I want a script to run it in a new terminal.
I have a firewall address list called 30-seconds-list (an IP lasts 30 seconds in this list). I want a script to add an IP to 24-hour-list if it appears 20 times in the 30-seconds-list.
:local srclist "30_sec_list"
:local countthreshold 7
# Internal processing ....
:local iparr ""
:local addr
:local count
/ip firewall address-list {
    :foreach l in=[find list=($srclist)] do={
        :set addr [get $l address]
        # unique IP
        :if ([:len [:find [:toarray $iparr] $addr]] = 0) do={
            # count IPs in list
            :set count [:len [find list=($srclist) address=$addr]]
            :put ($addr . " count: " . $count)
            :if ($count >= $countthreshold) do={
                :put ($addr . " exceeds threshold. Do something here")
            }
            # append to array so this IP isn't counted again
            :set iparr ([:tostr $iparr] . [:tostr $addr] . ",")
        }
    # foreach l
    }
# /ip firewall address-list
}
/ip firewall filter
add action=add-src-to-address-list address-list=24-hour-list address-list-timeout="1d 00:00:00" chain=bad-host-detection comment="If seen 20 time in 30 seconds add to the one day block list" disabled=no nth=50 src-address-list=30-seond-list
But in Winbox I can only see "Every" and "Packet" and I don't see the counter.
nth (integer | integer: 0..15 | integer) - match a particular Nth packet received by the rule. One of 16 available counters can be used to count packets
• Every - match every Every+1th packet. For example, if Every=1 then the rule matches every 2nd packet
• Counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
• Packet - match on the given packet number. The value by obvious reasons must be between 0 and Every. If this option is used for a given counter, then there must be at least Every+1 rules with this option, covering all values between 0 and Every inclusively.
How to correct the code on the wiki to work with v4.15?
Ahh, I understand, so you want IPs from a dynamic 30sec list to be added to a 24hour dynamic list.
I haven't used nth much, but I've seen a request for the ability to add a dynamic list entry to address list (I believe it's on the feature requests wiki page).
Otherwise, using firewall (as you mentioned) is about the only way.
Thank you. I did this with nth=100,1, but I notice that many IPs appear in the 24-hr-list list in a short time, so I don't think that this is working. I have to stop rules that drop the internet from 24-hr list.
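Why one nth rule can put many unrelated addresses on the 24-hour list, as an added example that is not part of the original thread: a Python simulation (not RouterOS code) of the rule-wide counter the manual excerpt describes, next to a per-source count over a 30-second window. The packet trace, the function names and the simplified "match every 100th packet seen by the rule" model are assumptions made for illustration.

```python
from collections import defaultdict, deque

def nth_rule_listed(packets, every):
    """Simplified model of one nth rule: a single counter shared by all
    sources. The source of every `every`-th packet the rule sees is listed."""
    listed, counter = set(), 0
    for _ts, src in packets:
        counter += 1
        if counter == every:
            listed.add(src)
            counter = 0
    return listed

def per_source_listed(packets, threshold, window):
    """Per-source count: list a source only when that source alone has
    sent `threshold` packets within the last `window` seconds."""
    listed, seen = set(), defaultdict(deque)
    for ts, src in packets:
        q = seen[src]
        q.append(ts)
        while q and ts - q[0] >= window:   # drop hits older than the window
            q.popleft()
        if len(q) >= threshold:
            listed.add(src)
    return listed

def sample_trace():
    """Constructed trace, 300 s long: 37 quiet hosts send one packet every
    10 s each; one noisy host (192.0.2.200) sends one packet per second."""
    packets = []
    for t in range(300):
        packets.append((t + 0.5, "192.0.2.200"))
        if t % 10 == 0:
            packets.extend((t + i / 100, f"198.51.100.{i}") for i in range(1, 38))
    return sorted(packets)

if __name__ == "__main__":
    trace = sample_trace()
    print("nth-style rule lists:  ", sorted(nth_rule_listed(trace, 100)))
    print("per-source count lists:", sorted(per_source_listed(trace, 20, 30)))
```

On this trace the shared counter lists 13 of the quiet hosts as well as the noisy one, because it lists whichever source happens to send the packet that lands on the counter position; the per-source count lists only the noisy host.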