Subcategories

  • Discussions about packages which handle caching and proxy functions such as squid, lightsquid, squidGuard, etc.

    4k Topics
    21k Posts

    Can I use pfBlockerNG aliases in HAProxy?

    If it was a firewall rule, typing pfb would produce a dropdown to select.

    Here it has to be written, but will it work? Is it supported?

  • Discussions about packages whose functions are Intrusion Detection and Intrusion Prevention such as snort, suricata, etc.

    2k Topics
    16k Posts
    bmeeks

    I saw where the Netgate kernel developer updated the Suricata package in the pfSense 25.07 development branch to work with the new kernel PPPoE driver. But so far as I know that updated package has not been migrated to 2.8 CE.

    Here is the commit into the DEVEL branch: https://github.com/pfsense/FreeBSD-ports/commit/68a06b3a33c690042b61fb4ccfe96f3138e83b72.

  • Discussions about packages that handle bandwidth and network traffic monitoring functions such as bandwidtd, ntopng, etc.

    571 Topics
    3k Posts

    @pulsartiger
    The database name is vnstat.db and its location is under /var/db/vnstat.
    With "Backup Files/Dir" we are able to do backup or also with a cron.

  • Discussions about the pfBlockerNG package

    3k Topics
    20k Posts
    Gertjan

    @AlexK-0 said in Can't receive GeoIP databases updates anymore, banned:

    Days ago, I received from MaxMind an email, notifying me that my country has been banned to receive GeoLite City database updates.

    You've found a reason to use a VPN.

  • Discussions about Network UPS Tools and APCUPSD packages for pfSense

    99 Topics
    2k Posts

    @elvisimprsntr thanks for your suggestion. I will give it a try.

  • Discussions about the ACME / Let’s Encrypt package for pfSense

    493 Topics
    3k Posts
    Gertjan

    @EChondo

    What's your pfSense version?
    The instructions are shown here:

    A restart of a service will start by re-creating its config files. If a certificate changed, it will get included. When the process starts, it will use the new certificate.

    @EChondo said in Issue with ACME Certificates Refresh & Restarting HAProxy:

    I haven't been able to confirm if the above works(mine just renewed, don't feel like doing it again just to test), so we'll see in 60 days I guess.

    No need to wait x days.
    You can re-test / renew right away, as you are 'allowed' to renew a couple (5 max?) of times per week.

  • Discussions about the FRR Dynamic Routing package on pfSense

    294 Topics
    1k Posts
    I had a similar issue with Routed VTI over IPsec recently. FRR lost its neighbors after rebooting or when a tunnel went down. It never re-discovered them automatically. Only restarting FRR (either in GUI or via CLI) brought the neighbors back.

    When I manually added those under the OSPF neighbors tab in the GUI it seems to solve the problem as well.

  • Discussions about the Tailscale package

    89 Topics
    574 Posts
    Hello,
    I am unable to get the Tailscale package to work. The page at VPN > Tailscale > Authentication is stuck. It displays the error "Tailscale is not online," but also shows a "Logout and Clean" button, with no option to log in.

    This state persists even after performing the following troubleshooting steps:

    Rebooting the pfSense router.

    Completely uninstalling and reinstalling the Tailscale package multiple times.

    Clearing browser cache and using a private browser window.

    Toggling the main "Enable Tailscale" checkbox in the settings.

    Checking the logs, which show the service gets a "terminate" signal and shuts down cleanly; it does not crash.

    Manually trying to delete the state file with rm /var/db/tailscale/tailscaled.state, which failed because the file does not exist.

    It appears that the package's configuration is corrupted in a way that persists even after reinstallation. Can anyone advise on how to perform a complete manual cleanup of all Tailscale files and settings?

  • Discussions about WireGuard

    689 Topics
    4k Posts
    @patient0 Thanks for further suggestions. The tunnel is definitely up and so I don't think this is a CGNAT issue after all. WAN firewall rule is in place for UDP on port 51823 (otherwise the tunnel wouldn't work, right?). I can ping from client 1 -> client 2 and vice versa and also ping all points in between like you suggest. I just can't open an HTTPS connection from pfSenseB from Client 1 using a browser. But I can do this the other way round, i.e. from Client 2 to pfSenseA.

    I will try and do some packet capture to see if that reveals anything.

  • Snort generating alert but not blocking

    8
    0 Votes
    8 Posts
    9k Views

    @bmeeks:

    @NPDF:

    So, pardon my ignorance here as I am new to Snort, but I am having the same issue. I recently enabled blocking, and an event popped up as ET DROP Dshield Block under Alerts but was not blocked. You recommended to scan any IP in the alert in the block list, but the destination is the WAN IP, so it is listed. Does that mean it'll never get blocked?

    On the INTERFACE SETTINGS tab where you configure blocking, there is a combo-select box for choosing which offending IP address will be blocked. Those choices are SRC, DST, or BOTH. SRC means block the source IP in the alert packet. DST means block the destination IP. BOTH means block both the source and destination IP addresses. The next thing that comes into play is the PASS LIST. By default, your WAN IP, Default Gateway, DNS servers and a few other IPs are never blocked.

