($secondsGlobalDiff - ($hoursDiff * 3600))
       :set minutesDiff ($secondsGlobalDiff / 60)
       :set secondsGlobalDiff ($secondsGlobalDiff - ($minutesDiff * 60))
       :set secondsDiff $secondsGlobalDiff
       
       
       # check if date1 is older than date2 to avoid errors in calculation
       if ($yearDiff < 0) do={
           :return "error : date1 should be older that date2 (year check), exiting"
       } else={
           if ($yearDiff = 0) do={
               if ($monthDiff <0) do={
                   :return "error : date1 should be older that date2 (month check), exiting"
               } else={
                   if ($monthDiff = 0) do={
                       if ($dayDiff < 0) do={
                           :return "error : date1 should be older that date2 (day check), exiting"
                       } else={
                           if ($dayDiff = 0) do={
                               if ($hoursDiff < 0) do={
                                   :return "error : date1 should be older that date2 (hours check), exiting"
                               } else={
                                   if ($hoursDiff = 0) do={
                                       if ($minutesDiff < 0) do={
                                           :return "error : date1 should be older that date2 (minutes check), exiting"
                                       } else={
                                           if ($minutesDiff = 0) do={
                                               if ($secondsDiff < 0) do={
                                                   :return "error : date1 should be older that date2 (seconds check), exiting"
                                               }
                                           }
                                       }
                                   }
                               }
                           }
                       }
                   }
               }
           }
       }          
       
       
       # check if leap years - https://wiki.mikrotik.com/wiki/AutomatedBilling/MonthEndScript
       :local isYear1Leap 0
       :local isYear2Leap 0
       if ((($date1year / 4) * 4) = $date1year) do={
           :set isYear1Leap 1
       }
       if ((($date2year / 4) * 4) = $date2year) do={
           :set isYear2Leap 1
       }
       
       
       # find the right amount of days between 2 months
       :local daysInEachMonth ("31","28","31","30","31","30","31","31","30","31","30","31");
       :local daysInEachMonthLeapYear ("31","29","31","30","31","30","31","31","30","31","30","31");
       :local totalDaysBetweenMonths
       
       # same year; yearDiff = 0 so year1 = year2
       if ($yearDiff = 0 and $monthDiff >= 1) do={
           if ($isYear1Leap = 0) do={         
               for month from=($date1month - 1) to=($date2month - 1) step=1 do={
                   :set totalDaysBetweenMonths ($totalDaysBetweenMonths + [:pick $daysInEachMonth $month])
               }
           }
           if ($isYear1Leap = 1) do={
               for month from=($date1month - 1) to=(($date2month - 1) - 1) step=1 do={
                   :set totalDaysBetweenMonths ($totalDaysBetweenMonths + [:pick $daysInEachMonthLeapYear $month])
               }
           }
       }
       
       # different year, make concatenation of daysInEachMonth arrays first
       :local daysInEachMonthConcatenatedYears
       if ($yearDiff >= 1) do={
       
           for year from=$date1year to=$date2year step=1 do={
               # if leap year, concatenate the right daysInEachMonth array
               if ((($year / 4) * 4) = $year) do={
                   :set daysInEachMonthConcatenatedYears ($daysInEachMonthConcatenatedYears, $daysInEachMonthLeapYear)
               } else={
                   :set daysInEachMonthConcatenatedYears ($daysInEachMonthConcatenatedYears, $daysInEachMonth)
               }
           }
           
           # must add years count 
           for month from=($date1month - 1) to=(($date2month - 1)  + (($yearDiff * 12) - 1)) step=1 do={
               :set totalDaysBetweenMonths ($totalDaysBetweenMonths + [:pick $daysInEachMonthConcatenatedYears $month])
           }
       }
       
       :global globalDaysDiff ($totalDaysBetweenMonths + $dayDiff)
       
       
       # add leading zeros if necessary
       :if ($hoursDiff < 10) do={
           :set hoursDiff ("0" . $hoursDiff)
       }
       :if ($minutesDiff < 10) do={
           :set minutesDiff ("0" . $minutesDiff)
       }
       :if ($secondsDiff < 10) do={
           :set secondsDiff ("0" . $secondsDiff)
       } 
       :local d "d"
       :set globalDiff "$globalDaysDiff$d$hoursDiff:$minutesDiff:$secondsDiff"
       :put $globalDiff

So now maybe you can consider to keep the dynamic.rsc between updates and so avoid traffic by rebooting devices and people that run the update script every 5 minutes. The update script would than be updated with the same code and will warn people that they are wearing out their memory by those obsolete updates.

