@marcelloc:

@bmeeks:

You can write Snort rules to block whomever you wish based on traffic content.  On the Rules tab, select "Custom Rules" in the drop-down and then create your own Snort text rules.  You must get the syntax correct before the save will be successful.

I think asbirim is trying to block offenders based on snort rules but block only specific ports instead of blocking all ip traffic changing pf rule created by snort.

On pfblocker I've added an option to only create alias but do not apply rules. This way sysadmin can create any rule based ou package created alias.

Oh…OK.  I wasn't initially understanding his intent.  I'm not sure this idea really fits into what Snort is about, though.  Sounds more like something for one of the other packages like pfBlocker perhaps.

Bill

@Mitterwald:

Just did an update to the current RC0 snapshot and deinstalled snort and installed it again.
The config still remained on my pfsense.

But now it seems to work again. WAN is up for over 30 Minutes now, already blocked several attackers.
So seems ok for me again.

P.S.: I didn't changed any VMWare settings up to now.

Some things changed in the latest snapshot of the RC0 release.  I have not investigated what changed, but I did notice my test 2.1RC0 box was prompting me about an update.

Bill

@marcelloc:

Try to fill https field options.

No luck with that.  Am I getting the FQDN and URI stuff correct?  The actual address that I am looking to start is something like:

https://starch.hopto.org/web/

If it makes any difference that is a dynamic dns I use to keep up with my home IP as it changes often.  Would there be any issue with that?

@iodaddio:

So if you have http/https going through squid3 proxy, I have transparent for both and mitm.  Then how does dansguardian check traffic?  It seems that once squid3 breaks into http/https it would need to send the hacked traffic to then be scanned by dansguardian…  not sure how that works.  sorry, proxy setups still mystify me.

It will not, only icap/redirector calls will work as it's a ssl connection.
Try squidguard or enable mitm on dansguardian(alpha code for mitm)

@iodaddio:

I ask because my assumption is that if I make 2 nat rules to send traffic to dansguardian. it would then be responsible for mitm, is that correct?  I think that would be setup like this:

No need to do nat rules while using squid3-dev(The package will do that for you).

@ESWBitto:

I'm having an issue where my snort sensors are using over 700 mb of memory each. If I only had one sensor that would not really matter, but I have 7! We've had to tweak the amount of rules and Emerging threats that are used and frankly I don't want to have to sacrifice not using all or most of the rule sets.

Is this the norm? Does anyone have any suggestions on tweaking the memory usage? In the gui the selected option for the lowest memory consumption for best performance is already selected (I think it was the default)

I believe I read somewhere that each sensor by default should only use 200 MB each.

Bitto

Snort with a lot of enabled rules and a lot of connections will eat memory.  There are settings that can be tweaked to improve this a bit, but nothing beats having at least 4 GB of RAM per sensor.  RAM is pretty cheap these days anyway.

Also, there is no point in trying to run all the rules (both ET and Snort VRT).  I'm sure there are partisans on both sides of the issue who will swear one set is better than the other (ET vs. VRT), but you might consider choosing Snort VRT with the IPS-Connectivity policy to start with.  That will catch most stuff and not give a lot of false positives.  As you gain experience with Snort and its behavior with your specific network traffic, you can bump up to the IPS-Balanced or even IPS-Security policies.  Just be aware that these are likely to start giving false positives and need tuning.

Here is a link about hardware sizing for Snort:  http://mikelococo.com/2011/08/snort-capacity-planning/

Bill

Figure that since the http-proxy option is already there it shouldn't be to much to just make proxy type selectable.  (http proxy or socks proxy)

that would be terrific.

@marcelloc:

@friskee:

Any ideas?

you do not need wbinfo -u. It will work only on small user lists.

wbinfo -t is all you need to know if it is running or not.

how do I know that it can successfully pull users from active directory?

Defaulting to a restricted one-category list tab does a few bad things (and probably more I'm not thinking of):
1. As mentioned previously, people will not see the tabs and wonder where packages disappeared to.
2. People will have to hunt through multiple tabs to find a package if they don't know and can't correctly guess the package category. What took two clicks before suddenly takes half a dozen and a lot more time.
3. It makes it less obvious just how many awesome packages there are. The giant list makes us look good there. :-)

I would not use tabs at all, but do search and include categories in the search. Your "tabs" could now just be shortcut links to search the category, or a search filter that does the same job.

Best thing, I think, would be that the default should be 'all packages' but have a search box right at the top. Maybe a drop down to restrict by category but it would have "All packages" as its first choice.

Perhaps something like:

[ Text Box For Search ] [Category Drop-Down] [ "Go"/"Search" button ]

Enter search terms to filter the list, or select the category from the box, press search (no text entry) would display all packages in the category.

Since the entire list of packages is known before the page is rendered, that could all be done in javascript and could do autocomplete or immediate filtering (meaning it could look like AJAX but doesn't actually make additional calls)

thank you. it's weird though because i don't see a cpu spike when i download a large file over vpn on the 1 ghz system.

If I am not mistaken, VMware had provided the drivers for FreeBSD. Don't get me wrong here.. VMTools works, not sure what one gains by installing it other then adding drivers for network cards. I can understand VMware tools for Windows etc. but for pfSense my main goal was for VXN. If the drivers don't work, I don't want to install VMTools and break my baby ;)

I was able to reproduce this on a test router, and I have posted this at:

http://forum.pfsense.org/index.php/topic,42543.msg340581.html#msg340581

Thank you, found it.

Thanks.

@SoFlo1:

I'm having a few of problems with DG and wondered if there wasn't a tweaking/tuning guide somewhere that works through all these issues.

First, the Japanese porn weighted phrase list was triggering on all kinds of random crap - like shopping for shelves at homedepot.com. So I turn that off only to find other weighted lists that keep triggering on completely random stuff. Are there better weighted lists than what the DG package for pfSense ships with are are they just generally known to be pretty useless?

Anyway, the other problem is with weighted phrases turned on, certain sites like reddit get all munged - reduced to a simple links-only kind of rendering, some graphics but no layout.

The other, other problem I'm having is inline JPEGs stripped out, but not other MIME types. I'm sure this is a setting somewhere but it doesn't seem to be as obvious to find as I would have thought.

I'm sure everyone's run across these and more so maybe you could just point me to a "living with dansguardian" link before I give up? Thanks.

I'm fairly confident this is something to do with your configuration… been using it for years with none of these issues.

MatSim,

you coul have a look at the "bypass proxy" options on squid. In my environment I bypass proxy for all internal communication.
If you bypass the proxy for some source/destination IPs then the pfsense firewall rules need to do the job for port 80 (http).

If you do not bypass the proxy for that traffic then you must configure ACLs on squid which allow/deny that traffic on port 80 (http).