Email notification about the Blacklist

Hello!
I would like to create a script that sends an email if an IP address on the local network is added to the blacklist.
The blacklists are available; the addresses are dynamically added to them from the firewall rules.
I have created a local address list, and the comparison is already working. Now somehow I can't write the IP variable in the email. Can you help me see what I am doing wrong?

:local list1 [ip firewall address-list print where list="internal"];
:local list2 [ip firewall address-list print where list="brute_forcers_blacklist"];
:local ips1 ;
:local ips2 ;
:local emailAddress "mail@gmail.com"
:local EmailText;
:local systemName [system identity get name];
:local dateBlock [system clock get date] ;
:local timeBlock [system clock get time] ;
:local CreateTime;
:local SendError 0;
:local blackIP;


:foreach i in=$list1 do={
    :set ips1 ($ips1 . $i->"address" . ",");
}

:foreach i in=$list2 do={
    :set ips2 ($ips2 . $i->"address" . ",");
}

:if ( [:find $ips1 $ips2] = -1 ) do={
    :put "Nincs azonos IP cím.";
} else={
    :put "Van azonos IP cím.";
    :log info "IP"
    :foreach ip in={$ips1;ips2} do={
        :set blackIP [ip firewall address-list find where .id address=$ip list="internal"];
        :set EmailText ($EmailText."IP [$blackIP] Has been added to the BlackList\r\n");
        :put "Van azonos IP cím.";
        :log info IP2;
        :log info $ip;
    }
}
:if ([:len $EmailText] > 0) do={
    :do {
        tool e-mail send to="$emailAddress" subject="$systemName Security Notice" body="$systemName Security Notice\r\nRuning Time: $dateBlock - $timeBlock\r\n\r\n$EmailText"
    } on-error={
        log error "$systemName Security Notice : Failed to send email.";
    }
}

“internal” mean ur local networks?

print ‘as-value’:

:local list1 [/ip firewall address-list print as-value where list="internal"];

Also, what’d u compare here?

:if ([:find $ips1 $ips2] = -1) do={
 :put "Nincs azonos IP cím.";
}

print is for print on terminal, you must use find, some rare exceptions exist, but this is not the case.

Start script:

how many ip on blacklist?
same as previous check?
do nothing.

how many ip on blacklist?
more than previous check?
send one mail with all added IP on the list after the last known number.

Done.

Consideration:

The IP on blacklist are static?
On bootup set the correct number of IP on blacklist or the script send all IPs by mail.

The IPs are dynamic and not kept?
Ignore the variable initialization

The IPs are dynamic but are autodeleted?
Too complex: you must create an alternative address list in which to put all addresses already advised by mail.
Do not do that.

Hello! The BlackList is dynamically created, in which the addresses are entered by firewall rules. (ddos, portscan, etc.)
And there is a Fixed address list that contains local network addresses.
The goal would be to send an email if for some reason an address that is included in the local address list is blacklisted.
I made another script. My problem is that I'm not very professional in programming. Until then, I compare the 2 address lists, but I can't read which is the IP address.

:log info "Email Notification Starting";
:local AlertIPs;
:local InternalIPs;
:local blackIPs;
:local emailAddress "mail@mail.com"
:local EmailText;
:local systemName [system identity get name];
:local dateBlock [system clock get date] ;
:local timeBlock [system clock get time] ;
:local BlackList [ip firewall address-list find where .id list="brute_forcers_blacklist"];
:local PortScan [ip firewall address-list find where .id list="port scanners"];
:local Internal [ip firewall address-list find where .id list="internal"];
:log info "Local Loading";

:foreach InternalID in=$Internal do={
    :set InternalIPs ($InternalIPs.[ip firewall address-list get $InternalID address].";")
}
:log info "Internal IPs $InternalIPs";

:foreach PortScanID in=$PortScan do={
    :set AlertIPs ($AlertIPs.[ip firewall address-list get $PortScanID address].";")
}
:log info "PortScanIPs $AlertIPs";

:foreach BListID in=$BlackList do={
    :set blackIPs ($blackIPs.[ip firewall address-list get $BListID address].";")
}
:if ( [:find $InternalIPs $blackIPs] = -1 ) do={
    :put "Nincs azonos IP cím.";
} else={
    :put "Van ip";
}

:if ([:len $EmailText] > 0) do={
    :do {
        tool e-mail send to="$emailAddress" subject="$systemName Security Notice" body="$systemName Security Notice\r\nRuning Time: $dateBlock - $timeBlock\r\n\r\n$EmailText"
    } on-error={
        log error "$systemName Security Notice : Failed to send email.";
    }
}
:log info "Notification Finish"

Like email me when some of my customer(localnet) trying to DDOS my server?

Yes! Unfortunately, such a case can happen if one of the employees inhales a virus or is just trying to be smart on the network.
In this case, for example, the machine has been banned from the network due to brute force or port scan.

If some IP inside "internal" address-list is also present on "brute_forcers_blacklist" address-list, send one unique email with all correspondences:
{
/system
:local systemName [identity get name]
:local dateBlock [clock get date]
:local timeBlock [clock get time]
:local emlAdd "mail@gmail.com"
:local EmailText ""

/ip firewall address-list
:foreach i in=[find where list="internal"] do={
    :local search [find where ((list="brute_forcers_blacklist") and ((address in [get $i address]) or (address=[get $i address])))]
    :if ([:len $search] > 0) do={
        :local arrip ({})
        :foreach j in=$search do={
            :set arrip ($arrip,[get $j address])

            # for also remove, at the same time, the address from the list brute_forcers_blacklist, uncomment next line:
            # remove $j

        }
        :set EmailText ($EmailText."IP $[:tostr $arrip] has been found on the BlackList\r\n")
    }
}
:if ($EmailText != "") do={
    :do {
        /tool e-mail send to=$emlAdd subject="$systemName Security Notice" \
        body="$systemName Security Notice\r\nRuning Time: $dateBlock - $timeBlock\r\n\r\n$EmailText"
    } on-error={
        :log error "$systemName Security Notice: Failed to send email."
    }
}

}

Thanks for the help.
Unfortunately, the IP address is not returned in the text of the email
This comes in an email:

Security Notice
Runing Time: jan/31/2023 - 13:47:11

IP [get *6423B6 address] Has been added to the BlackList

fixed the previous script.

Thank you very much for your help. I would like to request one more minor modification if possible.
If it says 192.168.86.0/24 in the address list, then you will not find 192.168.86.120 in the blacklist. Would this still be complicated to solve?

fixed the previous script.

Not if I add the local address list to a domain, then if an IP address is entered within the given domain, it will be notified. Like the search engine of WinBox when I search for the address and constants. I attach a picture of what I mean.
[Attached screenshot: Képernyőkép 2023-01-31 143631.png]

I know I’m getting to be a lot. But again, thank you very much for your help. One last and really the last.
You are now emailing this
IP 192.168.69.0/24 Has been added to the BlackList
But I need this
IP 192.168.69.160 Has been added to the BlackList

fixed the previous script.

Internal address: 192.168.69.0/24

/system script> run brute_force_notification
invalid internal item number
Unfortunately it doesn't run with this error :(

fixed the previous script, check again

Hello! Thank you for helping. Unfortunately, I tested the code, but it still sends an email when there is no matching IP.

Ah… right, I fix the script immediately…

Thank you very much for your help! :)
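The matching this thread converges on (a blacklisted address counts as internal when it falls inside an "internal" entry such as 192.168.69.0/24, and the alert names the blacklisted IP rather than the subnet) can be checked off-router. The following is an added example, not code from any poster: the function names, the `(list, address)` tuple input and the sample entries are assumptions constructed for illustration, and it handles IPv4 only. It also shows why a substring search over two joined strings, as in the first post, reports no match, and goes one step further by keeping a set of already-reported addresses so a repeated run sends nothing new.

```python
import ipaddress

def parse_entry(text):
    """Bounds (first, last) as integers for one address-list entry:
    a single IPv4 address, a CIDR prefix, or a 'start-end' range."""
    if "-" in text:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in text.split("-", 1))
        return int(lo), int(hi)
    net = ipaddress.ip_network(text, strict=False)
    return int(net.network_address), int(net.broadcast_address)

def overlaps(a, b):
    """True when two (first, last) ranges share at least one address."""
    return a[0] <= b[1] and b[0] <= a[1]

def blacklisted_internal(entries, internal="internal",
                         blacklist="brute_forcers_blacklist"):
    """Blacklist addresses that fall inside any internal entry, sorted."""
    inside = [parse_entry(a) for name, a in entries if name == internal]
    hits = {a for name, a in entries
            if name == blacklist
            and any(overlaps(parse_entry(a), r) for r in inside)}
    return sorted(hits, key=parse_entry)

def naive_find(entries, internal="internal",
               blacklist="brute_forcers_blacklist"):
    """Join each list into one string and substring-search one in the other."""
    s1 = "".join(a + "," for name, a in entries if name == internal)
    s2 = "".join(a + "," for name, a in entries if name == blacklist)
    return s1.find(s2) != -1

def new_alerts(hits, already_notified):
    """Addresses not reported before; records them so they are sent once."""
    fresh = [h for h in hits if h not in already_notified]
    already_notified.update(fresh)
    return fresh

# Constructed sample data (not taken from a real router).
SAMPLE = [
    ("internal", "192.168.69.0/24"),
    ("internal", "10.0.0.5"),
    ("brute_forcers_blacklist", "192.168.69.160"),
    ("brute_forcers_blacklist", "203.0.113.7"),
    ("brute_forcers_blacklist", "10.0.0.5"),
]

if __name__ == "__main__":
    seen = set()
    print("naive substring match:", naive_find(SAMPLE))
    for ip in new_alerts(blacklisted_internal(SAMPLE), seen):
        print(f"IP {ip} has been found on the BlackList")
```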