For other users of the script please wait until Dave had his say about this and wait for his updates and do not use this code unless you know what you are doing!!

jgro · Thu Jun 29, 2017 3:05 am

Hi Dave,

So I have updated the start-up schedule so that dynamic.rsc files older than one day are not imported from flash/disk1/usb and the normal updateBlacklist script is run.

I think you need to check that you have a reliable date in the first place. It can be a while between boot up and acquiring the current date and time. I would not count on a simple delay being enough, I would sanity check the date.

IntrusDave · Thu Jun 29, 2017 7:30 am

I think you need to check that you have a reliable date in the first place. It can be a while between boot up and acquiring the current date and time. I would not count on a simple delay being enough, I would sanity check the date.

I second that. If I've learned anything about RouterOS, it's that you can NOT trust the date and time at boot. I have several routers that take up to 20 minutes before the time is synced correctly.

As for bandwidth, it's not an issue for me. I have a gigabit connection with no metering. The router throttles each incoming IP to 100mbps. Also, the server compresses the list when it sends it, so it's typically only a few hundred kb. Also, I don't want to store the 2~4mb list on the flash because some of the units out there only have 16M and even then, those only normally have about 5M free. This leaves no room for updates. BUT - you are welcome to change the script in anyway you like, I just ask that the fetch isn't changed.

Actually, I was thinking of collecting Total and Free disk space - but I'm not sure how people will feel about that. I wonder if I can make a poll on the forum...

msatter · Thu Jun 29, 2017 11:52 am

I am taking the time of the file that is downloaded by daily updateBlacklist so that is constant. Indeed the current time is a problem if it is not current.

About the compression by the server. I tested it by my own server and I did not see the device using compression and I have to look with Wireshark if that is also the case with your server.

The flash I had already a routine for to not keep the dynamic.rsc for those flash devices and it can be overruled by and variable set by user to ignore that and keep the dynamic.rsc anyway. I did not put that in this version.

I am going to look if the code can be more streamlined because I have the impressing I am doing thing twice.

msatter · Thu Jun 29, 2017 12:34 pm

Mikrotik thought of the problem and came up with a solution:

Since v6.16 the current time is saved in the system configuration on reboot and on clock adjustment and is used to set the initial time after reboot.
Benefits:
Router doesn't need direct access to internet and public NTP servers
Allow control of a primary source of clock for your router on only two main routers (primary and secondary)
It can reduce traffic and the load of some public NTP servers by local time caching

Source: https://wiki.mikrotik.com/wiki/Setup_local_NTP_servers

We are thinking here in days not minutes and seconds to decide if a file should be declared outdated. We catching reboots and but also devices set to a higher scheduled update than a day.
Starts of a device can lead to false positives but that will be corrected on the next scheduled run of updateBlacklist.

Still to do flash only devices and automatic recognize flash (default), disk1 or USB. Check if scheduled can be imported set to time of 10 UTC + random time for spreading the load the server.

I have sent support a mail for clarification, on if fetch support deflate/compress and do use that advantage?

Update: I have tested it again and despite the site that checks if the connection is compressed gives an OK on the file the Mikrotik does not use it. I have forced the file to be transmitted compressed by Apache but the Mikrotik did not decompress it.

msatter · Thu Jun 29, 2017 4:37 pm

To automatic select the location for dynamic.rsc can be archived with the following code:

:if ([:len [/file find name="flash"]] != 0) do={set datapath "dynamic.rsc"};
:if ([:len [/file find name="disk1"]] != 0) do={set datapath "disk1/dynamic.rsc"};
:if ([:len [/file find name="disk2"]] != 0) do={set datapath "disk2/dynamic.rsc"};
:if ([:len [/file find name="disk3"]] != 0) do={set datapath "disk3/dynamic.rsc"};
:if ([:len [/file find name="usb"]] != 0) do={set datapath "usb/dynamic.rsc"};
:log info "Default location for Blacklist is: $datapath";

Extended with a check on free space and the minimal free space is 3MB to be selected.

