Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts
    N

    Can I use pfBlockerNG aliases in HAProxy?

    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts
    K

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    A

    @wbmstr2000 : Thanks! I will investigate it, greetings

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts
    K

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    johnpoz

    @MacUsers

    https://help.zerossl.com/hc/en-us/articles/360060119933-Certificate-Revocation

    edit: oh you prob out of luck

    You can revoke any certificate issued via the ZeroSSL portal. Currently, certificates issued via ACME can not be revoked from inside the portal - please follow the instructions of your ACME client for revoking those certificates.

    the gui in pfsense does not have the ability to revoke - you prob have to move the certs to something you have certbot installed to and revoke that way.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    R

    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered it automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    88 Topics
    573 Posts
    luckman212

    For 25.07 RC, this worked for me (run sh first)

    [25.07-RC][root@r1.lan]/root: sh
    # export IGNORE_OSVERSION=yes
    # pkg add https://pkg.freebsd.org/FreeBSD:15:amd64/latest/All/tailscale-1.84.2.pkg
    # service tailscaled restart
    # tailscale up
    # tailscale version
    1.84.2
      go version: go1.24.4
    # tailscaled -version
    1.84.2
      go version: go1.24.4

  • Discussions about WireGuard

    689 Topics
    4k Posts
    P

    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round i.e. from Client 2 to pfSenseA

    I will try and do some packet capture to see if that reveals anything.

  • Suricata geoIP DB

    2
    0 Votes
    2 Posts
    1k Views
    bmeeks

    @fsansfil:

    Hello,

    Is there a way I can force update the Suricata geoIP DB?

    Yes, you can manually do this from the command line.  Execute this command at a shell prompt –

    cd /usr/local/pkg/suricata && php suricata_geoipupdate.php

    @fsansfil:

    Can I modify a country list…lets say geoip:us,... I would like to add some IPs to it?

    Well, I guess you might could manually do this if you understand the internal structure of the GeoIP database files.  Any change would be overwritten with the next scheduled update, though.  I don't know the internal structure of those files.

    Bill

  • Squid3 Crashing ext_ldap_group_acl

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Which package to use?

    3
    0 Votes
    3 Posts
    736 Views
    A

    OK thanks for suggestion, I will try it for sure.

  • Squid3 not setting transparent mode in 2.2

    17
    0 Votes
    17 Posts
    3k Views
    L

    I just messed around with ad blocking yesterday. But I didn't use squid3 for it, I used an /etc/hosts file addition.

    make a directory somewhere convenient, I used: mkdir /usr/local/www/adblock_hosts
    in a ssh on pfSense, install wget: pkg install wget
    cd /usr/local/www/adblock_hosts
    wget http://winhelp2002.mvps.org/hosts.txt
    in pfSense webconfigurator gui -> Services -> DNS Forwarder -> Advanced, add addn-hosts=/usr/local/www/adblock_hosts/hosts.txt

    Optional:

    set up a cron job to occasionally (e.g. once a month) update the hosts file

    However, what I found was quite a few sites stopped working. Lots of sites obviously rely on an ad being served before they progress on to the next stage (e.g. serving me the video I requested). So I scrapped the idea. I then went and created my own my_hosts.txt with just a few entries to try it out, google-analytics stuff and a couple of ad servers, a dozen lines in total for now. And then put that dnsmasq addn-hosts line with my_hosts.txt.

  • Upgrade pfsense 2.2 freeradius2

    2
    0 Votes
    2 Posts
    634 Views
    S

    I got it fixed when I went to "Packages" tab and reinstalled Freeradius2 by pressing on its [pkg] button.

  • Can't start Squid

    9
    0 Votes
    9 Posts
    2k Views
    KOM

    Sorry I don't understand what you mean?

    The person Jim was replying to was using Squid2 (" I have now installed just  "squid    Network  2.7.9 pkg v.4.3.6"…..")  Jim told him to use Squid3.

  • Squid3-dev - c-icap - amd64 - ICAP protocol error

    9
    0 Votes
    9 Posts
    4k Views
    marcelloc

    @Antonio_Grande:

    It is possible to fix it, or it really nonremovable error in 2.1.5 x64 in ICAP?

    https://forum.pfsense.org/index.php?topic=77264.msg487042#msg487042

  • Squidguard update script error

    3
    0 Votes
    3 Posts
    1k Views
    I

    Fixed the library problems, but now I'm stuck with this error

    ERROR: MIME Config Table /usr/local/etc/squid/mime.conf: (2) No such file or directory
    FATAL: MIME Config Table /usr/local/etc/squid/mime.conf: (2) No such file or directory
    Squid Cache (Version 3.4.10): Terminated abnormally

    I did the symlinks

    ln -s /usr/pbi/squid-i386/local/lib/libmd5.so.0 /usr/lib/libmd5.so.0
    ln -s /usr/pbi/squid-i386/local/lib/libecap.so.2 /usr/lib/libecap.so.2
    ln -s /usr/pbi/squid-i386/local/etc/squid/squid.conf /usr/local/etc/squid/squid.conf
    ln -s /usr/pbi/squid-i386/local/etc/squid/mime.conf /usr/local/etc/squid/mime.conf

    I think the best solution is for the squidGuard script to point to /usr/pbi/squid-i386/sbin/squid because there is no error with /usr/pbi/squid-i386/sbin/squid -k reconfigure

  • LCDproc not working with CFA (Crystalfontz) 633 USB LCD

    8
    0 Votes
    8 Posts
    3k Views
    T

    Wow Updated to lcdproc-0.5.7_2 pkg v. 0.9.10 and now my LCD broke sitting at server screen but no clients.. I had to fix it last time what happened this time?

