Subcategories

• Cache/Proxy

  Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

  3524
  Topics
  19258
  Posts

  P

  @planetinse

  removed package - then install package - did the trick

• IDS/IPS

  Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

  2048
  Topics
  13842
  Posts

  J

  Had a few in-between other activities and came up with this. RE: bonus on ideas - "..things that make you go Hmmmmm....." lol

  Including if useful to anyone else - this appears to solve the riddle..... Not "pretty" but addresses the need with a few options that can be applied to satisfy some conditions. Could probably be augmented to enable specification of "interface" to further simplify.

  Spoiler

  #!/usr/local/bin/perl # use strict; use Getopt::Long; $| = 1; # GetOptions('debug'=>\$PROC::DEBUG,'include=s'=>\$PROC::INCLUDE,'severity=s'=>\$PROC::SEVERITY,'targetfile=s'=>\$PROC::TGTFILE,'mergefile=s'=>\$PROC::MRGFILE,); if (defined($PROC::DEBUG)) { $PROC::DEBUG=1; } else { $PROC::DEBUG=0; } %PROC::INCS=(); if (defined($PROC::INCLUDE)) { foreach(split(/,/,$PROC::INCLUDE)) { $PROC::INCS{$_}=0; } } # @PROC::DIRS=('/usr/local/share/suricata/rules','/usr/local/etc/snort/rules',); %PROC::HASH=(); # foreach(@PROC::DIRS) { my $RDIR=$_; opendir(DIR, "$RDIR"); rewinddir(DIR); while(my $FILE=readdir(DIR)) { if ($FILE=~/\.rules$/) { my $CHECK=$FILE; $CHECK=~s/\.rules$//; if ((keys(%PROC::INCS)>0) && (exists($PROC::INCS{$CHECK}))) { &procFile("$RDIR/$FILE"); } elsif (keys(%PROC::INCS)==0) { &procFile("$RDIR/$FILE"); } } } closedir(DIR); } # if (defined($PROC::MRGFILE)) { open(INF, "<$PROC::MRGFILE"); while(my $LINE=<INF>) { chomp($LINE); if (($LINE!~/^#/) && ($LINE!~/^[[:space:]]{0,}$/) && ($LINE=~/^suppress[[:space:]]{1,}/)) { my $GID=$LINE; $GID=~s/^.*gen_id[[:space:]]{1,}//; $GID=~s/,.*//; my $SID=$LINE; $SID=~s/^.*.sig_id[[:space:]]{1,}//; if ($SID=~/,/) { $SID=~s/,.*//; } if (exists($PROC::HASH{$GID}{$SID})) { delete($PROC::HASH{$GID}{$SID}); } } } close(INF); } my $FH; if (defined($PROC::TGTFILE)) { open $FH, ">", "$PROC::TGTFILE" || die("ERROR: $PROC::TGTFILE $!\n"); select($FH); } elsif (defined($PROC::MRGFILE)) { open $FH, ">>", "$PROC::MRGFILE" || die("ERROR: $PROC::MRGFILE $!\n"); select($FH); print $FH ("\n"); } foreach my $ID (keys %PROC::HASH) { foreach my $SID (sort {$a<=>$b} keys %{$PROC::HASH{$ID}}) { my $MSG=$PROC::HASH{$ID}{$SID}{msg}; my $FILE=$PROC::HASH{$ID}{$SID}{file}; print ("# ($FILE) $MSG\nsuppress gen_id $ID, sig_id $SID\n\n"); } } if (defined($PROC::TGTFILE) || defined($PROC::MRGFILE)) { close $FH; } # if (defined($PROC::MRGFILE)) { my $F = do { local $/ = undef; open my $FH, "<", "$PROC::MRGFILE"; <$FH>; }; $F=~s/\n//g; $F=~s/#/\n\n#/g; $F=~s/suppress[[:space:]]{1,}/\nsuppress /g; $F=~s/^\n{1,}//; open(OUF, ">$PROC::MRGFILE"); print OUF ("$F\n"); close(OUF); } # sub procFile { my ($FILE)=(shift); if ($PROC::DEBUG==1) { print ("\tFILE : $FILE\n"); } open(INF, "<$FILE"); while(my $LINE=<INF>) { chomp($LINE); if ($LINE=~/^alert ip [/) { my $SID=$LINE; $SID=~s/^.*.sid://; $SID=~s/;.*//; my $MSG=$LINE; $MSG=~s/^.*.msg://; $MSG=~s/;.*//; $MSG=~s/"//g; my $SEV=$LINE; $SEV=~s/^.*.signature_severity //; $SEV=~s/,.*//; my $F=$FILE; $F=~s/\.rules$//; $F=~s/^.*.\///; if ($PROC::DEBUG==1) { print ("\t\t1 : $SID : $F : $SEV\n"); } if (defined($PROC::SEVERITY) && ($SEV eq $PROC::SEVERITY)) { $PROC::HASH{1}{$SID}{msg}=$MSG; $PROC::HASH{1}{$SID}{file}=$F; } elsif (!defined($PROC::SEVERITY)) { $PROC::HASH{1}{$SID}{msg}=$MSG; $PROC::HASH{1}{$SID}{file}=$F; } } } close(INF); return; } # __END__ ## ## Documentation ## =head1 NAME generate-suppress.pl =head1 SYNOPSIS generate-suppress.pl --debug --include=<include> --severity=<severity> --targetfile=<targetfile> --mergefile=<mergefile> =head1 DESCRIPTION Generates suppression data from source rules for "alert ip" style entries =head1 FUNCTION Insert or merge alert ip suppression data for SNORT/Suricata =head1 OPTIONS =over =item <debug> Enables debugging output. =item <include> Specifies which rule(s) to include in the resultant data. Comma separated - B<NO> spaces. =item <severity> Filter resultant rules to only those that match severity. (As of creation, appears to be either "Major" or "Minor") =item <targetfile> If the target file exists, it B<WILL> be overwritten with the results. =item <mergefile> If the mergefile already exists, it will be read and only [missing] deltas will be added. =item NOTE If neither targetfile nor mergefile are specified, the results are printed to STDOUT. =back =head1 COMMON USAGE perl generate-suppress.pl --mergefile=/usr/local/etc/suricata/suricata_<ID>_<interface>/threshold.config =cut