:if ([:len [/file find name="flash"]] != 0)  do={:if ([/system resource get free-hdd-space] > 3000000)  do={set datapath "dynamic.rsc"}};
:if ([:len [/file find name="disk1"]] != 0) do={:if ([/disk get [ find where name="disk1"] value-name=free] > 3000000) do={set datapath "disk1/dynamic.rsc"}};
:if ([:len [/file find name="disk2"]] != 0) do={:if ([/disk get [ find where name="disk2"] value-name=free] > 3000000) do={set datapath "disk2/dynamic.rsc"}};
:if ([:len [/file find name="disk3"]] != 0) do={:if ([/disk get [ find where name="disk3"] value-name=free] > 3000000) do={set datapath "disk3/dynamic.rsc"}};
:if ([:len [/file find name="usb"]] != 0) do={:if ([/disk get [ find where name="usb"] value-name=free] > 3000000) do={set datapath "usb/dynamic.rsc"}};
:log info "Default save locationwith 3MB free  for Blacklist is: $datapath";

The Blacklist has become very long but it works and can say that every minute at least one or more block are made by the list on my Mikrotik.

msatter · Fri Jun 30, 2017 2:00 am

Result from today's Blacklist is 1808 packets caught by the list and above that one I filter connection made to services that I don't have and that were 1474 packets. So in total almost 3300 unwanted connections in one day and four hours. Most of the Blacklist packages came for port 25 to deliver unwanted stuff, so Spamassin is having now a kind of vacation.

msatter · Fri Jun 30, 2017 11:14 am

Collecting how many packets are blocked by the Blacklist:

#### Share how many packets are blocked by the Blacklist on your device
:local filterdownBlacklist "0";
:local rawdownBlacklist "0";
:local filterupBlacklist "0";
:local rawupBlacklist "0";

##### downstream
:if ([:len [/ip firewall filter find src-address-list="dynamicBlacklist"]] != 0)  do={set filterdownBlacklist [/ip firewall filter get [ find src-address-list="dynamicBlacklist"] packets]}  else={set filterdownBlacklist "0"};
:if ([:len [/ip firewall filter find src-address-list="dynamicBlacklist"]] != 0)  do={/ip firewall filter reset-counters numbers=[find src-address-list="dynamicBlacklist"]};
:if ([:len [/ip firewall raw find src-address-list="dynamicBlacklist"]] != 0)  do={set rawdownBlacklist [/ip firewall raw get [ find src-address-list="dynamicBlacklist"] packets]} else={set rawdownBlacklist "0"};
:if ([:len [/ip firewall raw find src-address-list="dynamicBlacklist"]] != 0)  do={/ip firewall raw reset-counters numbers=[find src-address-list="dynamicBlacklist"]};

##### upstream
:if ([:len [/ip firewall filter find dst-address-list="dynamicBlacklist"]] != 0)  do={set filterupBlacklist [/ip firewall filter get [ find dst-address-list="dynamicBlacklist"] packets]}  else={set filterupBlacklist "0"};
:if ([:len [/ip firewall filter find dst-address-list="dynamicBlacklist"]] != 0)  do={/ip firewall filter reset-counters numbers=[find dst-address-list="dynamicBlacklist"]};
:if ([:len [/ip firewall raw find dst-address-list="dynamicBlacklist"]] != 0)  do={set rawupBlacklist [/ip firewall raw get [ find dst-address-list="dynamicBlacklist"] packets]} else={set rawupBlacklist "0"};
:if ([:len [/ip firewall raw find dst-address-list="dynamicBlacklist"]] != 0)  do={/ip firewall raw reset-counters numbers=[find dst-address-list="dynamicBlacklist"]};

#### Begin download of current blacklist
:log warning "Downloading current Blacklist for model $model $ver";
/tool fetch mode=https dst-path="$datapath" \
   url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid&filterdown=$filterdownBlacklist&rawdown=$rawdownBlacklist&filterup=$filterupBlacklist&rawup=$rawupBlacklist";

After collecting the numbers, each packets counter in Filters and RAW are reset to zero. In this way you won't get double countings on the next update of the Blacklist.