  • Squid and pfSense 2.2 page timeouts

    5
    0 Votes
    5 Posts
    1k Views
    D

    Thanks for the info.  In playing around with things I really broke some other things I was trying to setup, so I wiped the server and reinstalled.  One thing I did differently was after installing squid3, I restarted it immediately, and now the problem seems to have gone away.

    Thank you for the help.

  • Can't see any blocked in Snort 2.9.7.0 pkg v3.2.3

    2
    0 Votes
    2 Posts
    502 Views
    bmeeks

    @okaenrique:

    Hi!

    I use Snort 2.9.7.0 pkg v3.2.3. There are so many Alert Log entries but I can't see any Blocked Hosts Log??

    help please

    in my pfsense

    Alert Settings

    Block Offenders Checking this option will automatically block hosts that generate a Snort alert.
    IPS Policy Selection   Snort IPS policies are: Connectivity

    Is there any option I have missed?

    Compare the IP addresses in the alerts with your local networks.  Remember that by default your local networks are not blocked.

    Another possibility is the blocks are happening but then clearing out automatically before you see them.  What value is the "Remove Blocked Hosts Interval" set for?  This is on the INTERFACE SETTINGS tab.

    Bill

  • Snort IP Lists - whitelist configuration

    2
    0 Votes
    2 Posts
    1k Views
    bmeeks

    @cjbujold:

    We use the new Snort IP Lists option for whitelisting some key users.  Is it possible in the list to place comments identifying the user?  In the snort suppress list we can place a comment by using the # sign before the comment.  Does this option exist in the IP lists for whitelisting or blacklisting IPs?

    Thanks
    cjb

    Yes, I believe Snort will understand and skip comment lines.  However, the comments will not be parsed and used in any way.  In other words, they won't appear in any logged output.

    Bill

  • Problem with squid after 2.1.5 fresh install

    16
    0 Votes
    16 Posts
    2k Views
    F

    @marcelloc:

    @firefox:

    how do i do that ?

    Disable HAVP integration and test squid package only.

    Once you get it working, test havp.

    I guess I've done it
    That's the only way I had Internet access
    Only I did not know
    The test is done like this

    thank you both

  • Snort Rule Actions

    9
    0 Votes
    9 Posts
    4k Views
    bmeeks

    @fsansfil:

    Working like a charm. Thanks Bill.

    A lot of fun to see which engine catches what when the other doesn't

    F.

    Thanks for the feedback.  Glad to know it works like I intended.  I just had never tested it, though.  Since one day the plan is to implement inline mode that will not require an alias table, I never pushed the pfSense guys about adding a new built-in alias table just for Suricata.  The Snort table was added well before I ever even knew pfSense existed.

    Bill

  • Open-VM-Tools install fails

    17
    0 Votes
    17 Posts
    8k Views
    F

    No luck with anything, doesn't look like it is a high priority for the devs, there hasn't been any code changes on the git repository for this package  :(

  • SquidGuard on 2.2 not blocking was on 2.1

    12
    0 Votes
    12 Posts
    2k Views
    V

    If I block port 443 that will cause https to fail right?  If I want to make that work, can you point me to the instructions for making that work i.e. block when needed.

    Thanks!
    Rob

  • Error : The requested URL could not be retrieved - pfsense - squid3

    6
    0 Votes
    6 Posts
    4k Views
    KOM

    is there anyway to get the antivirus to work?

    No idea, but then I don't use that stuff.  I played with the Clam package but it was slowing down our link too much, and we already subscribe to a large vendor AV solution on all clients and servers here so the Clam stuff was redundant and less effective.  I know the new 2.2 using HAVP, but I still won't use it.

  • Snort 2.9.7.0 v 3.2.2 shows N/A

    8
    0 Votes
    8 Posts
    2k Views
    bmeeks

    @PfChris:

    Hi bmeeks,

    i had "auto management" on and the Alerts File set to 500KB.

    Changed it to 50MB and will now check if the "problem" occurs again.

    Besides the "N/A" - does it work like it should?
    If the N/A is only a "cosmetic" thing then i don't mind at all - as long as snort is working properly

    Thank you for your help

    Most assuredly it works.  The "N/A" is purely cosmetic.  The blocked IP is in the blocking alias table (the <snort2c> table) or else it would not show up on the BLOCKED tab.  As I described above, the "N/A" simply means the alert log got rotated and so the GUI can't find the old alert description to display.  It does not mean the block is invalid or anything.  It just means the GUI code can't find the old rule description to show you (since it got rotated with the older alert log file).

    Bill

  • Monit "package" for pfSense part 3

    2
    0 Votes
    2 Posts
    792 Views
    C

    I've been using monit I think since 1.2 days… Great little tool! If I ever start to learn to code, this would probably be my first pfSense package.

  • LCDproc

    5
    0 Votes
    5 Posts
    1k Views
    M

    :) Thank you

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.