• Traffic Monitoring

  Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

  525
  Topics
  2491
  Posts

  M

  I have been reading [RFC5101], [RFC5102] and [RFC5103], and decided to play with IPFIX in pfSense.
  I'm using softflowd package and it is working with bidirectional flows disabled.

  However, when I enable bidirectional flows, I get the following error in my Netflow server (graylog):

  java.lang.IllegalArgumentException: Multiple entries with same key: octetDeltaCount=2936 and octetDeltaCount=5016

  I've included the element ID 239, biflowDirection, data_type": "unsigned8" as referenced in RFC5103.

  Any glues for what I may be missing here ?

  Thanks

  Edit: I think the problem relies with Graylog, opened a topic there: https://community.graylog.org/t/ipfix-input-multiple-entries-with-same-key/30047

• pfBlockerNG

  Discussions about the pfBlockerNG package

  2275
  Topics
  17217
  Posts

  M

  @jrey Yes, we can only wait and see. Thx for your input.

• ACME

  Discussions about the ACME / Let’s Encrypt package for pfSense

  407
  Topics
  2311
  Posts

  B

  Hi,

  this is what I get for a cert renew:

  [Fri Sep 22 19:44:10 CEST 2023] _postContentType [Fri Sep 22 19:44:10 CEST 2023] Http already initialized. [Fri Sep 22 19:44:10 CEST 2023] _CURL='curl --silent --dump-header /tmp/acme/mydomain.org/http.header -L -g ' [Fri Sep 22 19:44:10 CEST 2023] _ret='0' [Fri Sep 22 19:44:10 CEST 2023] h='mydomain.org' [Fri Sep 22 19:44:10 CEST 2023] h='org' [Fri Sep 22 19:44:10 CEST 2023] h [Fri Sep 22 19:44:10 CEST 2023] invalid domain [Fri Sep 22 19:44:10 CEST 2023] Error add txt for domain:_acme-challenge.mydomain.org [Fri Sep 22 19:44:10 CEST 2023] _on_issue_err [Fri Sep 22 19:44:10 CEST 2023] Please check log file for more details: /tmp/acme/mydomain.org/acme_issuecert.log

  Trying to wait a while by DNS-Sleep = 180 but doesn't changed the behavior.
  Configured Method is DNS-INWX.de .

  It's failing on two different installations booth working before.
  Some weeks ago I was updating to ACME pkg v0.7.5 but doesn't checked cert renewing immediately after.

  Any hints for me here...?

  Best!

• FRR

  Discussions about the FRR Dynamic Routing package on pfSense

  243
  Topics
  974
  Posts

  H

  I found this How-to setup my exact setup at one of my new sites but the guy was using a Cisco 4948. Is there anyone here familiar enough with Cisco to convert this to work on pfSense? I want to use pfSense because it is what I have and I am familiar with working on. I just have not done very much dynamic routing nor used FRR much at all. I will greatly appreciate someone with the knowledge to convert this setup. The router that the ISP put in is causing all sorts of issue plus a bottleneck of about 20% bandwidth because it is only 1gbe on the WAN and the modem is 2.5gbe. I have some issues with a SaaS and the vendor is saying its this router, I tested it out over the DHCP connection via pfSense and they are right it is the router causing the issue. But I need the static IPs to work for VPN connections that are all across the country at my other sites, I would have to go-to every location to change them, that would be a big mess over a POS $100 router.

  Here is his post:

  How to bring your own equipment and have static IPs
  While it may be going away. Classifying ISPs under Title II is a great thing, and requires that an ISP (Comcast) let you use your own equipment.  This is federal law, and even if Title II was repelead. Saying it is technically mandatory for you to use comcast's equipment just to get you to rent it, I'm pretty sure that could violate parts of the uniform commercial code, but let's just say the tech's don't know any better.
   
