On Jun 6, 2024, at 4:30 PM, jon <jon.murphy@ipfire.org> wrote:
Wow! Some lists don’t need an update too often.
```
[root@ipfire ~] # while IFS='=' read -r theList theEpoch ; do printf "%-40s" "${theList}=${theEpoch}" ; printf "%(%F)T\n" "${theEpoch}" ; done < /var/ipfire/ipblocklist/modified | sort -k2,2 -k1,1
BOGON=1424305106 2015-02-18
ALIENVAULT=1636726250 2021-11-12
FEODO_IP=1663973704 2022-09-23
TOR_EXIT=1663971223 2022-09-23
FEODO_RECOMMENDED=1663973404 2022-09-23
BLOCKLIST_DE=1667772005 2022-11-06
DOH_SERVERS=1690684412 2023-07-29
TOR_ALL=1710361882 2024-03-13
EMERGING_FWRULE=1717561802 2024-06-04
SHODAN=1717634749 2024-06-05
EMERGING_COMPROMISED=1717621199 2024-06-05
CIARMY=1717707841 2024-06-06
DSHIELD=1717706701 2024-06-06
BOGON_FULL=1717707302 2024-06-06
SPAMHAUS_DROP=1717696303 2024-06-06
SPAMHAUS_EDROP=1717705720 2024-06-06
FEODO_AGGRESSIVE=1717708203 2024-06-06
[root@ipfire ~] #
```
On Jun 6, 2024, at 9:55 AM, Adolf Belka <adolf.belka@ipfire.org> wrote:
Hi All,
On 05/06/2024 18:47, jon wrote:
Comments below...
Jon
On Jun 5, 2024, at 4:55 AM, Adolf Belka <adolf.belka@ipfire.org> wrote:
Michael - To me Line 89 `<INFO> Skipping $blocklist blocklist - Too frequent update attempts!` has little to no value since it is time based (i.e., it is not time to update).
Hi All,
On 05/06/2024 11:28, Michael Tremer wrote:
Hello Jon,
Why should this not be logged?
See: https://github.com/ipfire/ipfire-2.x/blob/master/src/scripts/update-ipblocklists#L89
And to me the Line 103 `<INFO> Skipping $blocklist blocklist - It has not been modified!` has little value.
See: https://github.com/ipfire/ipfire-2.x/blob/master/src/scripts/update-ipblocklists#L103
If it is to be used for troubleshooting maybe the date of last modification be added to the log message (e.g., $last_modified):
See: https://github.com/ipfire/ipfire-2.x/blob/master/config/cfgroot/ipblocklist-functions.pl#L167
I will look at doing something like that.
Regards,
Adolf.
Otherwise I would remove.
Just my 2c,
Adolf - I did not change the `<INFO> Successfully updated ...` so a user should be able to make a determination something stopped.
-Michael
The log message about not being modified was what a forum user was able to use to identify that the Alien Vault list had not been updated for at least 17 months.
On 4 Jun 2024, at 21:22, Jon Murphy <jon.murphy@ipfire.org> wrote:
- Remove two <INFO> log entries from message log.
Signed-off-by: Jon Murphy <jon.murphy@ipfire.org>
---
src/scripts/update-ipblocklists | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/scripts/update-ipblocklists b/src/scripts/update-ipblocklists
index a17b47999..dddde8d27 100644
--- a/src/scripts/update-ipblocklists
+++ b/src/scripts/update-ipblocklists
@@ -86,7 +86,7 @@ foreach my $blocklist (@blocklists) {
# Check if enough time has passed since the last download of the list.
if ($time <= $holdoff_time) {
# To frequent updates, log to syslog.
- &_log_to_syslog("<INFO> Skipping $blocklist blocklist - Too frequent update attempts!");
+ # &_log_to_syslog("<INFO> Skipping $blocklist blocklist - Too frequent update attempts!");
# Skip this provider.
next;
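Review bot: The call in the hold-off branch is commented out rather than deleted, which leaves the comment above it ("# To frequent updates, log to syslog.") describing something the code no longer does. If the message is to go, delete the line and reword that comment (fixing "To" to "Too" while there), and state the reason in the commit message, which currently says only that two <INFO> entries are removed.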
@@ -100,7 +100,7 @@ foreach my $blocklist (@blocklists) {
# Handle different return codes.
if ($return eq "not_modified") {
# Log notice to syslog.
- &_log_to_syslog("<INFO> Skipping $blocklist blocklist - It has not been modified!");
+ # &_log_to_syslog("<INFO> Skipping $blocklist blocklist - It has not been modified!");
} elsif ($return eq "dl_error") {
# Log error to the syslog.
&_log_to_syslog("<ERROR> Could not update $blocklist blocklist - Download error\!");
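Review bot: With the call disabled, the "not_modified" branch becomes an empty block holding only "# Log notice to syslog." and a commented-out line, so a list that has stopped changing upstream leaves no trace from this branch and shows up only as the absence of other messages. As raised in the thread, this message was what exposed a list that had gone stale, so consider keeping it and adding the last-modified date to it; if it is dropped anyway, remove the stale comment and say in the commit message how an inactive list is meant to be detected.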
That information could not be found from the Alien Vault site as there is no timestamp on the file being downloaded to be able to be processed.
I would not want to lose this information otherwise when another provider silently closes their list because they have been taken over or decide to concentrate on funded lists it will prove very hard to figure out if the lists are still active, even more so as more lists get added.
See my "troubleshooting" comment above.
Regards,
Adolf.
--
2.30.2
--
Sent from my laptop
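Added example, not part of the thread or of IPFire's scripts: a staleness check over the `NAME=epoch` layout of `/var/ipfire/ipblocklist/modified` shown in the listing above, reporting lists whose last modification is older than a threshold so that a silently abandoned feed gets noticed. The function names, the 30-day threshold and the two malformed sample lines are assumptions; the four valid sample entries are copied from the listing.

```shell
#!/bin/sh
# stale_lists MAX_AGE_DAYS [NOW_EPOCH] < modified-file
# Prints "NAME AGE_DAYS" for every list older than MAX_AGE_DAYS, oldest first.
# The body runs in a subshell ( ... ) so its variables stay local in POSIX sh.
stale_lists() (
    max_days=$1
    now=${2:-$(date +%s)}
    # "|| [ -n ... ]" also handles a final line that lacks a newline.
    while IFS='=' read -r name epoch || [ -n "$name" ]; do
        [ -n "$name" ] || continue
        # Skip values that are not plain decimal integers (a leading zero
        # would be read as octal by shell arithmetic).
        case $epoch in
            ''|*[!0-9]*|0?*) continue ;;
        esac
        age=$(( (now - epoch) / 86400 ))
        if [ "$age" -gt "$max_days" ]; then
            printf '%s %d\n' "$name" "$age"
        fi
    done | sort -k2,2nr -k1,1
)

# Sample input: four entries taken from the listing in the thread, plus a
# constructed malformed entry and a blank line to exercise the skip paths.
sample_modified() {
    cat <<'EOF'
ALIENVAULT=1636726250
TOR_ALL=1710361882
BROKEN=n/a

SHODAN=1717634749
CIARMY=1717707841
EOF
}

# Evaluate the sample as of epoch 1717708203 (2024-06-06 in the listing).
# Prints:
#   ALIENVAULT 937
#   TOR_ALL 85
sample_modified | stale_lists 30 1717708203
```

On a live system the same function would read the real file, for example `stale_lists 30 < /var/ipfire/ipblocklist/modified`. Lists that rarely change by design need a larger threshold or an exclusion.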