Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts

    Can I use pfBlockerNG aliases in HAProxy?


    If it were a firewall rule, typing pfb would produce a dropdown to select from.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidthd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts

    @Laxarus This worked for me as well, though I had to search the web for how to edit the file (the easiest way).

    Therefore:

    Addition for anyone struggling to find where to edit files on your pfsense system.

    Go to Diagnostics --> Edit File --> insert the location of the file:

    /usr/local/pkg/pfblockerng/pfblockerng.sh

    Go to line number 1232 by filling it in the Go to line field.

    That line should read:

    s1="$(grep -cv ^${ip_placeholder2}$ ${masterfile})"

    replace only (leave the rest intact):

    masterfile

    to

    mastercat

    Then follow the above instructions from @Laxarus https://forum.netgate.com/post/1219635

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    johnpoz

    @MacUsers

    https://help.zerossl.com/hc/en-us/articles/360060119933-Certificate-Revocation

    edit: oh, you're prob out of luck

    You can revoke any certificate issued via the ZeroSSL portal. Currently, certificates issued via ACME can not be revoked from inside the portal - please follow the instructions of your ACME client for revoking those certificates.

    the GUI in pfSense does not have the ability to revoke - you prob have to move the certs to something you have certbot installed on and revoke that way.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered them automatically. Only restarting FRR (either in the GUI or via the CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI, it seemed to solve the problem as well.

  • Discussions about the Tailscale package

    88 Topics
    572 Posts

    We have a very basic configuration between three locations. All are running Netgate firewalls (1x 4100, 1x 6100 & 1x 4200). All are on the latest firmware (03.00.00.01-2Ct-uc-15) and system versions (24.11-RELEASE).

    The local subnets are as follows:
    4100 - 192.168.5.0/24
    4200 - 192.168.4.0/24
    6100 - 192.168.1.0/24

    The VPN traffic between the 4100 and 4200 is functioning 100% as expected.

    The traffic between the 6100 and the 4100 works going from the 4100 subnet (192.168.5.0/24) to the 6100 subnet (192.168.1.0/24).

    Traffic from the firewall (i.e. the 6100 device) to the 4100 subnet works (i.e. I can ping any device on the 192.168.5.0/24 subnet from the 6100 firewall) but I cannot ping any device on the 4100 (192.168.5.0/24) subnet from any device on the 6100 subnet (192.168.1.0/24) - other than from the firewall itself.

    All routes are correct, but it seems that traffic from the 192.168.1.0/24 subnet hits the firewall and then gets lost - traceroute shows that it goes off into the internet.

    Note too that the 6100 has IPsec VPN configured on it as well.

    Suggestions would be appreciated.

    Attached is a zipped PDF file with the relevant screenshots.

  • Discussions about WireGuard

    689 Topics
    4k Posts

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection to pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

    I will try and do some packet capture to see if that reveals anything.

  • PPP Autodisconnect/Reconnect

    1
    0 Votes
    1 Posts
    630 Views
    No one has replied
  • Bug - Squid package log dir

    1
    0 Votes
    1 Posts
    472 Views
    No one has replied
  • 0 Votes
    4 Posts
    1k Views

    It has to do with how the Netgate release of pfSense seems to be limiting the Zabbix2 packages to the 2.0.x branch.

    Perhaps the init scripts are not versioned or something. It installs the zabbix2-proxy-2.0.8 pkg v0.7_1 package but pulls the init script that has been updated for zabbix2-proxy-2.2.1 pkg v0.8_0.

    I know the Netgate release package repository lags behind a little, perhaps I can help get the zabbix2.2 updates fully tested so they can be released to the Netgate release.

  • Sending "upsmon -c fsd" to NUT (Network UPS Tools).

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Install squid does nothing :(

    8
    0 Votes
    8 Posts
    2k Views

    Thanks… And now it's worked.

    Really weird because I've installed and uninstalled many times, suddenly it appears. So I'm a happy camper, but odd that the GUI should report a successful installation when that doesn't seem to be the reality.

  • Squid3

    1
    0 Votes
    1 Posts
    709 Views
    No one has replied
  • Need help with a redirect loop in squidguard!

    1
    0 Votes
    1 Posts
    722 Views
    No one has replied
  • Snort blocks many websites badly

    2
    0 Votes
    2 Posts
    5k Views
    bmeeks

    @A999:

    Hi,

    I'm setting up a fresh pfSense box for proxying HTTP traffic at my office. I installed Squid3-dev and snort (updated VRT community rules and ETOpen rules). I disabled "block offenders" in snort but as time goes by, it's still blocking many normal websites like AWS, reddit, and many more photo sharing hosts. Descriptions for those blocked hosts are "UNKNOWN METHOD" or "DOUBLE DECODING ATTACK" or "NO CONTENT-LENGTH" or "TRANSFER-ENCODING IN HTTP RESPONSE".

    It would be great if somebody could tell me what's wrong here and what I should do to improvise. Thanks.

    Edit: snort is enabled on the WAN interface, and it's also blocking package downloads from pfsense.org for the same reason.

    Did you remember to stop/start the Snort process after you changed the blocking option from "on" to "off"?  If you uncheck "block offenders" and restart Snort, it won't block anything.  It will print alerts, but it won't block.

    The alerts you listed are considered to be common, known false positives from the HTTP_INSPECT preprocessor.  There is a long thread containing suggestions from experienced Snort users for suppressing false positives.  Here is a link:  https://forum.pfsense.org/index.php/topic,56267.msg300473.html#msg300473

    Bill

  • Squid Package status X how come ?

    2
    0 Votes
    2 Posts
    830 Views

    Have you just installed it (downloaded and added it to the menu system) from the package menu?
    Then you have to go to the "Services" –> "Proxy Server" menu option and at least press the "save" button there at the bottom.
    This will basically create the config file and start squid.