  Let's clarify some things.

  Comcast owns no propietary internet technology everything from your modem / router to their hub runs on well known standards usually described in RFC's
   
  2.Every piece of comcast equipment you will see is mass produced linksys / netgear devices. Comcast uses a well known standard called DOCSIS 3.0 to get you internet over coax, tftp to load your modems config and SNMP to manage it. While they have some smart people. They didn't make any changes to the standards and while some of them may have been a part of the design, I doubt it. Comcast built it's one custom web interface for your device specificially designed to prevent a consumer from getting full access to their information. Aside from popping up xfinity hotspots these modem/routers scan your internal network and are vulnerable. The CG300DCR for instance. You cannot fully turn off or change the 10.1.10.1 ip addresses. You can't isolate them. it also has an way more open ip address if 192.168.100.1/24. It will respond to DNS requests from almost any local ip set. It will grant that 10.1.10.1 access to the internet, and so on. At no time are all the Static IPs loaded into a comcast modem router. That doesn't even make sense.
   
  Here is how comcast does their static ip address configuration.
   
  There is a virtual port (or perhaps it's the coax port) that gets a dynamic public ip address. This is not part of your static range.
  The modem/router then gets the default gateway IP address assigned to another virtual port. Which those ports on the back can talk to. 
   
  What needs to be loaded is the dynamic routing config. (because apparently one spoke site couldn't possibly work with a static routing. That'd be to easy).
   
  Comcast uses RIPv2 with an authentication key to do route updates. The comcast techs can log into your modem and see what this authentication key is, among other things and make other changes.
   
  I rent a business class internet with 13 static IPs and I finally found an employee who would provide the info. I am running a CPE TP link modem in bridge mode and my Cisco 4948 is doing the RIPv2 routing, and it works, and a device I can fully control is now the gateway, which for people who use their own firewalls or perhaps like to not do nat on an internal network between public and private ips,and while I acknowledge that some of the comcast routers can do some of this, they don't do it well, their techs aren't informed and it just creates more headaches for the it department.
   
  Anyway here's the excerpted config from my cisco 4948 switch, but any device that supports RIPV2 will be able to handle this.
   
  So get a CPE modem and put it into bridge mode (I used a TPLINK 7620)
   
  plug it into a port on the cisco switch (I used Gi1/1)
   
  Configure rip globally. (notes in bold
   
  ////

  router rip brings you into the rip config
  version 2 specifies version
  no validate-update-source This may not be necessary. In fact comcast doesn't send any rip routes your way
  passive-interface default This turns off RIP messages going out all the interfaces on your switch,
  no passive-interface GigabitEthernet1/1 This tells it to use port Gi1/1 to send RIP routing info
  network 0.0.0.0 so this is lazy, it identifies any network you want to advertise and advertise on, but because the wan ip is dynamic there was really no other way
  distribute-list 28 out GigabitEthernet1/1 This refers to an access list and uses it to prevent you from sending internal routes out to comcast
  no auto-summary This is probably unecessary but a hold over from training or a place I worked
  //////
   
   
  ////////  So  this access list basically blocks any private ip address from being advertised to comcast. (and I hope they have some safequards on their end. If you have other wan links in your network I would add them to deny statements if possible
  access-list 28 deny 10.0.0.0 0.255.255.255
  access-list 28 deny 172.16.0.0 0.15.255.255
  access-list 28 deny 192.168.0.0 0.0.255.255
  access-list 28 permit any
  ////////
   
  /////// this is the authentication key for the rip messages, I've blocked it out. It's done in the global config
  key chain comcast
  key 1
  key-string 7 ##########################
  ////////
   
   
  ////////// Interface to comcasat router
  interface GigabitEthernet1/1
  description /Link -> Comcast Router/
  no switchport
  ip address dhcp tell's it to grab an ip address via dhcp. Also on cisco make sure you don't have a gateway of last resort. this will add one to your config with a space than 254 at the end. If you have another one pointing at the same interface it will screw with your performance on some models
  ip rip authentication mode md5
  ip rip authentication key-chain comcast
  ip summary-address rip xx.xx.xx.xx 255.255.255.240 this should be your static ip address, makes it really easy for rip to advertise
  no cdp enable 
  spanning-tree bpdufilter enable
  //////////////
   
   
  ///////////////So to each his own, but I use Vlans and this just happens to be where my static ip vlan is.
  interface Vlanxxx
  description /Static Gateway/
  ip address xxx.xxx.xxx.xxx 255.255.255.240
  ////////////
   
  and we're done

  ///////////END of his post.

  So if anyone knows howto convert this it would help me out a lot!
  Thanks

• Tailscale

  Discussions about the Tailscale package

  42
  Topics
  179
  Posts

  J

  @dopeytree In the latest dev build (23.09.a.20230920.1314), I see this version

  132d667b-61d2-47b4-8998-3d6b4181f34c-image.png

• WireGuard

  Discussions about WireGuard

  484
  Topics
  2774
  Posts

  M

  SNORT!!!