.....done enough for now and going to do other things.

....added later the upstream so that is also counted..............

IntrusDave · Fri Jun 30, 2017 5:53 pm

Today’s update is going to be huge. Not sure when I will push it it out though. I am rewriting the backend that builds the list. I will be pushing out 3 lists soon.

Small - about 750kb - intended for home users
Standard - about 2M - intended for businesses
Full - about 14M - intended for internet servers

Admins will need to choose wisely as the full list will fill the drive on many units and will cause out of memory panics on the small units.

The full list is currently about 114,000 entries. It pulls from many more sources and i would recommend building a whitelist for use with it as you may end up locked out or remote management if you are on a home IP.

The standard is what we have been using.

The small will average about 7000 to 8000 subnets and ips. Primarily C&C and botnets.

The new script will allow you to select the list you want.

Chupaka · Fri Jun 30, 2017 6:01 pm

were there thoughts about BGP feed?..

IntrusDave · Fri Jun 30, 2017 7:04 pm

were there thoughts about BGP feed?..

Too much work

IntrusDave · Sat Jul 01, 2017 3:25 am

The new backend and script are live. Make sure you read the comments and select the correct script for your router.
*** DO NOT SELECT THE LARGE LIST FOR ROUTERS WITH LESS THAN 20M FREE DISK OR LESS THAN 256M Memory! ***

Recommendation:

Routers with 32M~128M memory - "small" list
Routers with 256M~512M memory - "medium" list
Routers with 1G memory and up - "large" list

msatter · Sat Jul 01, 2017 10:32 am

The new backend and script are live. Make sure you read the comments and select the correct script for your router.
*** DO NOT SELECT THE LARGE LIST FOR ROUTERS WITH LESS THAN 20M FREE DISK OR LESS THAN 256M Memory! ***

Recommendation:

Routers with 32M~128M memory - "small" list
Routers with 256M~512M memory - "medium" list
Routers with 1G memory and up - "large" list

Thanks for your great work! I had to make a minor correction to version 2017.7.1d, and propose a modification to give more info to the person who is checking the log.

#### Select your list size ####
#### large - 10 to 20 Megabyte download - 100k+ entries - intended for firewalls protecting internet servers
#### medium - 2 to 5 Megabyte download - 40k+ entries - intended for corporate networks
#### small - 200 to 700 Kilobyte download - 2k+ entries - intended for networks with no open ports

#### Begin download of current blacklist
:log warning "Downloading current $listSize sized Blacklist for this model";
/tool fetch mode=https dst-path="$datapath" \
url="https://mikrotikfilters.com/download.ph ... id=$softid";
:local fileSize [/file get [ find where name=$datapath] value-name=size];

eddieb · Sat Jul 01, 2017 10:37 am

Collecting how many packets are blocked by the Blacklist:

#### Share how many packets are blocked by the Blacklist on your device
:local filterBlacklist "0";
:local rawBlacklist "0";

:if ([:len [/ip firewall filter find src-address-list="dynamicBlacklist"]] != 0)  do={set filterBlacklist [/ip firewall filter get [ find src-address-list="dynamicBlacklist"] packets]}  else={set filterBlacklist "0"};
:if ([:len [/ip firewall filter find src-address-list="dynamicBlacklist"]] != 0)  do={/ip firewall filter reset-counters numbers=[find src-address-list="dynamicBlacklist"]};
:if ([:len [/ip firewall raw find src-address-list="dynamicBlacklist"]] != 0)  do={set rawBlacklist [/ip firewall raw get [ find src-address-list="dynamicBlacklist"] packets]} else={set rawBlacklist "0"};
:if ([:len [/ip firewall raw find src-address-list="dynamicBlacklist"]] != 0)  do={/ip firewall raw reset-counters numbers=[find src-address-list="dynamicBlacklist"]};

#### Begin download of current blacklist
:log warning "Downloading current Blacklist for model $model $ver";
/tool fetch mode=https dst-path="$datapath" \
   url="https://mikrotikfilters.com/download.php?get=dynamic&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid&filter=$filterBlacklist&raw=$rawBlacklist";

After collecting the numbers, each packets counter in Filters and RAW are reset to zero. In this way you won't get double countings on the next update of the Blacklist.

