Thanks guys for your replies. Just to clarify so pfSense allow users to have two interfaces (LAN and WAN ) on SNORT so users are able to choose whether to set SNORT on LAN/ WAN or both depending on where does pfSense is install (public facing servers or not?) and how do the user want to protect their network ?

Apparently these packages are all screwed up in 2.2. Getting nothing but TCP_Miss/503 and other similar errors with Squid3 all by itself. I'm not even touching dansguardian now and these are the issues that I am getting. So frustrated with this.

i never had to set up sip proxy on the phones to get it to work and everything worked fine on 2.1.5. ill try to upgrade to 2.2 again and set the proxy on the phones to see if that fixes anything. it's strange.

It was broken and fixed a day later.. v0.20 should have had the correct files though.. the fix and version bump to 0.20 where both done in 1 commit: https://github.com/pfsense/pfsense-packages/commit/14f241199fde80e9e29b68ca4ceb3c046e7662c7

There have been a few reports of this - something happens to php-fpm.
It does not happen [often/for many people] and so the root cause and the fix have not been found.
If you have any interesting observations about our system, and anything interesting in logs then please post.

Sorry to not be of any direct help!

Yes. Re-installed many times. Tried a restart. Still the same error as seen here:

Feb 15 13:33:45 php-fpm[94349]: /pkg_mgr_install.php: The command '/usr/pbi/squid-i386/sbin/squid -f /usr/pbi/squid-i386/local/etc/squid/squid.conf' returned exit code '1', the output was '/usr/pbi/squid-i386/local/sbin/squid: Undefined symbol "_ZN7libecap4NameC1ERKNSt3__112basic_stringIcNS1_11char_traitsIcEENS1_9allocatorIcEEEEi"'

@power_matz:

Thank you for your answer.

Here are the facts:

Filesystem          Size    Used  Avail Capacity  Mounted on /dev/ufs/pfsense0    1.8G    295M    1.4G    17%    / devfs                1.0K    1.0K      0B  100%    /dev /dev/ufs/cf          49M    1.4M    44M    3%    /cf /dev/md0              38M    680K    35M    2%    /tmp /dev/md1              58M    18M    35M    34%    /var devfs                1.0K    1.0K      0B  100%    /var/dhcpd/dev

It should be sufficient, or?

No, your /tmp and /var partitions are probably too small depending on the exact number of rules you have.  You want at least 100 MB available and you are showing only 35 MB available.

Bill

[bump] last call for help before I just nuke and pave.

Update 28/02 for anyone who encounters a similar problem:
Backed up configuration, nuked, paved, restored config. Issue was resolved. My guess is that an update failed in the middle of writing files or something similar and borked some download functions.

It's a browser related config. Not pfsense or proxy. If you are on internet explorer try a real browser instead.

@enivre1717:

Because my boss want to know what is the pros and cons of using barnyard in SNORT. I can't find any from google.

https://github.com/firnsy/barnyard2

Read the description part.

Basically you use barnyard2 to send alert and other data to a SQL database and then use something like Snorby (https://snorby.org/) to view that data.

This isn't really something that you can make a pros/cons list off. It's something you need or don't.

The "old" squidGuard package for 2.x didn't work. Not even for 2.x. However the -squid3 variant works for both 3.x and 2.x now, so I combined them back into one package. The current "squidGuard" is the same as the old "squidGuard-squid3" – only difference is the name. :-)

@jflsakfja:

Don't care about real time lookups, but a per minute lookup would be nice to stick into a variable. Just saying… ;)

Can't pfsense's existing setup be used for that? Since the majority will be doing their realtime lookups through unbound, it should be pretty fast, even when used in realtime, with regards to keeping up with traffic.

Not talking about a 10Gbps snort (don't even know if it can push up to that)/suricata looking up a billion IPv6 addresses. Talking about sticking an alias to suricata, having it look up a single (or few) hosts to allow for a VPN for example to be tightened down. Used with an allow only VPN access from this host suricata rule, for example. Yes that can be done with normal pfsense rules, but it's an example.  :D

Sorry for taking over the thread Mr. Jingles, but I fixed it near the end  ;D

I have considered perhaps leveraging the filterdns daemon and its alias tables within pfSense to allow some small level of FQDN support for pass list entries.  It would take some significant mods to the way the old Spoink output plugin for Snort has been engineered.  Today it reads a simple text file of IP addresses and stores them in a linked list in memory once at startup.  Whenever a "block or no block" decision is required, that in-memory IP list is scanned to see if the source IP, destination IP or both are in the list.  If true, the block is not inserted into the <snort2c>alias table in pf.  Of course the "which IP to block" setting is also part of the logic.

Bill</snort2c>

follow main pfblockerNG topic, there are a lot of information there.

https://forum.pfsense.org/index.php?topic=86212.360

BTW, most config tabs has a lot of information on how to configure.

Yes for the reverse proxy

I don't think it's a domain issue

Some settings are sticky. I remove them from the GUI but Squid RP still uses those settings.

ok, I believe I found a work around.
First install Squid3
Second, disable the Antivirus and hit save
If you are using Transparent proxy make sure you select your proxy interface and save

Once you do this Squid should fire.

If you want to use Squidgaurd then you'll need to install, check your configuration and then hit download to download your block list. For some reason squidguard won't fire if you hit apply or save in the main menu. If it still doesn't fire go back to the main menu, hit apply then save then go back and tell it to download the block list again and it should fire once it finishes downloading and installing the block list.
This is the only way I can get squidgaurd to work. If you follow the download with hitting apply or save again squidgaurd will stop.

Good advice above from jflsakfja and fsansfil.

In my view it is sort of like preferring vanilla over chocolate when choosing an ice cream flavor.  It is a case of personal taste.

If you have a paid Snort VRT subscription, then those rules are updated twice per week (on Tuesdays and Thursdays).  The Emerging Threats Open rules (ET-Open) are updated pretty much daily, but they cover a subset of the threats that are covered by the ET-Pro (paid) rules.  The ET-Pro rules are also updated daily.  Currently an ET-Pro subscription is $499/year.  The Snort VRT (for home use) is $29.99/year.  There are free Snort rules available that only require you to register, but they are 30-days old (meaning no protection for any threats newer than 30 days).

So if you use the totally free rules from either Snort VRT or Emerging Threats, you have to accept the fact you are not protected from all of the current threats.  However, as jflsakfja said, you can compensate by writing your own custom rules for either package (Snort or Suricata) if you fully understand your network and have a good grasp of the signatures for current malware threats.

In my view, neither package is necessarily "better".

Bill

Well, crap.  I found out my issue is this:
https://forum.pfsense.org/index.php?topic=40622.msg479547#msg479547

Apparently pfsense 2.2 security sysctrl option does not allow non root users to listen on low ports - and /var/spool/postfix is owned by the postfix user.

All right. Thank you.

Nicolas