jokob-sk / NetAlertX

🖧🔍 WIFI / LAN intruder detector. Scans for devices connected to your network and alerts you if new and unknown devices are found.
GNU General Public License v3.0

Subnets are not scanned #170

Closed thehijacker closed 1 year ago

thehijacker commented 1 year ago

Describe the issue

I have three subnets. Only in one it finds devices. Even if other two subnets are reachable.

Paste last few lines from pialert.log

[2023-02-04 19:15:23] Scan: Pholus for 600s (10.0min)
        Pholus scan on [interface] eth0 [mask] 192.168.28.0/24
[2023-02-04 19:16:02] Scan: Pholus SUCCESS
[2023-02-04 19:16:03] Scan: Pholus for 600s (10.0min)
        Pholus scan on [interface] eth0 [mask] 10.0.107.0/24
[2023-02-04 19:16:41] Scan: Pholus SUCCESS
[2023-02-04 19:16:42] Scan: Pholus for 600s (10.0min)
        Pholus scan on [interface] eth0 [mask] 10.0.208.0/24
[2023-02-04 19:17:20] Scan: Pholus SUCCESS
[2023-02-04 19:15:23] Scan Devices:
    arp-scan start
  Processing scan results
    Devices Detected.......: 41
        arp-scan detected..: 39
        Pi-hole detected...: +0
        New Devices........: 0
    Devices in this cycle..: 41
        Down Alerts........: 0
        New Down Alerts....: 0
        New Connections....: 0
        Disconnections.....: 0
        IP Changes.........: 0
  Updating DB Info
    Sessions Events (connect / discconnect)
    Creating new devices
    Updating Devices Info
b''
        Trying to resolve devices without name
          Pholus entries from prev scans: 6296
        Names Found (DiG/Pholus): 0 (0/0)
        Names Not Found         : 23

Paste your pialert.conf (remove personal info)

#-----------------AUTOGENERATED FILE-----------------#
#                                                    #
#         Generated:  2023-02-05_17-40-40            #
#                                                    #
#   Config file for the LAN intruder detection app:  #
#      https://github.com/jokob-sk/Pi.Alert          #
#                                                    #
#-----------------AUTOGENERATED FILE-----------------#

# General
#---------------------------
ENABLE_ARPSCAN=True
SCAN_SUBNETS=['192.168.28.0/24 --interface=eth0','10.0.107.0/24 --interface=eth0','10.0.208.0/24 --interface=eth0']
PRINT_LOG=False
TIMEZONE='Europe/Ljubljana'
PIALERT_WEB_PROTECTION=False
PIALERT_WEB_PASSWORD='8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92'
INCLUDED_SECTIONS=['internet','new_devices','down_devices','events']
SCAN_CYCLE_MINUTES=5
DAYS_TO_KEEP_EVENTS=90
REPORT_DASHBOARD_URL='http://pi.alert/'
DIG_GET_IP_ARG='-4 myip.opendns.com @resolver1.opendns.com'
UI_LANG='English'

# Email
#---------------------------
REPORT_MAIL=False
SMTP_SERVER='smtp.gmail.com'
SMTP_PORT=587
REPORT_TO='user@gmail.com'
REPORT_FROM='Pi.Alert <user@gmail.com>'
SMTP_SKIP_LOGIN=False
SMTP_USER='user@gmail.com'
SMTP_PASS='password'
SMTP_SKIP_TLS=False
SMTP_FORCE_SSL=False

# Webhooks
#---------------------------
REPORT_WEBHOOK=False
WEBHOOK_URL='http://n8n.local:5555/webhook-test/aaaaaaaa-aaaa-aaaa-aaaaa-aaaaaaaaaaaa'
WEBHOOK_PAYLOAD='json'
WEBHOOK_REQUEST_METHOD='GET'

# Apprise
#---------------------------
REPORT_APPRISE=False
APPRISE_HOST='http://localhost:8000/notify'
APPRISE_URL='mailto://smtp-relay.sendinblue.com:587?from=user@gmail.com&name=apprise&user=user@gmail.com&pass=password&to=user@gmail.com'
APPRISE_PAYLOAD='html'

# NTFY
#---------------------------
REPORT_NTFY=False
NTFY_HOST='https://ntfy.sh'
NTFY_TOPIC='replace_my_secure_topicname_91h889f28'
NTFY_USER='user'
NTFY_PASSWORD='passw0rd'

# PUSHSAFER
#---------------------------
REPORT_PUSHSAFER=False
PUSHSAFER_TOKEN='ApiKey'

# MQTT
#---------------------------
REPORT_MQTT=False
MQTT_BROKER='192.168.1.2'
MQTT_PORT=1883
MQTT_USER='mqtt'
MQTT_PASSWORD='passw0rd'
MQTT_QOS=0
MQTT_DELAY_SEC=2

# DynDNS
#---------------------------
DDNS_ACTIVE=False
DDNS_DOMAIN='your_domain.freeddns.org'
DDNS_USER='dynu_user'
DDNS_PASSWORD='A0000000B0000000C0000000D0000000'
DDNS_UPDATE_URL='https://api.dynu.com/nic/update?'

# PiHole
#---------------------------
PIHOLE_ACTIVE=False
DHCP_ACTIVE=False

# Pholus
#---------------------------
PHOLUS_ACTIVE=False
PHOLUS_TIMEOUT=120
PHOLUS_FORCE=False
PHOLUS_RUN='once'
PHOLUS_RUN_TIMEOUT=600
PHOLUS_RUN_SCHD='0 4 * * *'
PHOLUS_DAYS_DATA=7

# Nmap
#---------------------------
NMAP_ACTIVE=False
NMAP_TIMEOUT=150
NMAP_RUN='none'
NMAP_RUN_SCHD='0 2 * * *'
NMAP_ARGS='-p -10000'

# API
#---------------------------
ENABLE_API=True
API_RUN='schedule'
API_RUN_SCHD='*/3 * * * *'
API_RUN_INTERVAL=10
API_CUSTOM_SQL='SELECT * FROM Devices WHERE dev_PresentLastScan = 0'

#-------------------IMPORTANT INFO-------------------#
#   This file is ingested by a python script, so if  #
#        modified it needs to use python syntax      #
#-------------------IMPORTANT INFO-------------------#

Paste your docker-compose.yml and .env (remove personal info)

docker-compose.yml

  pialert:
    container_name: pialert
    image: "jokobsk/pi.alert:latest"
    network_mode: "host"
    restart: unless-stopped
    volumes:
      - /mnt/usb_1/Docker/PiAlert/config:/home/pi/pialert/config
      - /mnt/usb_1/Docker/PiAlert/db:/home/pi/pialert/db
      # (optional) useful for debugging if you have issues setting up the container
      - /mnt/usb_1/Docker/PiAlert/logs:/home/pi/pialert/front/log
    environment:
      - TZ=Europe/Ljubljana
      - HOST_USER_ID=1000
      - HOST_USER_GID=1000
      - PORT=20211

Screenshots

image

thehijacker commented 1 year ago

It seems to be VLAN related:

root@proxmox:~# arp-scan --ignoredups --retry=6 10.0.107.0/24 --interface=vmbr0
Interface: vmbr0, type: EN10MB, MAC: 1c:83:41:30:01:82, IPv4: 192.168.28.70
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)

181 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.9.7: 256 hosts scanned in 11.143 seconds (22.97 hosts/sec). 0 responded

If I add --vlan 107

root@proxmox:~# arp-scan --ignoredups --retry=6 10.0.107.0/24 -vlan=107 --interface=vmbr0
Interface: vmbr0, type: EN10MB, MAC: 1c:83:41:30:01:82, IPv4: 192.168.28.70
Starting arp-scan 1.9.7 with 256 hosts (https://github.com/royhills/arp-scan)
10.0.107.1      e4:8d:8c:XX:XX:XX       Routerboard.com (802.1Q VLAN=107)
10.0.107.30     78:11:dc:XX:XX:XX       XIAOMI Electronics,CO.,LTD (802.1Q VLAN=107)
10.0.107.31     40:31:3c:XX:XX:XX       XIAOMI Electronics,CO.,LTD (802.1Q VLAN=107)

So how can I add these VLAN parameters to pialert via the web UI?

thehijacker commented 1 year ago

Edited it manually in pialert.conf. GUI looks like this now:

image

Still waiting for full scan to see if it will work.

thehijacker commented 1 year ago

Scan finished. Lots of "name not found" and they are now from all three subnets. But no problem. I will edit one by one and attach to router so I get a nice visual of my network.

image

Please check if my setup for VLAN is correct and if it can be officially supported in the GUI.

EDIT: It seems Pholus is not working now:

        Pholus scan on [interface] eth0 [mask] 10.0.107.0/24 --vlan=107
source MAC address:a2:89:95:77:ff:77source IPv4 Address:192.168.28.53source IPv6 address:fd96:db65:2925:47e1:a089:95ff:fe77:ff77
Sniffer filter is: not ether src a2:89:95:77:ff:77 and udp and port 5353
I will sniff for 60.0 seconds, unless interrupted by Ctrl-C
------------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/pi/pialert/pholus/pholus3.py", line 1192, in <module>
    main()
  File "/home/pi/pialert/pholus/pholus3.py", line 1062, in main
    ipn = ipaddress.ip_network(values.rdns_scanning)
  File "/usr/lib/python3.9/ipaddress.py", line 83, in ip_network
    raise ValueError('%r does not appear to be an IPv4 or IPv6 network' %
ValueError: '10.0.107.0/24 --vlan=107' does not appear to be an IPv4 or IPv6 network

        Error - Pholus Scan - check logs
[2023-02-05 19:57:54] Scan: Pholus FAIL - check logs
[2023-02-05 19:57:54] Scan: Pholus for 120s (2.0min)

Thank you.

jokob-sk commented 1 year ago

Cheers for letting me know! Will add this probably to a future release.

renouji commented 1 year ago

I found if I reverse it like this 10.0.107.0/24 --interface=vmbr0 -vlan=107 then Pholus works like normal.

jokob-sk commented 1 year ago

Thanks @renouji! I've covered this scenario in the following documentation snippet, which I link to from the in-app settings page:

https://github.com/jokob-sk/Pi.Alert/blob/main/docs/SUBNETS.md

Let me know if you have any suggestions for improving it or if unclear after reading.

Closing for now.

Thanks, J
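
The traceback in this thread comes from the whole entry, options included, reaching `ipaddress.ip_network()`. The following is an added example, not Pi.Alert's own code, of parsing a `SCAN_SUBNETS` entry so that option order stops mattering and only known options reach the `arp-scan` argument list; the function names and the option allowlist are assumptions.

```python
import ipaddress
import shlex

# Constructed sample entries modelled on the SCAN_SUBNETS values in this thread.
SAMPLE_ENTRIES = [
    "192.168.28.0/24 --interface=eth0",
    "10.0.107.0/24 --vlan=107 --interface=eth0",
    "10.0.107.0/24 --interface=eth0 --vlan=107",
]

# Assumption: only these arp-scan options are accepted in an entry.
ALLOWED_OPTIONS = {"--interface", "--vlan"}


def parse_scan_entry(entry):
    """Split one entry into (network, options) whatever the option order."""
    tokens = shlex.split(entry)
    if not tokens:
        raise ValueError("empty scan entry")
    # The first token must be the CIDR; it is the only part a consumer
    # such as ipaddress.ip_network() should ever be handed.
    network = ipaddress.ip_network(tokens[0], strict=False)
    options = {}
    for tok in tokens[1:]:
        name, sep, value = tok.partition("=")
        if name not in ALLOWED_OPTIONS or not sep or not value:
            raise ValueError(f"unsupported option in scan entry: {tok!r}")
        options[name] = value
    if "--vlan" in options:
        vlan = options["--vlan"]
        # 802.1Q VLAN IDs are 12 bits; 0 and 4095 are reserved.
        if not (vlan.isascii() and vlan.isdigit() and 1 <= int(vlan) <= 4094):
            raise ValueError(f"invalid VLAN id: {vlan!r}")
    return network, options


def arp_scan_argv(entry):
    """Build an argument list (no shell involved) for arp-scan from one entry."""
    network, options = parse_scan_entry(entry)
    argv = ["arp-scan", "--ignoredups", "--retry=6", str(network)]
    argv += [f"{name}={value}" for name, value in sorted(options.items())]
    return argv


if __name__ == "__main__":
    for sample in SAMPLE_ENTRIES:
        print(parse_scan_entry(sample)[0], arp_scan_argv(sample))
```
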