Yeah - I know.  Thats what I told my friend and theat what he told the customers and yet….

They keep whining for it.

It was on an amd64 box. But my friend did some tinkering with it and got it working.

Test button works but not seen any alerts from pfsense yet.

Thx, for the fix!  :)

Now, let´s wait for the pfSense Team. :-P

I posted a Pull Request today that adds some additional validation checks on IP addresses and subnets when creating the HOME_NET and PASS LIST values for Snort.  Hopefully this corrects the issue with only a single forward slash ( "/" ) getting into HOME_NET and/or PASS LISTS.

Here is a link to the Pull Request:  https://github.com/pfsense/pfsense-packages/pull/805

Bill

Some help please :)

pfBlocker has been removed, and replaced by pfBlockerNG for 2.2. It's in the package system if you want to install it

@Supermule:

Snort is not blocking/reporting to widget if WAN IP REP is enabled.

It is started and returning nothing

Any idea to why??

Do you have IP REP files downloaded and then assigned on the WAN interface?  The files should show up under the IP LISTS tab (on the top row of tabs).  Then on the WAN tabs (lower tab row) you assign particular files to the interface on the IP REP tab.  Once you make the assignments, Snort will need restarting on that interface.

I have the ET-Open rules "emerging-compromised-ips.txt" list assigned to my WAN, and I am getting blocks.  Just had a few in the last couple of hours.  The alert text will this:  (spp_reputation) packets blacklisted and the GID:SID is 136:1.

Bill

This update was merged this morning and should appear for pfSense 2.2 users only as mentioned in the release notice above.  Go to System > Packages > Installed Packages and the update should be showing as available.

NOTE:  this update and future Suricata updates will only be available for pfSense 2.2 and above due to changes in the Suricata source code that break compiling a package on pfSense 2.1.x.

Bill

@firefox:

i did not see this packages in the packages manger ?

clamd
c-icap

where this from ?

it is automaticly installed with squid3

Thanks!

A couple links on how its works and such… They are different but same concept

https://mitmproxy.org/doc/index.html
http://docs.diladele.com/faq/squid/index.html

@peridian:

Doh!  Figured it out.

@bmeeks:

In this case, the bad IP (the source IP in this alert) was blocked so no further communication can happen there.

You would think, however looking at the logs I realised that squid was operating on that interface in transparent mode.  snort was generating the block for the external IP, but squid was returning a cached copy of the content, which made it look to the client like the connection had still worked.

@bmeeks:

If so, you will need to define a custom PASS LIST, uncheck the option to include local networks, then manually assign the list to the VLAN interface (or the LAN interface) and restart Snort.

Excellent, thank you for that, it achieved exactly the result I was looking for.  I don't know how I ever got snort to produce blocks originally if I didn't know to do this, but it is now behaving as expected, and with squid still enabled on the interface.

Thank you for all your help, it's very much appreciated.

Regards,
Rob.

Glad you got it figured out.  Unless you are worried about your internal VLAN hosts being a source of and spreading some malware, I don't understand why you want their IP addresses blocked at the firewall as well.  Simply blocking the other end of the offending traffic stream is protection enough for the victim host.  I'm assuming you are running this in a home setup.  As an example, assume your PC browses to a web site and some rogue ad content on the site causes Snort to fire an alert and insert a block.  If you let it block both the bad web site AND your own PC's address, then you can find yourself locked out of the firewall (at least from your PC).  Isn't it sufficient that just the far-end rogue source or destination be blocked?

Bill

One more question.  How do I add CA certs that I manage to squid itself?

@marcelloc:

@Trel:

If I edit a backup xml file, and remove the appropriate settings, and then restore it, does anything I removed get wiped off of pfsense or would the package gui config persist still?

Will be removed. Keep in mid that full config restore forces a reboot and package reinstall.

Ok, this looks like the best option anyway.  I should be good then.

@j@svg:

Got it. So, basically wait for NG…. :(

There is a manual install steps on pfblockerng thread but I'll send pull request to remove pfblocker and enable pfblockerng on 2.2

The system logs indicate:

php: lcdproc: Failed to connect to LCDd process Operation timed out (60)

Any clues?