
a3sal0n / falcongate


A smart gateway to stop cyber criminals - Sponsored by Falcon Guard

Home Page: https://falconguard.cz

License: GNU General Public License v3.0

Python 45.70% Shell 4.32% PHP 28.08% HTML 2.62% JavaScript 2.76% CSS 1.96% Smarty 14.37% Zeek 0.19%
cybersecurity firewall malware security-tools

falcongate's People

Contributors

a3sal0n, easy4mer


falcongate's Issues

Confusing dates in Recent alerts

Hi,
I think that the columns "First seen" and "Last seen" are confusing, because "First seen" is apparently the date of the alert, but "Last seen" is the date the device was last seen, not the date of the last event that triggered the alarm.

does url filtering work ?

Shall I put the info through config.ini or use the web GUI? I tried to block, for example, yahoo.com, but it did not seem to work.

How can one do this?

IP whitelisting is not working

@easy4MEr detected that the IP whitelisting feature of the admin console wasn't working. The IP addresses added to the text box were not excluded from blacklisting with ipset.

FalconGate web app

Hello everybody,

I wanted to try it out on my Pine64 with Armbian, but no matter what, it seems that there is no way to log in to the web interface.

I tried to reach the IP address via browser; I also tried leaving the DHCP of the router on and turning it off, which unfortunately results in no IP address being assigned to the Pine.

regards

Vin

Deleted static threat intel sources from config.ini file

We decided to delete the static threat intel URLs from the default config.ini file.

The reason for this is that these sources contained too many false positives by default, and this was causing traffic to legitimate sites to be blocked. The users of the platform can still add their own sources, but we won't maintain this list anymore.

We recommend subscribing to our free Threat Intel API to receive automatic daily updates. This feed is collected centrally in our cloud servers where we also take care of removing false positives and other artifacts.

For details on this change see our latest commit 0db2782

Central API for IP and domain threat intel blacklists

We have realized that it is quite a burden to maintain multiple local sources for retrieving intelligence data on malicious IP addresses and domains used by malware and attackers. It's also hard to keep them updated consistently and, at the same time, clean of false positives, etc. This is why we have decided to stop supporting the local sources listed in our config.ini file and enable a public central API hosted in a dedicated Amazon VPC for this purpose.

FalconGate users will still be able to append additional custom sources (URLs) to config.ini, but we won't be improving the existing parsers for these sources in the future.

Stay tuned... we will share soon the details on how to register for our new API.

block or alert

I wanted to clarify something.

Does FalconGate block or just alert?

Does it block and possibly not show that it is blocking something? Or does it alert and block?

FG-ERROR: Error while retrieving the bad domains

After restart:

Mar 19 12:34:27 falcongate intel.retrieve_bad_domains[132]: FG-ERROR: Error while retrieving the bad domains from: http://mirror1.malwaredomains.com/files/immortal_domains.txt
Mar 19 12:34:27 falcongate falcongate.main[132]: FG-DEBUG: Starting main loop
Mar 19 12:34:28 falcongate logparser.run[132]: FG-WARN: read_bro_notice_log - I/O operation failed. -
Mar 19 12:34:29 falcongate intel.retrieve_bad_domains[132]: FG-ERROR: Error while retrieving the bad domains from: http://winhelp2002.mvps.org/hosts.txt
Mar 19 12:34:30 falcongate intel.retrieve_bad_domains[132]: FG-ERROR: Error while retrieving the bad domains from: https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
Mar 19 12:34:31 falcongate intel.retrieve_bad_domains[132]: FG-ERROR: Error while retrieving the bad domains from: https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
Mar 19 12:34:32 falcongate intel.retrieve_bad_domains[132]: FG-ERROR: Error while retrieving the bad domains from: https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

curl works:

root@falcongate:~# curl -I https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
HTTP/1.1 200 OK
...

dns requests logs

In syslog I see a list of DNS requests. I think something is slipping through; I see no alert for what I suspect.

I was looking for your parsed files, which are referenced like /etc/dnsmasq.block for domain names.

For IPs, which file shall I look for?

I want to double-check an IP and/or domain I suspect is malware, but FalconGate is not picking it up.

I guess I am curious whether the malicious IP and domain name might be in these files somewhere...

logs

When the logs are "saved" in the graphical interface (X.X.X.2) of FG, can we delete old logs?

If we edit config.ini, how long before our changes are reflected?

Thanks for the help.

Make DHCP option optional

There are some scenarios, like my current home network, that would benefit from FalconGate and could be dropped in for testing in other locations, if the DHCP server requirement was optional. I'm guessing there are some assumptions or features that might be missed out on, but it would be nice as something configurable.

API Threat Intel entries exceeded the ipset list size

It seems that our Threat Intel database of malicious IP addresses is continuously increasing as we add new sources, so we went over the default size of the ipset blacklist (65536). We have decided to increase the size of this list to 500,000 entries in the installation script.
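Two of the issues above concern how the ipset blacklist is built: whitelisted addresses must be excluded from it, and its size must stay under the set's maxelem or loading fails with "set is full". The following is an added example (not FalconGate's own code) of doing both in one pass: intel entries are deduplicated, anything covered by a whitelisted IP or CIDR is dropped, the result is capped at maxelem with the overflow reported, and an `ipset restore` script is rendered as text. The set name fg_blacklist, the sample addresses (RFC 5737 documentation ranges) and the helper names are assumptions; the 65536 default and the 500,000 target are the values from the issue.

```python
import ipaddress

# Added example (not FalconGate's own code). The 65536 default and the 500,000
# target come from the issue text; everything else here is assumed.
IPSET_DEFAULT_MAXELEM = 65536
IPSET_CONFIGURED_MAXELEM = 500000


def parse_networks(entries):
    """Turn IP / CIDR strings into ip_network objects, skipping blanks, comments and junk."""
    nets = []
    for raw in entries:
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        try:
            nets.append(ipaddress.ip_network(raw, strict=False))
        except ValueError:
            continue  # malformed intel line: skip it rather than abort the whole load
    return nets


def is_whitelisted(net, whitelist):
    """True if net lies inside any whitelisted network of the same IP version."""
    return any(net.version == w.version and net.subnet_of(w) for w in whitelist)


def build_blacklist(intel_entries, whitelist_entries, maxelem=IPSET_DEFAULT_MAXELEM):
    """Return (to_load, dropped, overflow).

    to_load : deduplicated intel networks not covered by the whitelist, capped
              at maxelem so that loading never fails with "set is full"
    dropped : entries excluded because the whitelist covers them
    overflow: how many entries did not fit; anything > 0 means maxelem is too small
    """
    whitelist = parse_networks(whitelist_entries)
    seen = set()
    to_load, dropped = [], []
    for net in parse_networks(intel_entries):
        if net in seen:
            continue
        seen.add(net)
        if is_whitelisted(net, whitelist):
            dropped.append(net)
        else:
            to_load.append(net)
    overflow = max(0, len(to_load) - maxelem)
    return to_load[:maxelem], dropped, overflow


def ipset_restore_script(setname, nets, maxelem):
    """Render text for `ipset restore` (nothing is executed here).

    A `family inet` set only holds IPv4 networks, so IPv6 entries are left out;
    -exist makes both the create and the adds idempotent on reload.
    """
    lines = [f"create {setname} hash:net family inet maxelem {maxelem} -exist"]
    lines += [f"add {setname} {net.with_prefixlen} -exist"
              for net in nets if net.version == 4]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample data using RFC 5737 documentation ranges.
    intel = ["203.0.113.5", "203.0.113.5", "198.51.100.0/24", "192.168.1.10", "garbage"]
    whitelist = ["192.168.1.0/24"]
    to_load, dropped, overflow = build_blacklist(intel, whitelist, IPSET_CONFIGURED_MAXELEM)
    print(f"loading {len(to_load)}, whitelisted {len(dropped)}, overflow {overflow}")
    print(ipset_restore_script("fg_blacklist", to_load, IPSET_CONFIGURED_MAXELEM), end="")
```

Checking the whitelist against the parsed network rather than against the raw string is what makes a CIDR whitelist entry cover single addresses inside it; a non-zero overflow is the signal that the set needs to be recreated with a larger maxelem, which is the change the installer made.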

Trying to tail alerts.sqlite

I am trying to tail -c +1 -f /opt/FalconGate/logs/alerts.sqlite, but it seems not to be working. I suppose I want to push the output to a port instead of email. Any idea why this command fails?
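tail reads a file as a stream of bytes, but alerts.sqlite is a SQLite database: new alerts land in B-tree pages that are rewritten in place, so a byte-level tail shows nothing useful. The equivalent of `tail -f` for a table is to poll for rows whose primary key is above the last one seen. Here is an added example of that (not FalconGate's code); the issue gives the path /opt/FalconGate/logs/alerts.sqlite but not the schema, so the alerts table, its columns and the sample rows below are assumptions to adapt.

```python
import sqlite3
import time

# Added example, not FalconGate's code. The issue names logs/alerts.sqlite but
# not its schema, so the table below is an assumption; adapt the column names.
SCHEMA = """
CREATE TABLE IF NOT EXISTS alerts (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    ts          TEXT NOT NULL,
    host        TEXT NOT NULL,
    description TEXT NOT NULL
)
"""


def open_alerts_db(path):
    """Open (and, for the demo, create) the alerts database."""
    conn = sqlite3.connect(path)
    conn.execute(SCHEMA)
    conn.commit()
    return conn


def fetch_new_alerts(conn, last_id):
    """Rows with a primary key above last_id, in insertion order.

    The monotonically increasing id is the cursor; persisting last_id lets the
    follower resume after a restart without re-sending old alerts."""
    cur = conn.execute(
        "SELECT id, ts, host, description FROM alerts WHERE id > ? ORDER BY id",
        (last_id,),
    )
    return cur.fetchall()


def format_alert(row):
    """One line per alert, suitable for writing to a socket or syslog."""
    alert_id, ts, host, description = row
    return f"{ts} falcongate alert id={alert_id} host={host} msg={description}"


def follow_alerts(conn, handler, last_id=0, interval=1.0, max_polls=None):
    """The `tail -f` equivalent for a SQLite table.

    Polls for rows newer than last_id and passes each formatted line to
    handler; returns the last id seen so the caller can resume later.
    max_polls=None polls forever (Ctrl-C to stop)."""
    polls = 0
    while max_polls is None or polls < max_polls:
        for row in fetch_new_alerts(conn, last_id):
            handler(format_alert(row))
            last_id = row[0]
        polls += 1
        if max_polls is None or polls < max_polls:
            time.sleep(interval)
    return last_id


if __name__ == "__main__":
    # Constructed demo: an in-memory DB with two alerts, printed as they appear.
    db = open_alerts_db(":memory:")
    db.executemany(
        "INSERT INTO alerts (ts, host, description) VALUES (?, ?, ?)",
        [("2019-03-19T12:34:27", "192.168.1.23", "DNS request to blacklisted domain"),
         ("2019-03-19T12:35:02", "192.168.1.42", "Connection to blacklisted IP")],
    )
    db.commit()
    follow_alerts(db, print, interval=0, max_polls=1)
```

Against the live file, connect read-only (`sqlite3.connect("file:/opt/FalconGate/logs/alerts.sqlite?mode=ro", uri=True)`), skip the CREATE, and pass a handler that writes each line to the TCP port you want to feed instead of `print`. Each poll runs a short SELECT outside any open transaction, so the writer is never blocked.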

quick way to upgrade ?

Is there a quick way to upgrade? Or must I get a clean RPi install and follow the script?

github.com in blocked hosts

Hi, the first issue during testing FalconGate was being unable to connect to github.com, because it is in /etc/dnsmasq.blocked (multiple times).

BPi image security concerns

Due to concerns raised by our followers regarding the security of the OS image we currently use for Banana Pi, we have decided to take it offline. We will explore the possibility of using a different source image for this device.

Some things broken after last big commit

Some templates were broken after the last big commit. The IP address tag wasn't replaced with the new IP assigned to the default interface after installation.

Also, the new logs folder wasn't created in the repo because it was empty.

This was corrected so everything should be OK now.

change default ip

Is it OK to change the default IP in /etc/network/interfaces as we like? Will it affect operation if we change it? I will take it to a friend's house where the provider is different.

iface eth0:1 inet static
address 192.168.X.2
netmask 255.255.255.0
gateway 192.168.X.1

Detect devices with default vendor credentials

Implement new feature to detect devices in the FalconGate network which have active default user accounts and passwords or weak credentials.

Send an awareness alert with recommendations to the user if such an issue is found.

Crontab as init system

I think it is better to use systemd to start and stop FalconGate:

root@falcongate:~# cat /etc/systemd/system/falcongate.service
[Unit]
Description=FalconGate Server
After=dnsmasq.service
After=nginx.service

[Service]
User=root
WorkingDirectory=/opt/FalconGate
ExecStart=/usr/bin/python falcongate.py
Restart=always

[Install]
WantedBy=multi-user.target

homenet.pkl is gone

We decided to stop writing the pickle file homenet.pkl to disk because the write action was causing some performance issues once the homenet object in memory grew enough.

This change has no impact on the current features, and the alert history is saved in the SQLite DB under "logs/alerts.sqlite".

dnscrypt-proxy not up during installation

It seems that sometimes the installation of the Python dependencies fails because dnscrypt-proxy is not completely up and running and Python can't resolve the host names of the repositories.
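The failure described here is a startup race: the installer runs pip before the local resolver chain (dnscrypt-proxy) can answer. The usual mitigation is to probe name resolution for the hosts pip needs and retry with a delay, aborting with a clear message if the resolver never comes up. The following is an added example of such a readiness gate (not the FalconGate installer's code); pypi.org and files.pythonhosted.org are the hosts pip normally talks to, and the retry budget and function names are assumptions.

```python
import socket
import time

# Added example, not the FalconGate installer's code. pypi.org and
# files.pythonhosted.org are the hosts pip normally needs; the retry budget
# below is an assumed value.
PIP_HOSTS = ("pypi.org", "files.pythonhosted.org")


def resolver_ready(hostname):
    """True if the local resolver (dnsmasq -> dnscrypt-proxy here) answers for hostname."""
    try:
        socket.getaddrinfo(hostname, 443, proto=socket.IPPROTO_TCP)
        return True
    except socket.gaierror:
        return False


def wait_for_resolver(hostnames=PIP_HOSTS, attempts=30, delay=2.0,
                      probe=resolver_ready, sleep=time.sleep):
    """Block until every hostname resolves or the attempt budget is spent.

    Returns the attempt number on which resolution succeeded, or 0 when it
    never did, so an installer can stop with a clear message instead of
    letting pip fail with 'Temporary failure in name resolution'.
    probe and sleep are injectable so the retry logic is testable offline."""
    for attempt in range(1, attempts + 1):
        if all(probe(h) for h in hostnames):
            return attempt
        if attempt < attempts:
            sleep(delay)
    return 0


if __name__ == "__main__":
    # Run this right before `pip install -r requirements.txt` in an installer.
    n = wait_for_resolver()
    if n:
        print(f"resolver ready after {n} attempt(s); safe to run pip install")
    else:
        raise SystemExit("resolver never came up; is dnscrypt-proxy running?")
```

Probing all the hosts pip will contact, rather than just one, avoids the case where the index resolves but the file host does not yet; the injected probe in the test stands in for a resolver that comes up only after a couple of attempts.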

lost password

Is there some way to get back the lost password of the admin login?

Enabling DNS over HTTPS

We are working to implement DNS over HTTPS to protect all the devices connected to the FalconGate network against DNS spoofing at once, and to block your ISP or other parties from spying on plain DNS requests.

alerts

This ransomware executed first and then, once completed, contacted the internet, so FalconGate rightly reported it but would not be able to stop anything, as it stays quiet until it has done its damage first. I think it was TeslaCrypt or something. What sort of malware or phishing can FalconGate stop then?

Raspbian installer upgraded to support Stretch

The installer for Raspbian was upgraded to support the latest system version available at raspberrypi.org.

Some changes were needed in the templates for the core configuration files of Bro and NginX, so we recommend doing a fresh install from source if you want to upgrade your device. These changes are not backwards compatible with older versions of Raspbian (e.g. Jessie).

You can find the latest changes in our commit 929dc87

Alert reporting through cloud API

We have implemented a new alert reporting capability into FalconGate. It's possible now for us to send alert reports from our AWS cloud servers to the user's email address used for registration and/or a given Telegram chat group/channel pre-configured in the admin UI. Now users subscribed to our free cloud API are able to send alerts without the need to configure an ad-hoc Gmail account for this purpose.

The subscription to the free API is limited to 10 alerts per day for the cloud alerts.

For more details on the implementation see our latest commit to the master branch: 7b1920c

DNS Crypt source not sound

Hi all, just trying to install FalconGate. I tried both from image and from scratch. I keep getting errors on the DNSCRYPT part of the install. Is this something we can bypass in order to complete the install? I'm not getting DHCP to work so I can log in to the GUI and configure. I'm assuming DNSCrypt is the culprit for not completing the install. Any help would be appreciated.

Thanks

installing on a ras pi

pi@raspberrypi:/opt/FalconGate $ sudo ./install.py
Detecting default gateway...
eth0 192.168.1.1
Updating apt sources...
Hit http://archive.raspberrypi.org jessie InRelease
Hit http://mirrordirector.raspbian.org jessie InRelease
Hit http://archive.raspberrypi.org jessie/main armhf Packages
Hit http://mirrordirector.raspbian.org jessie/main armhf Packages
Hit http://archive.raspberrypi.org jessie/ui armhf Packages
Hit http://mirrordirector.raspbian.org jessie/contrib armhf Packages
Hit http://mirrordirector.raspbian.org jessie/non-free armhf Packages
Hit http://mirrordirector.raspbian.org jessie/rpi armhf Packages
Ign http://archive.raspberrypi.org jessie/main Translation-en_GB
Ign http://mirrordirector.raspbian.org jessie/contrib Translation-en_GB
Ign http://archive.raspberrypi.org jessie/main Translation-en
Ign http://mirrordirector.raspbian.org jessie/contrib Translation-en
Ign http://mirrordirector.raspbian.org jessie/main Translation-en_GB
Ign http://archive.raspberrypi.org jessie/ui Translation-en_GB
Ign http://mirrordirector.raspbian.org jessie/main Translation-en
Ign http://mirrordirector.raspbian.org jessie/non-free Translation-en_GB
Ign http://archive.raspberrypi.org jessie/ui Translation-en
Ign http://mirrordirector.raspbian.org jessie/non-free Translation-en
Ign http://mirrordirector.raspbian.org jessie/rpi Translation-en_GB
Ign http://mirrordirector.raspbian.org jessie/rpi Translation-en
E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)
E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?
Installing dependencies...
E: Could not get lock /var/lib/dpkg/lock - open (11: Resource temporarily unavailable)
E: Unable to lock the administration directory (/var/lib/dpkg/), is another process using it?
Installing Bro...
Cloning Bro repo...
Cloning into 'bro'...
remote: Counting objects: 87932, done.
remote: Compressing objects: 100% (26438/26438), done.
remote: Total 87932 (delta 63845), reused 80090 (delta 57314)
Receiving objects: 100% (87932/87932), 42.65 MiB | 471.00 KiB/s, done.
fatal: Out of memory, malloc failed (tried to allocate 85876875 bytes)
fatal: index-pack failed
Traceback (most recent call last):
File "./install.py", line 151, in <module>
main()
File "./install.py", line 83, in main
os.chdir("bro")
OSError: [Errno 2] No such file or directory: 'bro'
