Anything? Stuck on the same problem…

I'll try to use squid3, maybe it works

I found that just %Hs work and puts in the status code.  I really appreciate your help.  It seems that everything is working now.

Thank you for your input. I will test with v3 and see.
If it has antivirus, maybe I can skip having HAVP installed…

@spudy12:

Ah okay so it's nothing to worry about?
I just assumed as it was sending an alert it was something that was not good (to much of that with my NAS lately)

Also my Alert list is being spammed with

(http_inspect) UNKNOWN METHOD

Is there anyway to limit the number of these logged or turn it off altogether?

Cheers!

The cron e-mail is a never-mind.  Just spam.  I will see if I can get rid of in an upcoming update.

As for the http_inspect alert, those are very common.  So common, in fact, that I wonder why the rule authors even keep them in their packages.  But since they do, my advice is either disable the rule or suppress it.  A suppressed rule still "fires", but Snort eats the alert.  A disabled rule never wastes CPU time being used to inspect against traffic, since disabled rules are not loaded.  Which to use is your call as admin.  I have chosen to disable the rule.  You can do that either on the RULES tab by selecting Preprocessor Rules in the drop-down, or (easier method) find the alert on the ALERTS tab display and click the red X icon to add the rule to the forced disabled list.

Bill

ESF: Please kill your AAAA records until this is fixed.

The promised bug fix update for Suricata has been posted.  I started a new thread with those Release Notes.  The update to package version 2.0.2 from 2.0.1 addresses the bugs identified in this thread.  All are fixed except one, which is not actually a bug.  The Suricata Dashboard Widget will remember which column it was in when the package is uninstalled and reinstalled, but it will always position itself at the bottom of that column.  This happens because when Suricata is removed, the Dashboard Widget must also be removed or errors will result from missing files.  A package upgrade on pfSense actually performs an uninstall and then reinstall.  So the Dashboard Widget is removed during the uninstall step and then reinstalled when the package is.  However, it is not possible for the widget to position itself back exactly where it was before.  It will go to the bottom of the column where it was previously located.

Bill

Adjusted my hosts file and success!
Thank you!

I know this is an old thread but I though this would be a good topic to bring back from the dead since it is the first result in Google.  Could we use something similar to what is suggested at http://www.zeroshell.org/forum/viewtopic.php?t=1916.  This is the pertinent part:

Step 0 - Disable your HAVP proxy using the GUI, in the case it is currently enabled.
Step 1 - (Ignore)
Step 2 - The following command have to be both executed in the Zeroshell's shell AND added to your pre-boot scripts (through the Zeroshell's GUI):
    > mount -omand,noatime,uid=havp,gid=havp,size=50m -ttmpfs none /Database/var/register/system/havp/tmp
Step 3 - Re-enable your HAVP proxy using the GUI.

I had been trying and failing to set up squid and squidguard when my LAN was set up to use 172.31.1.0/24.

I reset to factory defaults and left all at 192.168.1.0/24 and the installation went fine.

ilvipero,

Sorry for the delay in replying.  The package doesn't cache the domain.  It caches the IP address of the sending server.

The postscreen cache (where previously seen IPs are stored)  is held in /var/db/postfix/postscreen_cache.db

A reboot should not affect that - I've even backed it up and restored it to a fresh install.

You can see what IPs are in there with

Are you running an embedded install of pfSense?

@highlandpeak:

Bill,

Thanks for the hard work.

BAM

If your configuration is still muddled up and giving you problems, send me a PM and I will work with you offline to get it fixed.  Essentially what was happening to you is the Snort PHP code was getting confused by the duplicate UUIDs for different interfaces and wound up trying to "start" the wrong one (one that is already started).  That's why one of your interfaces was giving a SOFT RESTART notice.  Its UUID matched one of your earlier configured interfaces (most likely the one it was cloned from).  Snort uses that UUID to differentiate interface instances.

Bill

@Grandmaster:

No problem at all Bill. Thanks for all the work.

Normally I'd not use spaces for exactly this sort of reason but for some reason my thumbs took over on this one and typed a space - The thumbs have been duly admonished, put back in their box and I am now using a sensor name without a space and typing with only eight fingers. But as it got me scratching my head I thought I'd report it as a bug in case another person also has rogue thumbs or it crops up in some other manner.

Cheers

James

I just tested and Barnyard2 itself won't honor any spaces in the config file (even when the string containing them is quoted).  So I added validation logic to the SAVE code that checks for spaces in the Sensor Name and throws a validation error if any are found.  I was able to sneak this fix into the current Suricata update that is under review by the pfSense developer team.  I will also add it to the next Snort update.

Again, thank you for the report.

Bill

what about flashing it with this firmware?

http://joeyiodice.com/converting-tp-link-tl-wr1043nd-to-dd-wrt/

Onde add as expressoes regulares

Good to hear it worked.

For future reference this site was very helpful.

In SquidGuard, create a new ACL for just the one IP address.  Then sequence it right at the top of your rules.