kmullen
Frequent Visitor
Topic Author
Posts: 57
Joined: Thu Dec 30, 2004 9:48 pm

Malware and Bogon scripts

Mon Dec 19, 2005 6:13 am

I know these have already been created and updated but I can't find them.

I need scripts to add Malware and Bogon IP filters on my routers and can't find them.
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Mon Dec 19, 2005 10:14 am

Regarding the bogons part of the question:

I once had written a small PERL script to create a RouterOS script file. This created a firewall chain "bogons" which contains rules to drop packets from bogons.
I attach the script here. It was written for Windows (on Linux adjust the shebang line to the PERL interpreter). It's getting a current bogons list from http://www.completewhois.com and is outputting several files. Each is a complete one, the only difference is the amount of networks listed in the chain. There's one result file including only /20 and bigger networks, one for /19 and bigger and so on. Down to one including all listed bogons, which creates about 7.400 rules today.

Take one (!) of the created scripts (depending on how large your filtering chain should get), put it on your router (FTP/SCP) and execute it as script there. This will erase any existing chain with the name "bogons", recreate this as an empty chain and fill the rules in...

Please beware that this is still creating 2.8 RouterOS syntax; if I find time I'll update it and put it into the Wiki.

#!c:/perl/bin/perl.exe

#################################################
##                                             ##
## PERL script to create RouterOS commands for ##
## bogon filtering.                            ##
##                                             ##
## (c) 2005 Christian Meis, info <at> cmit.de  ##
## Version: 1.0                                ##
##                                             ##
#################################################

use strict;
use warnings;
use LWP::Simple;

# RouterOS 2.8 commands: empty the "bogons" chain if it exists, delete it and re-create it (empty)
my $ros_cmd_recreate_chain = ":foreach i in [/ip firewall rule bogons find] do={/ip firewall rule bogons remove \$i}\n"
    . "/ip firewall remove [/ip firewall find name=bogons]\n"
    . "/ip firewall add name=bogons comment=\"automatically created BOGON filter chain\"\n"
    . "/ip firewall rule bogons\n";
my $ros_cmd_jump_back = "add action=return\n";

# Get BOGON list from www.completewhois.com and save it locally...
my $BOGON = get 'http://www.completewhois.com/bogons/data/bogons-cidr-all.txt';
if (defined $BOGON) {
    open(my $dat, '>', 'bogons.dat') or die "cannot write bogons.dat: $!";
    print $dat $BOGON;
    close($dat);
}

if (-s "bogons.dat") {
    # success getting the BOGON list - let's go on...
    open(my $in, '<', 'bogons.dat') or die "cannot read bogons.dat: $!";

    # one output file per minimum network size; the key is the largest prefix
    # length (= smallest network) still written into that file
    my %names = (32 => 'all', 16 => '16up', 17 => '17up', 18 => '18up', 19 => '19up', 20 => '20up');
    my %out;
    for my $max (keys %names) {
        open($out{$max}, '>', "bogons-routeros-chain_$names{$max}.rsc")
            or die "cannot write bogons-routeros-chain_$names{$max}.rsc: $!";
        # initial RouterOS commands to delete the "bogons" chain (if existent) and re-create it (empty)
        print {$out{$max}} $ros_cmd_recreate_chain;
    }

    while (my $netaddress = <$in>) {
        chomp($netaddress);
        # row with netaddress - otherwise this was a comment or empty line
        if ($netaddress =~ /^[0-9]+.*\/([0-9]+)$/) {
            my $prefixlen = $1;
            for my $max (keys %out) {
                # a network goes into a file if it is at least as big as that file's minimum size
                print {$out{$max}} "add src-address=$netaddress out-interface=all action=drop comment=\"\" disabled=no\n"
                    if ($prefixlen <= $max);
            }
        }
    }

    # final RouterOS command to jump back from the bogons chain
    for my $max (keys %out) {
        print {$out{$max}} $ros_cmd_jump_back;
        close($out{$max});
    }
    close($in);
    unlink "bogons.dat";
}

If someone needs it, this is also available as a stand-alone Windows executable file (for those not having PERL installed).

Best regards,
Christian Meis
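An added example (not the Perl script from this post) of the same list-to-script generation in Python: it parses the one-CIDR-per-line bogon format, validates each entry, collapses overlapping prefixes, applies the "/20 and bigger" style size cut-off, and emits a script that rebuilds a RouterOS address-list. The sample list, the list name "bogons" and the current (not 2.8) address-list syntax are assumptions.

```python
import ipaddress

# Constructed sample in the bogons-cidr-all.txt format (one CIDR per line,
# '#' comments); not real data, and deliberately overlapping and junk-laden.
SAMPLE_BOGON_LIST = """\
# bogons-cidr-all.txt (constructed sample)
0.0.0.0/8
10.0.0.0/8
10.1.0.0/16
192.0.2.0/24
198.18.0.0/15
240.0.0.0/4
not-a-network
"""

LIST_NAME = "bogons"  # assumed address-list name, as used in the thread


def parse_bogons(text):
    """Return validated IPv4 networks; comments, blanks and junk lines are skipped."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            nets.append(ipaddress.IPv4Network(line, strict=True))
        except ValueError:
            continue  # malformed line: never turn it into a firewall rule
    # Merge overlapping/adjacent prefixes: 10.1.0.0/16 inside 10.0.0.0/8 is dropped.
    return list(ipaddress.collapse_addresses(nets))


def routeros_script(text, max_prefixlen=32):
    """Emit a RouterOS script that rebuilds the address-list from scratch.

    max_prefixlen mirrors the thread's /20-and-bigger variants: a network is
    kept only if its prefix length is <= max_prefixlen, i.e. it is big enough.
    """
    lines = ["/ip firewall address-list", f"remove [find list={LIST_NAME}]"]
    for net in parse_bogons(text):
        if net.prefixlen <= max_prefixlen:
            lines.append(f'add list={LIST_NAME} address={net} comment="bogon"')
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(routeros_script(SAMPLE_BOGON_LIST, max_prefixlen=20))
```

Because bogon space shrinks as prefixes get allocated, the generated script should always come from a freshly fetched list rather than from a copy saved earlier, or the filter starts dropping legitimate traffic.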
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Mon Dec 19, 2005 12:32 pm

Oh yeah, and for those who don't know the word "bogon": This is used to describe unused address space on the internet. So traffic with source (or destination) addresses from those address ranges cannot be legitimate traffic and gets filtered out by (sadly not all, but many) ISPs.

See also Wikipedia

Best regards,
Christian Meis
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Mon Dec 19, 2005 8:14 pm

Here is my script that takes a BGP bogon feed and turns it into an address-list:
## Builds an address list with bogons based on the
## learned bgp routes which have the specific routing-mark.

:local bogon

:log info "Removing all BOGONS, starting sync."
# flush the current list first, so prefixes that left the feed disappear as well
:foreach subnet in [/ip firewall address-list find list=bogons] do {
   /ip firewall address-list remove $subnet
}

# every route carrying the routing-mark was learned from the bogon BGP feed
:foreach subnet in [/ip route find routing-mark=bogons] do {
   :set bogon [/ip route get $subnet dst-address]
   :log info ("Found " . $bogon . " as bogon entry.")
   /ip firewall address-list add list=bogons address=$bogon
}

Here is my current chain if you just want to copy and paste it:

Cymru provides a BGP feed to us that we then filter with a routing-mark, and then based on that list we generate the address-list... runs nightly to keep them up to date automatically.

Sam
 
lastguru
Member
Posts: 432
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia

Tue Dec 20, 2005 1:28 pm

is this info added to the wiki? ;)
 
changeip
Forum Guru
Posts: 3830
Joined: Fri May 28, 2004 5:22 pm

Tue Dec 20, 2005 6:39 pm

 
lastguru
Member
Posts: 432
Joined: Fri May 28, 2004 9:04 pm
Location: Certified Trainer/Consultant in Riga, Latvia

Wed Dec 21, 2005 1:31 pm

thanks, that's great! one side note: we are usually not signing the pages as it is all written in the history page.