Hi, interesting scripting ...
I tried it as a separate script in the following way :

#### Share how many packets are blocked by the Blacklist on your device
:local filterBlacklist "0";
:local rawBlacklist "0";

:if ([:len [/ip firewall filter find src-address-list="dynamicBlacklist"]] != 0)  do={set filterBlacklist [/ip firewall filter get [ find src-address-list="dynamicBlacklist"] packets]}  else={set filterBlacklist "0"};
:if ([:len [/ip firewall filter find src-address-list="dynamicBlacklist"]] != 0)  do={/ip firewall filter reset-counters numbers=[find src-address-list="dynamicBlacklist"]};
:if ([:len [/ip firewall raw find src-address-list="dynamicBlacklist"]] != 0)  do={set rawBlacklist [/ip firewall raw get [ find src-address-list="dynamicBlacklist"] packets]} else={set rawBlacklist "0"};
:if ([:len [/ip firewall raw find src-address-list="dynamicBlacklist"]] != 0)  do={/ip firewall raw reset-counters numbers=[find src-address-list="dynamicBlacklist"]};

:log warning "Count filterBlacklist=$filterBlacklist rawBlacklist=$rawBlacklist";

BUT the counters are NOT reset and the log displays zeroes ...

any suggestions ?

msatter · Sat Jul 01, 2017 10:55 am

Hi, interesting scripting ...
I tried it as a separate script in the following way :
Code: Select all
:log warning "Count filterBlacklist=$filterBlacklist rawBlacklist=$rawBlacklist";
BUT the counters are NOT reset and the log displays zeroes ...

any suggestions ?

Try:

:log warning "Count filterBlacklist= $filterBlacklist rawBlacklist= $rawBlacklist";

yes, scripting in the Mikrotik is a PITA. I have that experienced that enough in the last week.

I have also updated the script to catch the upstream blocks: viewtopic.php?f=9&t=98804&p=605898#p605796 and the variable names changed accordingly.

eddieb · Sat Jul 01, 2017 11:00 am

tnx,

scripting can be a pain, sometimes it just does not work ...

Count filterBlacklist=0 rawBlacklist=30

it works

msatter · Sat Jul 01, 2017 11:14 am

tnx,

scripting can be a pain, sometimes it just does not work ...
Code: Select all
Count filterBlacklist=0 rawBlacklist=30
it works

This only for private use on the moment and if you only want to know the score remove the reset lines. When Dave is ready for more statistics then he can implement it.

I am still thinking about how to extrapolate the data when a there was a router reset in that period.

msatter · Sun Jul 02, 2017 11:49 am

So thinking on collection more information about the effectiveness of the Blacklist you can also collect the gmt-offset from /system clock so that you can see in which time zone the data is collected.

To get a idea how the effectiveness of Blacklist is between the previous download and the new download packets numbers could be collected every hour. Your can then see how the degradation is of the Blacklist and if there is a significant degradation decide to increase or decrease the updates. These should be only the downstream (incoming) figures and not the more private sensitive info of the upstream (outgoing). This can also, be a consideration with collecting the 24 hour data were I wrote about earlier.

:local timeOffset  [/system clock get value-name=gmt-offset];

The output is 7200 seconds so that is +2 hours in my case.

To get the only one or two variable(s) for the 48 (filter+raw) numbers to be transferred separately you can concatenate them in one or two strings so that you can transfer it when you collecting technical data of the router.

msatter · Sun Jul 02, 2017 6:12 pm

To collect and save the data so that it can survive a reboot an hourly script can be scheduled that executes the following script:

##### Read the save statistics
/import file blacklist.rsc
:global statsFilterBlacklist;
:global statsRAWBlacklist

##### Get current time and set filename to keep statistics
:local date [/system clock get date];
:local time [/system clock get time];
:local filename "blacklist.rsc";