  • Snort time from alert to block

    18
    0 Votes
    18 Posts
    7k Views
    BBcan177

    @jandohrmann:

    alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP AUTH LOGON brute force attempt"; content:"AUTH LOGIN"; nocase; classtype:suspicious-login; sid:1000001; rev:2;)

    I didn't see the content:"AUTH LOGIN" in the rule above. My bad. Thought you were blocking port 25 completely at first glance.

  • Snort clearing block hosts ahead of schedule

    21
    0 Votes
    21 Posts
    10k Views

    Then…  you've made my point.

    But thanks for sharing what you have.

    Rick

  • Squid Reverse Proxy

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Snort doesn't stay running

    2
    0 Votes
    2 Posts
    714 Views
    bmeeks

    @ethos101:

    Every time Snort updates its rules we need to manually start the service again.  The log says it's restarted, but it is not.  Where else can I look for trouble signs?

    Thanks

    Look in the system log for clues.  My first suspicion is a disabled preprocessor, and the new rule update suddenly has introduced a dependent rule.  Look for any messages about "unrecognized or unknown rule option" in the system log.

    Did you disable any preprocessors on the PREPROCESSORS tab, or have you left everything at the defaults from the initial installation?

    Bill

  • Postfix - suddenly stopped working?

    4
    0 Votes
    4 Posts
    4k Views

    I got the same issue and selecting interface(s) in the "Listen on" list instead of "listen on all interfaces/ip addresses" solves it.

  • So many issues

    12
    0 Votes
    12 Posts
    5k Views
    bmeeks

    @MilesDeep:

    I will do what you recommend with regards to rule sets.

    One last thing on this topic,  you write:  As for your question on IPS Policy (Balanced, Security, Connectivity), that only shows up when you have enabled the download of the Snort VRT rules.

    We have enabled the download of the Snort VRT rules.  Where do I (globally, I hope) set the IPS Policy?

    You can select an IPS Policy on the RULE CATEGORIES tab for the Interface in the Snort menu.  So click Services…Snort and then select the Snort interface you want to edit by clicking the small e icon next to the interface.  Next, in the bottom row of tabs that appears, click RULE CATEGORIES.  You should see a dropdown selection like the one pictured in the attachment to this post.

    Bill


  • HAVP + Snort: connect() failed: Operation not permitted

    2
    0 Votes
    2 Posts
    1k Views
    bmeeks

    @Zosimo:

    Current setup

    pfSense 2.1-RELEASE (i386)
    FreeBSD 8.3-RELEASE-p11
    snort 2.9.5.5 pkg v3.0.3
    HAVP antivirus 0.91_1 pkg v1.01
    squid Network 2.7.9 pkg v.4.3.3

    Squid is configured as a transparent proxy, and HAVP as the parent for Squid (and set accordingly in the config). Snort is not configured to block sites when an alert is triggered, but is apparently doing so anyway.
    The system log files show:

    Feb 12 13:22:12 havp[55759]: connect() failed: Operation not permitted
    Feb 12 13:22:01 havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:22:00 havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:21:59 havp[44820]: connect() failed: Operation not permitted
    Feb 12 13:21:08 havp[77462]: connect() failed: Operation not permitted
    Feb 12 13:21:06 havp[78132]: connect() failed: Operation not permitted
    Feb 12 13:21:05 havp[44591]: connect() failed: Operation not permitted
    Feb 12 13:19:37 havp[57273]: connect() failed: Operation not permitted
    Feb 12 13:17:21 havp[55759]: connect() failed: Operation not permitted

    It would seem that I am having the same issue as the OP in this post: https://forum.pfsense.org/index.php/topic,18725.0.html.
    Was this ever fixed?

    Snort should not block anything if you have the "block offenders" checkbox unchecked on the Interface tab.  If you think Snort is the cause, simply stop the Snort process by clicking the green arrow icon on the Snort Interfaces tab and waiting for it to turn to a red X.  At that point Snort is dead and not blocking anymore.  Try your connection then.  If it still fails, then Snort is not your problem.

    Another way to check if Snort is the cause is to click on Diagnostics…Tables and select the snort2c table in the dropdown list.  If no IP addresses show up, then Snort is not blocking.  All blocked IPs by Snort get put in the snort2c table that you can view under Diagnostics…Tables.  If an IP address is not in that table, then Snort is not blocking that IP.

    Bill

  • pfSense proxy in parallel with Mikrotik

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • HAVP not found, fail clamd

    3
    0 Votes
    3 Posts
    1k Views

    Actually, this happens because the HAVP config expects to find the following files at /var/run/clamav:

    clamd.sock

    clamd.pid

    The thing is, in pfSense those files are found in /var/run, which is why the package can't find them. Moreover, there seems to be no way to change the path in the config file (and I read somewhere this was hardcoded into the scanner). The current workaround for this is creating this directory and linking the files together.

    mkdir /var/run/clamav
    ln -s /var/run/clamd.sock /var/run/clamav/clamd.sock && ln -s /var/run/clamd.pid /var/run/clamav/clamd.pid

    The problem is that these links get lost on every reboot. I've tried modifying the service startup script to create them automatically, but have had no luck so far.

    Hope this helps.

  • Help with NTP

    4
    0 Votes
    4 Posts
    2k Views

    There is a recently launched NTP attack on a large number of servers; dunno how many are left working properly. Last I heard it was a 400 Gbps DDoS.

    The reason removing pfblocker allowed it to work was that the attack was a coverup for an infiltration of some servers, who were subsequently identified as compromised and added to pfblocker's lists.

    MNSHO

  • Pure ftp package

    1
    0 Votes
    1 Posts
    693 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.