Hey gang,
I’m running a 2116-12G with V7.4
I have a script that runs hourly that looks through and counts up the number of domain blocks from my Raw rule filters.
This works perfectly in V6.
This is a piece of the script.
For some reason this part of the script matches everything instead of the logically ORed values.
:foreach b in=[/ip firewall raw find where (comment="Manual_domain" || "TV_domain" || "BAM_C2_domain" || "BAM_Mal_domain" )] do={
If I replace it with this, it works properly but takes longer to run.
:foreach b in=[/ip firewall raw find where (comment~"domain")] do={
The number of entries with "domain" in the comment is between 1000 and 6500, depending on which lists I load.
Anyone run into something like this in V7?
Can’t «works perfect in V6»
It's just wrong how you write it, on both RouterOS versions…
On V6 this does not work:
:put [/ip firewall raw find where (comment="IP option record-route" || "IP option timestamp")]
This is not translated like YOU expect, comment=item1 or (comment=)item2 or (comment=)item3 etc.
This works (and the parentheses can be omitted, because = has precedence over OR):
:put [/ip firewall raw find where comment="IP option record-route" || comment="IP option timestamp"]
because this is really comment=item1 or comment=item2 or comment=item3
What is "compatible" is
:put [/ip firewall raw find where comment~"(IP option record-route|IP option timestamp|3rdopt|4thopt)"]
I get the same exact result when I change to this:
:foreach b in=[/ip firewall raw find where comment="Manual_domain" || comment="TV_domain" || comment="BAM_C2_domain" || comment="BAM_Phish_domain" || comment="BAM_Mal_domain"] do={
It matches everything on the list in V7.
It matches properly in V6.
What you say is different from what I get, and YOU OMIT the rest of the script…
[rex@tended] /ip/firewall/raw> export
jul/27/2022 09:41:23 by RouterOS 7.4
software id = 3NGC-9LEV
model = 911G-5HPnD
serial number =
/ip firewall raw
add action=drop chain=prerouting src-address=45.71.115.59
add action=drop chain=prerouting src-address=45.71.115.59
add action=drop chain=prerouting comment=Manual_domain src-address=45.71.115.59
add action=drop chain=prerouting comment=TV_domain src-address=45.71.115.59
add action=drop chain=prerouting comment=BAM_C2_domain src-address=45.71.115.59
add action=drop chain=prerouting comment=BAM_Phish_domain src-address=45.71.115.59
add action=drop chain=prerouting comment=t1 src-address=45.71.115.59
add action=drop chain=prerouting comment=t2 src-address=45.71.115.59
add action=drop chain=prerouting comment=t3 src-address=45.71.115.59
add action=drop chain=prerouting comment=t4 src-address=45.71.115.59
add action=drop chain=prerouting comment=t5 src-address=45.71.115.59
add action=drop chain=prerouting comment=t6 src-address=45.71.115.59
[rex@tended] /ip/firewall/raw> :put [/ip firewall raw find where comment="Manual_domain" ||
comment="TV_domain" || comment="BAM_C2_domain" || comment="BAM_Phish_domain" || comment="BAM_Mal_domain"]
*3;*4;*5;*6
[rex@tended] /ip/firewall/raw> :foreac b in=[/ip firewall raw find where comment="Manual_domain" ||
comment="TV_domain" || comment="BAM_C2_domain" || comment="BAM_Phish_domain" || comment="BAM_Mal_domain"] do={ :put $b }
*3
*4
*5
*6
[rex@tended] /ip/firewall/raw>
Either you didn't ask the question right, or you didn't understand the answer…
«counts up the number of domain blocks from my Raw rule filters»
This does not count the domain blocks, but discarded packets, if you call it with another name…
«This is a piece of the script»
As usual, the user knows exactly where the error is…
This works.
{
:local totalpackets 0
:foreac b in=[/ip firewall raw find where comment="Manual_domain" || \
comment="TV_domain" || comment="BAM_C2_domain" || comment="BAM_Phish_domain" || comment="BAM_Mal_domain"] do={
:set totalpackets ($totalpackets + [get $b packets])
:put "$[get $b comment] $[get $b packets] (subt $totalpackets)"
}
:put "Total: $totalpackets"
}
Manual_domain 3 (subt 3)
TV_domain 6 (subt 9)
BAM_C2_domain 0 (subt 9)
BAM_Phish_domain 0 (subt 9)
Total: 9
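The two points made above (the `comment="a" || "b"` form accepting every rule, and the corrected script summing the packet counters of the matching rules) can be reproduced outside the router. The following is an added Python model, not RouterOS script and not code from the thread or from MikroTik: it builds a made-up rule table in the shape of the export shown above and runs the four `where` predicates discussed in this thread over it. Python parses `x == "a" or "b"` the same way RouterOS parses `comment="a" || "b"`, with the equality binding tighter than the OR, so the bare strings become separate always-true operands. The `domain_test` rule is a constructed extra that shows why the unanchored `comment~"domain"` fallback overcounts.

```python
import re

# Constructed sample of a /ip firewall raw table, shaped like the export in the thread:
# an internal id (*n), the comment tag and the rule's packet counter (all values made up).
RAW_RULES = [
    {"id": "*1", "comment": "",                 "packets": 12},
    {"id": "*2", "comment": "",                 "packets": 0},
    {"id": "*3", "comment": "Manual_domain",    "packets": 3},
    {"id": "*4", "comment": "TV_domain",        "packets": 6},
    {"id": "*5", "comment": "BAM_C2_domain",    "packets": 0},
    {"id": "*6", "comment": "BAM_Phish_domain", "packets": 0},
    {"id": "*7", "comment": "t1",               "packets": 4},
    {"id": "*8", "comment": "t2",               "packets": 0},
    {"id": "*9", "comment": "domain_test",      "packets": 5},  # a tag that merely contains "domain"
]

# The comment tags the counting script is meant to select (BAM_Mal_domain has no rule in this sample).
WANTED = ("Manual_domain", "TV_domain", "BAM_C2_domain", "BAM_Phish_domain", "BAM_Mal_domain")


def find(rules, where):
    """Stand-in for `[/ip firewall raw find where ...]`: ids of the rules the predicate accepts."""
    return [r["id"] for r in rules if where(r)]


def where_broken(r):
    """comment="Manual_domain" || "TV_domain" || ... as first written in the thread.

    == binds tighter than `or`, just as = binds tighter than || in RouterOS, so each bare
    string is its own operand of `or`. A non-empty string is true, hence every rule matches
    (for a non-Manual_domain rule the expression evaluates to the string "TV_domain").
    """
    return r["comment"] == "Manual_domain" or "TV_domain" or "BAM_C2_domain"


def where_explicit(r):
    """The corrected form: comment="a" || comment="b" || ... (field name repeated per alternative)."""
    return any(r["comment"] == tag for tag in WANTED)


def where_substring(r):
    """The OP's fallback comment~"domain": an unanchored regex search over the comment."""
    return re.search("domain", r["comment"]) is not None


def where_regex_anchored(r):
    """comment~"^(a|b|c)$": the single-regex alternative, anchored so only whole tags match."""
    pattern = re.compile("^(" + "|".join(re.escape(t) for t in WANTED) + ")$")
    return pattern.search(r["comment"]) is not None


def total_packets(rules, where):
    """Sum of the packet counters of the matching rules, which is what the script reports."""
    return sum(r["packets"] for r in rules if where(r))


def running_report(rules, where):
    """Per-rule (comment, packets, subtotal) tuples, in the shape of the demo output above."""
    out, subtotal = [], 0
    for r in rules:
        if where(r):
            subtotal += r["packets"]
            out.append((r["comment"], r["packets"], subtotal))
    return out


if __name__ == "__main__":
    for name, where in [("broken", where_broken), ("explicit", where_explicit),
                        ("substring", where_substring), ("anchored regex", where_regex_anchored)]:
        print(f"{name:15} matches {find(RAW_RULES, where)} total={total_packets(RAW_RULES, where)}")
```

With this sample the explicit and anchored-regex predicates select *3 to *6 and total 9, matching the demo output above; the broken predicate selects all nine rules, and the substring form also pulls in the `domain_test` rule, which is the kind of silent overcount to watch for when the packet total is used as a blocking metric.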
Here is more of the script. What I’m trying to accomplish is count the number of blocked packets.
#count number of blocked domains.
:log info "*************** Compiling blocked domains *****************"
:local b 0;
:local blkd 0;
:local dname 0:
:global Tblkd 0;
:global Blkdomain "";
#The specific comment search is much faster. But does not work in V7
#:foreach b in=[/ip firewall raw find where (comment="Manual_domain" || comment="TV_domain" || comment="BAM_C2_domain" || comment="BAM_Mal_domain") ] do={
:foreach b in=[/ip firewall raw find where (comment~"domain")] do={
:set dname [/ip firewall raw get $b content];
:set blkd [/ip firewall raw get $b packets];
#:log info "Checking $dname, packets=$blkd"
:if ($blkd > 0) do={:set Blkdomain ($Blkdomain.$dname."\n")};
:set Tblkd ($Tblkd + $blkd);
}
:log info "**********Total Domain Blocks = $Tblkd ***********";
Example of rules on the list:
/ip firewall raw
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="BAM_C2_domain" content=173.231.184.122} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="BAM_C2_domain" content=187ddbf44e.com} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="BAM_C2_domain" content=31b4bd31fg1x2.feedback} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="BAM_C2_domain" content=4b7e9e2996.com} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="TV_domain" content=0506vtvnpx1gofe7.info} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="TV_domain" content=1918anotherpandemic.com} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="TV_domain" content=9iwuhan.com} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="TV_domain" content=aajkabharatsamachar.com} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="BAM_Mal_domain" content=00110000.com} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="BAM_Mal_domain" content=013698.com} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="BAM_Mal_domain" content=023hgdlc.com} on-error={}
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="BAM_Mal_domain" content=0431cc.net} on-error={}
I think I just discovered the problem. The final :if do curly bracket should have been at the end of the last line, as it is here.
Why it behaved differently on the V6.49.6 box is very strange.
#The specific comment search is much faster. But does not work in V7
#:foreach b in=[/ip firewall raw find where (comment="Manual_domain" || comment="TV_domain" || comment="BAM_C2_domain" || comment="BAM_Mal_domain") ] do={
:foreach b in=[/ip firewall raw find where (comment~"domain")] do={
:set dname [/ip firewall raw get $b content];
:set blkd [/ip firewall raw get $b packets];
#:log info "Checking $dname, packets=$blkd"
:if ($blkd > 0) do={:set Blkdomain ($Blkdomain.$dname."\n");
:set Tblkd ($Tblkd + $blkd)};
}
In front of
:local dname 0:
there is a : present, not a ;
Why use ; ? Do not use it at all, unless you need more commands on the same line…
Why define "b"???
Why
do={
}
???
It is useless…
Also do…on-error is completely useless when adding rules to raw…
Better this way:
/ip firewall raw
remove [find where comment=BAM_C2_domain || comment=TV_domain || comment=BAM_Mal_domain]
add action=drop chain=prerouting comment=BAM_C2_domain content=173.231.184.122 dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=BAM_C2_domain content=187ddbf44e.com dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=BAM_C2_domain content=31b4bd31fg1x2.feedback dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=BAM_C2_domain content=4b7e9e2996.com dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=TV_domain content=0506vtvnpx1gofe7.info dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=TV_domain content=1918anotherpandemic.com dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=TV_domain content=9iwuhan.com dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=TV_domain content=aajkabharatsamachar.com dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=BAM_Mal_domain content=00110000.com dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=BAM_Mal_domain content=013698.com dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=BAM_Mal_domain content=023hgdlc.com dst-port=80,443 protocol=tcp
add action=drop chain=prerouting comment=BAM_Mal_domain content=0431cc.net dst-port=80,443 protocol=tcp
Refreshed version, without all useless frills.
:log info "*************** Compiling blocked domains *****************"
:global Tblkd 0
:global Blkdomain ""
:local blkd 0
:local dname ""
/ip firewall raw
:foreach b in=[find where (comment="Manual_domain" || comment="TV_domain" || \
comment="BAM_C2_domain" || comment="BAM_Mal_domain")] do={
:set dname [get $b content]
:set blkd [get $b packets]
:set Tblkd ($Tblkd + $blkd)
:if ($blkd > 0) do={:set Blkdomain "$Blkdomain$dname\n"}
}
:log info "*************** Total Domain Blocks = $Tblkd **************"
Ok, thanks for the clean up.
I use the :do {} on-error={} because I pull these lists from our server, which first downloads from the source.
The server has code that then reformats to an .rsc file.
I pull down the .rsc file and import it.
Occasionally there have been errors in the data. Not so much with domains, but sometimes with IPs that cause a syntax error, and the import script stops.
Using this approach only the erroneous line gets skipped and not everything below it.
:do {add action=drop chain=prerouting protocol=tcp dst-port=80,443 comment="BAM_Mal_domain" content=023hgdlc.com} on-error={}
By the way, this works great for filtering sites that match the content=. I've experimented with putting the domain also in tls-content=, but it does not seem to work any better and adds more work to the router.
I can load a few hundred domains without any noticeable degradation in performance on my CCR2116 unit.
But when it gets close to 1000, the slowdown starts to get noticeable.
I can load the domain names as address list entries and let the MT resolve them to an IP, but then I get more false detects due to cloud servers sharing multiple domains on a single IP.
I have almost 20K domains I would like to block, but that is not really possible on MT hardware.
Thoughts?
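The post above describes a server that downloads a feed and reformats it into an .rsc file, with `:do {} on-error={}` around each `add` so that a malformed entry does not abort the import. The following is an added Python example of the server-side step, not code from the thread or from MikroTik: it validates every feed entry as either an IP address or a hostname before emitting a rule, reports the rejected lines instead of sending them to the router, de-duplicates, and emits the rule shape shown in this thread (drop in prerouting, tcp/80,443, matched on `content=`) preceded by a `remove [find where comment=TAG]` so a re-import replaces the previous list. The feed format (one indicator per line, `#` starting a comment) and the quoting of the `content=` value are assumptions of this example; the thread's own rules leave `content=` unquoted.

```python
import ipaddress
import re

# One DNS label per RFC 1123: alphanumerics and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# Comment tags are used unquoted in comment= and in `find where comment=`, so keep them plain.
TAG_RE = re.compile(r"^[A-Za-z0-9_]+$")


def classify(entry):
    """Return "ip", "domain" or None for one cleaned feed entry (lower-case, no whitespace)."""
    try:
        ipaddress.ip_address(entry)          # accepts IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if len(entry) <= 253 and HOSTNAME_RE.match(entry):
        return "domain"
    return None


def clean_line(raw):
    """Strip whitespace and a trailing `#` comment (assumed feed convention), normalise case."""
    return raw.strip().split("#", 1)[0].strip().lower()


def build_rsc(tag, feed_lines):
    """Turn an indicator feed into an .rsc fragment for /ip firewall raw.

    Returns (rsc_text, rejected_lines). Invalid entries are reported rather than emitted,
    so the router never receives a malformed `add` and no per-line :do/on-error wrapper is
    needed for that purpose. Duplicates are dropped silently.
    """
    if not TAG_RE.match(tag):
        raise ValueError(f"comment tag must match [A-Za-z0-9_]+, got {tag!r}")
    lines = ["/ip firewall raw", f"remove [find where comment={tag}]"]
    rejected, seen = [], set()
    for raw in feed_lines:
        entry = clean_line(raw)
        if not entry:
            continue                           # blank or comment-only line
        if classify(entry) is None:
            rejected.append(raw.rstrip("\n"))  # keep the original text for the import log
            continue
        if entry in seen:
            continue
        seen.add(entry)
        # content= is quoted so a value can never be read as a further key=value pair.
        lines.append(
            f'add action=drop chain=prerouting comment={tag} content="{entry}" '
            "dst-port=80,443 protocol=tcp"
        )
    return "\n".join(lines) + "\n", rejected


# Constructed feed: valid domains and IPs, a comment, a blank, a duplicate and two bad lines.
SAMPLE_FEED = [
    "example.com",
    "Bad.Example.NET   # trailing comment",
    "192.0.2.10",
    "",
    "not a domain!",
    "2001:db8::1",
    "example.com",
    "-leadinghyphen.example.com",
]


if __name__ == "__main__":
    text, bad = build_rsc("BAM_Mal_domain", SAMPLE_FEED)
    print(text)
    for line in bad:
        print("rejected:", line)
```

Running it on the constructed feed yields four `add` lines and two rejected lines. Logging the rejected lines on the server gives a record of what was left out of the block list, which the `on-error={}` approach does not provide since it discards the failing line without a trace.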
Ah, ok, I missed that part, it is a "not checked" imported list.
Above all, it is done with layer 7, and that is very expensive on resources.
MikroTik actually does not produce any device specialized for content filtering,
and with TLS 1.3 all this is gone and you cannot do anything.