##### Collect and reset packet counters
:if ([:len [/ip firewall filter find src-address-list="dynamicBlacklist"]] != 0)  do={set filterdownBlacklist [/ip firewall filter get [ find src-address-list="dynamicBlacklist"] packets]}  else={set filterdownBlacklist "0"};
:if ([:len [/ip firewall filter find src-address-list="dynamicBlacklist"]] != 0)  do={/ip firewall filter reset-counters numbers=[find src-address-list="dynamicBlacklist"]};
:if ([:len [/ip firewall raw find src-address-list="dynamicBlacklist"]] != 0)  do={set rawdownBlacklist [/ip firewall raw get [ find src-address-list="dynamicBlacklist"] packets]} else={set rawdownBlacklist "0"};
:if ([:len [/ip firewall raw find src-address-list="dynamicBlacklist"]] != 0)  do={/ip firewall raw reset-counters numbers=[find src-address-list="dynamicBlacklist"]};

#### Build new stats string
:local newStatsFilterBlacklist "$statsFilterBlacklist" . " " . "$filterdownBlacklist";
:local newStatsRAWBlacklist "$statsRAWBlacklist" . " " . "$rawdownBlacklist";
:local newStatDate ("$date" . " " . "$time");

:local writeString ":global $lastStatDate;" . ":global statsFilterBlacklist $newStatsFilterBlacklist;" . " " . ":global statsRAWBlacklist "$StatsRAWBlacklist";

/file set $filename content=$writeString;

Some thoughts. This script can possible collide with the updateBlacklist script and to notice that the blacklist.rsc can be deleted on reading for sending. This script should not execute on that instance and a new blacklist.rsc should be recreated with time plus the two strings without any numbers in it.

Example of the blacklist.rsc statiscs file:

:global lastStatDate "jul/02/2017 15:49:19"; :global statsFilterBlacklist "1 2 3 4 5 6 7 8 9"; :global statsRAWBlacklist "0 9 8 7 6 5 4 3 2 1";

The file supplies the last sample date and time and maybe a the gmt-offset can sync the data with other available data already in the database.

I have not tested the code so please check on syntax and typing errors.

jgro · Mon Jul 03, 2017 5:24 am

I have modified the scripts in a few ways and am publishing the modified scripts here for whoever wants them. @IntrusDave is welcome to incorporate them into his script or not.

Renamed globals so as not to interfere with other scripts
Added lots of error handling and corresponding error logging
Keep downloaded list for reinstall after reboot
Split script into 2 scripts, a download script and an install script, so I can just run the install script at boot time
Formatted for 1 statement per line, 2 space indent per block

Note that because the scripts use globals to communicate, they need policy permission in addition to the read, write, and test permissions that IntrusDave's script needs.

The update script downloads the list and calls the install script if successful:

# https://forum.mikrotik.com/viewtopic.php?f=9&t=98804

# Import Intrus Managed Filter Lists
# CUSTOMIZED by jgro, different globals, do not simply replace with update from Intrus
# © 2016-2017 David Joyce, Intrus Technologies

##### Update your path, is you are using a USB Flash or other storage
##### Examples:
##### "disk1/dynamic.rsc"  or  "usb/dynamic.rsc"  or  "dynamic.rsc"

:global intrusPath  "disk1/dl/dynamic.rsc"

#### Select your list size ####
#### large - 10 to 20 Megabyte download - 100k+ entries - intended for firewalls protecting internet servers
#### medium - 2 to 5 Megabyte download - 40k+ entries - intended for corporate networks
#### small - 200 to 700 Kilobyte download - 2k+ entries - intended for networks with no open ports

:local listSize "medium"


###### DO NOT EDIT BELOW THIS POINT ######

##### Delay for 10 seconds to allow the WAN to come online after a reboot
#:log warning "Blacklist update in 10 seconds";
#:delay 10

##### Pull info to report to the server, used to download the correct list as well as stats collecting
##### software ID is used as the unique ID on the server side, this allows us to identify different 
##### routers behind a NAT router. Please do not remove it.
:local model    [/system resource get board-name]
:local version   [/system resource get version]
:local memory   [/system resource get total-memory]
:local uname   [/system identity get name]
:local softid        [/system license get software-id]

