Create Firewall rules for ESET Smart Security from an IP list: Firewall Rules Generator


Inspired by a user who wanted to import a list of 222 IPs into the ESS firewall, I made this tool. I called it the "Firewall Rules Generator" for ESS.
 
It simply converts a list of IP addresses into a settings file for the ESS firewall, so you can import it via the settings.

Limitations

  • Currently it only supports IPv4 addresses. IPv6 support may be added later. [Done]
  • The firewall rule will be set to use the protocol TCP & UDP. You can only change this manually after the creation of the XML file.
  • You can't specify any ports to block.

Changelog


Changelog for ESET-Firewall Rules Generator by rugk
__________________________________________________________________
* changes/bug fixes
+ new features
- removed features
~ other information
 
v 1.2 2015-06-08
+ added /license parameter
* added line "Module" in comments written to the end of the XML file
* switched from CC-BY license to MIT license as this is much more appropriate for software
 
v 1.1 2015-03-29
+ added support for IPv6
* minor bug fixes
* renamed some variables and other small code changes
 
v 1.0 2015-02-19
~ first version released
 
v 0.1 2015-02-18
~ started development


How to use

  • Start the program. (or use drag & drop to drop an IP list file on it)
  • Select your IP list file, set the options and specify the settings file, which should be created.
  • After the settings file is created you can import it into ESS:

Alternatively you can also create the XML from the command line. The process can be fully automated by using the parameters of the program.
To see all available parameters just start it with the parameter "/?". (like this: ESSFirewallRulesGenerator.exe /?)
 
About the tool
The tool is written in AutoIt and the source code is on GitHub. It's licensed under an MIT license.
This way you can be sure that it is not malicious and only does what it says.
Additionally here you can find the virustotal scan. (A few AVs may detect it as a "backdoor", but this happens just because of the compressing algorithm I'm using. More information here.)
 
Download
Here are the download links for the tool:
 
Download file
SHA-1 hash: 4BDFDEADACE5BA77A1853D4B1CF650A7CDFED384
Alternative download link 1
Alternative download link 2
View source on GitHub
 
If you find problems or other things then any report is of course very much appreciated. You can do this on GitHub or in this thread of course.
 
If you're looking for an example of a created settings file you can use the one created from the C&C servers of Zeus Tracker (download here).

Edited by rugk
Hi Rugk,

Tried your link to download the "EXE" tool and was prevented from downloading from two of the sites. Messages were as follows:

Site 1:

This page is identified as potentially unwanted.
hxxp://get.file16desktop.com/DownloadManager/Get?p=5654&d=8701&l=8181&n=1&productname=ESSFirewallRulesGenerator.exe&dynamicname=ESSFirewallRulesGenerator.exe&filename=ESSFirewallRulesGenerator.exe&d1=1660000&d2=1&d3=1&
This web page is on the list of websites with dubious reputation or websites with potentially unwanted content.
 

Site 2:

Access to the web page was blocked.
hxxp://www13.file-upload.net/download.php?id=10320237&name=19.02.15/566rpzrsvkp1.exe&origname=ESSFirewallRulesGenerator.exe&valid=78354917190
The web page is on the list of websites with potentially dangerous content.

Any hints as to how to get the tool?

 

Regards,

 

Bob

Edited by BobArch2

I think this was the download from file-upload.com.

I have also just seen that ESET blocked these URLs. And after a short test I can also say why: file-upload.com has added a download manager... :ph34r:  (PUA)

 

However my primary download link was to mega.co.nz. This download should have worked and is still working now.

I will upload it somewhere else and change my links.

 

Edit: I have changed the links.

Edited by rugk

Your new link, just spins-its-wheels when clicked on the Blue Download link. The message shows "contacting server" with the rotating wheel. No progress.

 

What now?


I tested it right now and it's working...

Could you try the links to mega.co.nz?

 

Just click on the links on the left:


Edited by rugk

I see you modified the link to go to mega.co.nz. I now have both the EXE tool and the XML file. Will take it from here and will let you know the outcome.

 

Thanks for your efforts.  Much appreciated!

 

Bob


Okay, great.

 

However...

I see you modified the link to go to mega.co.nz.

Well no... the left links always linked to mega.co.nz, only the right (alternative links) linked to workupload.com (and previously file-upload.net).

 

BTW if you reply and want to say some things about the XML and some things about my tool I think it would be good to keep the two different threads for it, so if you want to say something about the XML post it in the post with the XML and if you want to say (more than one line) about the tool then post it here.

As the topics are linked to each other users who want to find it are going to find it. :)

Edited by rugk
Hi rugk,

 

Finally got around to testing the tool for importing IP addresses. The first thing I did was to get a current list, 227 items. I was not sure what format the input list needed so I created a TXT file of the addresses and removed the "*" headings. I did run the app under the CMD with the /? to get a record of all the options. You did a great job there! Then ran the tool using all the defaults and before I knew it, all 227 IPs were loaded with all the required data. So far so good.

 

I have the "log" option unchecked.  I am assuming that being set to "off" implies that I would not see any breaches in a log file. I guess I could always take one of the IPs and enter it into the browser to see what happens.

 

I will make it a point to periodically check the ZeuS site for updates.  If any, I will first delete the existing rule in Smart Security and then run the updated list through the tool and reimport.

 

Thanks again for your efforts... they are much appreciated.

 

Bob


Great that it worked nicely for you. :)

As an input file all text files are working great. Just use .txt or .lst. (normally .lst only means list and the content is a text file anyway...)

 

And you could have left the headings there. All lines beginning with usual characters, which indicate comments, are ignored.

 

I am assuming that being set to "off" implies that I would not see any breaches in a log file.

Yes that's right. The log option is just the same option as you can see in the rules list later. By default it is disabled (in most predefined rules too). If it would be enabled then you could see the entries in "Tools → Logs → Personal Firewall".

 

I guess I could always take one of the IPs and enter it into the browser to see what happens.

Of course you can. However in your current configuration you won't get any notification (or log entry) if an application is connecting to these IPs.

 

If any, I will first delete the existing rule in Smart Security and then run the updated list through the tool and reimport.

Yes, that's the only possible way. Otherwise you would have two rules in ESS...

Edited by rugk

OK, I turned both "Log" and "notifications" on and am being advised when trying to go to one of the blacklisted IP addresses.

 


 

Looking good!!!

 

Thanks again...

 

Bob


  • 4 weeks later...

Version 1.1 is out now. :)

Mainly I just added IPv6 support.

 

And I discovered that I wrote the changelog wrong in the first release. I was still in 2014 although I created it in 2015 of course.

But now the changelog is correct.

Hi RugK,

 

I have downloaded and run v1.1 with a new set of rules from the Zeus Tracker for IPv4 sites.  No IPv6 sites available yet. I have tested with a few of the IPv4 sites and everything went well.

 

Thanks for the update

 

Bob


Yeah ZeusTracker actually doesn't have any IPv6 addresses, so this isn't needed there (actually).

But in my tests with fake IPv6 addresses it all worked correctly.


  • 2 months later...

I've just released v 1.2. Basically the program has not changed much, but I've changed some other things around it.

At first I switched from a CC-BY license to the MIT license as this is more suitable for software than a CC license.

And secondly this tool and all its source code is now on GitHub. :)

So if you want to contribute something there you can do it easily.


  • 3 months later...
 
 

 


hi

wow, seems great

but where do I get these ips?

i mean does the program add 222 ips considered malware, doesn't it?

does it work like peerblock?

would be really amazing to add a list of ips (ads -> like adblock plus or adguard ad blocker)!

thanks

Edited by mantra

If you have a list of IPs (each IP on a new line in a txt file or something similar) you can use it.

 

If you have no list of IPs I only have a sample of the ones used by ZeusTracker. You can get it here.

 

 

 

i mean does the program add 222 ips considered malware, doesn't it?

This depends on what list you use, but the ZeusTracker list is a list of domains used by a malware.

 

does it work like peerblock ?

Based on a quick read about Peerblock I think so, yes. However if you want to use a list from Peerblock (or better: from https://www.iblocklist.com/ which is used by Peerblock) you would have to adjust it first by removing the labels before each IP.

thanks a lot

you know would be amazing importing ads ips to block ads , for example windows 10 or 8 have several ads , or program like skype

adding too many ips could slow down eset smart security ? or the firewall ?

 

by the way virus total flags it sadly as HEUR/QVM11.1.Malware.Gen and W32.HfsAtSTIL.6930  -> hash SHA256  d9be90d7d6ea015c9f438f0df35611bde8e221423170ec342346ea9f5e62b5ef

Edited by mantra

AFAIK even a huge blocking rule should not slow down ESET's firewall.
 

by the way virus total flags it sadly as HEUR/QVM11.1.Malware.Gen and W32.HfsAtSTIL.6930  -> hash SHA256  d9be90d7d6ea015c9f438f0df35611bde8e221423170ec342346ea9f5e62b5ef


The hash is correct. These detections are false positives.
I have changed the first post to add a note about this (again).

by the way thanks for the great tool!!!


  • 5 months later...

Thanks for the work, it would be great if you could add support of IP ranges, like this:

64.4.23.0-64.4.23.255
111.221.64.0-111.221.127.255

This topic is now closed to further replies.
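
The input-format advice given in the thread (one IP per line, comment lines skipped, iblocklist labels removed first) and the IP-range request in the last reply, shown as an added example that is not part of the original posts or of the tool's source: a Python pre-processor that turns a mixed list into validated, de-duplicated single addresses. The comment prefixes, the range-size cap, the function names and the sample data are assumptions made for this example.

```python
import ipaddress

COMMENT_PREFIXES = ("#", ";", "//")  # assumption: the thread does not name the exact characters
MAX_RANGE = 65536                    # assumption: ranges with more addresses are not expanded

# Constructed sample input (documentation address blocks, not a real blocklist).
SAMPLE = """\
# header comment
192.0.2.10
192.0.2.10
Example Label:198.51.100.4-198.51.100.6
203.0.113.0-203.0.113.2
2001:db8::1
not-an-ip
10.0.0.0-10.255.255.255
"""


def _parse_entry(text):
    """Return (first, last) address objects for 'IP' or 'IP-IP', or None if invalid."""
    first, dash, last = text.rpartition("-")
    first = first if dash else last
    try:
        lo, hi = ipaddress.ip_address(first.strip()), ipaddress.ip_address(last.strip())
    except ValueError:
        return None
    if lo.version != hi.version or int(lo) > int(hi):
        return None
    return lo, hi


def normalize_blocklist(lines, max_range=MAX_RANGE):
    """Return (sorted unique IP strings, rejected lines) from a mixed-format list."""
    seen, rejected = set(), []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith(COMMENT_PREFIXES):
            continue
        entry = _parse_entry(line)
        if entry is None and ":" in line:
            # iblocklist/PeerBlock style "Label:start-end": drop the label and retry
            entry = _parse_entry(line.rpartition(":")[2])
        if entry is None or int(entry[1]) - int(entry[0]) >= max_range:
            rejected.append(line)
            continue
        lo, hi = entry
        seen.update(type(lo)(n) for n in range(int(lo), int(hi) + 1))
    ordered = sorted(seen, key=lambda ip: (ip.version, int(ip)))
    return [str(ip) for ip in ordered], rejected
```

Calling `normalize_blocklist(SAMPLE.splitlines())` returns the cleaned addresses and the rejected lines; review the rejected list before writing the addresses out one per line, so a malformed or oversized entry is not silently dropped from the block rule.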