:if ($model = "CHR") do={
  :local temp [/system license get system-id]
  :for i from=0 to=([:len $temp] - 1) do={ 
     :local char [:pick $temp $i]
     :if ($char = "/") do={ :set $char "-" }
     :set softid ($softid . $char)
   }
}
:if ($model !="CHR") do={
  :global softid [/system license get software-id]
}

:local scriptVer   2017.7.1d

##### Scrub the device name and version to prevent http errors
:local name ""
:local ver ""

:for i from=0 to=([:len $uname] - 1) do={ 
  :local char [:pick $uname $i]
  :if ($char = " ") do={ :set $char "%20" }
  :set name ($name . $char)
}

:for i from=0 to=([:len $version] - 1) do={ 
  :local char [:pick $version $i]
  :if ($char = " ") do={
    :set $char "%20"
  }
  :set ver ($ver . $char)
}

#### Begin download of current blacklist
:local fileSize
:log warning "Downloading current Intrus dynamicBlacklist for this model";
:do {
  :do { 
    /tool fetch mode=https dst-path="$intrusPath" \
     url="https://mikrotikfilters.com/download.php?get=$listSize&model=$model&version=$ver&memory=$memory&id=$name&ver=$scriptVer&softid=$softid";

    :set fileSize [/file get [ find where name=$intrusPath] value-name=size];
    :if ($fileSize < 500) do={
      :log error "IntrusBL download is too small"
      :error "IntrusBL download is too small"
    }
  } on-error={
    :log error  "FAILED to download Intrus dynamicBlacklist"
    /system script run "play-alert-sound"
  }

  :if ($fileSize > 500) do={
    /system script run import-intrus-block-list  
  }
} on-error { 
 :log error "FAILED to update Intrus dynamicBlacklist";
}

The import script does the import, and can be run at boot time (if you have saved the list somewhere) before the network even comes up:

##### Update your path, is you are using a USB Flash or other storage
##### Examples:
##### "disk1/dynamic.rsc"  or  "usb/dynamic.rsc"  or  "dynamic.rsc"

:global intrusPath 

:log warning "Starting import of Intrus dynamicBlocklist"

# intrusPath  set by code that does the fetch
# set fallback in case it is unset
:if ("x$intrusPath " = "x") do={
  :set intrusPath  "disk1/dl/dynamic.rsc"
  :log warning "Importing dynamicBlacklist from fallback location: $intrusPath"
}

:if ([/file find name=$intrusPath ] = "") do= {
  :error "FAILED: Importing dynamicBlacklist: file not found: $intrusPath "
}

##### Disable the log (We don't need 20k lines of adds and removes in the log)
:log warning "Disabling info logging while loading dynamicBlacklist...";
:log info "Disabling info logging while loading dynamicBlacklist...";
/system logging disable 0

##### Find the "dynamicBlacklist" entries and remove them
:local status "failed"
:local fileSize [/file get [ find where name=$intrusPath] value-name=size];
:if ($fileSize > 500) do={
  :log warning "Removing expiring address-list entries...";
  /ip firewall address-list remove [find list="dynamicBlacklist"]

  ##### Import the downloaded blacklist
  :log warning "Importing downloaded dynamicBlacklist from $intrusPath ";

  do { 
    /import $intrusPath
    :set status "success"
  } on-error { 
    :log warning "FAILED to import $intrusPath "
  }

####### Find and remove the downloaded file
###:log warning "Removing dynamicBlacklist temp file...";
###/file remove [find name=$intrusPath ]

} else= { :log warning "Intrus blacklist file $intrusPath too small ($fileSize), aborting" }

##### Turn the logging back on
/system logging enable 0
:log warning "info logging enabled"
:log info "info logging enabled";

:if ($status = "success") do={ 
  :log warning "Intrus dynamicBlacklist Update Complete.";
} else={
  :error "FAILED to update Intrus dynamicBlacklist"
}

The script also calls a "play-alert-sound" script for a big problem. You can make an empty one or use this one stolen from Dave:

:log warning "Playing alert sound"
 :for i from=1 to=3 step=1 do={
 :beep frequency=550 length=494ms;
   :delay 494ms;
   :beep frequency=400 length=494ms;
   :delay 494ms;
 }