    So now, to see how the alert you mentioned would be treated, look at the SRC and DST IP addresses. Next, look at that combo-box setting I mentioned. Determine if it is set to SRC, DST or BOTH. Comparing all that information should show you how Snort would have made a block decision. For example, if you had DST selected in the combo-box control, and the DST of the alert was your WAN IP, then Snort would not block because your WAN IP is in the default "never block" PASS LIST. However, if you had the combo set to BOTH, then Snort would insert a block for the SRC IP of the alert (assuming that IP was not also in the default PASS LIST).

    Finally, remember that there is a cron job that periodically clears blocked IP addresses. So if enough time has elapsed, it is possible that job cleared the block. Any time the packet filter is reloaded by pfSense, that will also clear all blocks Snort may have inserted. A number of system events can cause the filter (firewall) to reload. Examples are a change in your WAN IP due to DHCP renewal, temporary latency or issues with apinger, etc. Snort does not have its own block list. It simply stuffs any offending IP into the snort2c alias table in the pfSense packet filter firewall. Other things outside of Snort's control may clear that alias table. One of those is a filter reload event. As mentioned previously, there are many things that can trigger a filter reload.

    Bill

    Thanks for the great response! At the end of the day it was a restart that fixed my issue, but this information will help in the future if need be.

  • Snort-2.9.7.0 released, will we see the package updates for 2.1.5 sense?

    6
    0 Votes
    6 Posts
    2k Views
    bmeeks

    Well, some potentially bad news on the File Inspection feature. It appears to be broken. It is marked as "Experimental" in the README files included with the Snort source code. I could not get it to detect even simple PDF files, and when it was enabled, Snort would die on every soft-restart command. I have decided to pull this feature for now from the 2.9.7.0 update.

    I am now about to test out OpenAppID.  Hopefully it will work better …  :-\

    Bill

  • How do I get the full URL of the Youtube video being watched?

    2
    0 Votes
    2 Posts
    842 Views
    cyber7

    Not to worry, I fixed it by adding to the "Custom Options":
    strip_query_terms off

    Now I am getting the full URL. Much better.

    kind regards
    cyber7 (aka Aubrey Kloppers, Cape Town, South Africa)

  • Inject a HTML to HTML response with squid

    1
    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Lightsquid sqstat http error

    11
    0 Votes
    11 Posts
    20k Views
    The same situation was at https://forum.pfsense.org/index.php?topic=50366.0

    And NOT only the "https://www.altsec.com/2013/10/pfsense-http1-0-403-forbidden-proxy-report/" recipe can help you.

    So, you can also receive the same error in the following cases:

    when your Proxy filter SquidGuard blocks web access for the "Proxy Squid: Realtime stat (sqstat)", for example in such a case as if you, at "Proxy filter SquidGuard: Common Access Control List (Common ACL)", accidentally set "Default access" [all] to "deny"!

    when your Proxy server Squid (version >= 3) at the tab "Real Time" displays NOTHING; this can happen when your parameters for the Proxy server Squid were WRONG and Squid can't serve web requests from clients (and writes nothing; its logs are EMPTY). For example, it can be when you fill TEXT aliases in the fields for IP addresses.

  • Problem with Snort 3.1.3

    7
    0 Votes
    7 Posts
    1k Views

    @1kevinm:

    I upgraded to snort 3.1.3 today. After upgrade, snort is no longer on the services menu. It shows as installed under packages.

    I uninstalled and reinstalled. It still does not show up on the services drop down menu nor on the services menu on the status drop down.

    I also tried rebooting multiple times.

    Thoughts? Or where can I find 3.1.2?

    Thanks,
    Kevin

    This happened to me as well; the install page stopped at a "starting up snort" message.
    Once reloaded, it does not show in the service menu nor on the status page in services.

    But for me the fix was simply to uninstall snort and reinstall it again; everything went smoothly.
    Not sure what could be the cause of this.

  • Squid 3.3.10 error

    2
    0 Votes
    2 Posts
    700 Views
  • Cron does not function correctly with Ramdisk

    6
    0 Votes
    6 Posts
    1k Views

    Within the actual .py I mean; what you're showing as the cron entry is fine, that part won't have any path issues.

  • If you could install just one package - which would it be?

    15
    0 Votes
    15 Posts
    2k Views

    It would be very stable with openvpn.

  • Setup VideoCache in Squid PFSense 2.1.5 not working

    2
    0 Votes
    2 Posts
    1k Views
    BBcan177

    Hi m4st3rc1p0,

    Take a look at this link:

    https://forum.pfsense.org/index.php?topic=78935.msg431084#msg431084

  • How to block teh googles with squid guard?

    5
    0 Votes
    5 Posts
    1k Views
    To block the pics, load this list in squidguard: http://urlblacklist.com/?sec=download

    And to have SSL filtering, follow this: https://forum.pfsense.org/index.php?topic=73640.0

    Hope this helps

  • SquidGuard Ldap search group

    1
    0 Votes
    1 Posts
    902 Views
    No one has replied
  • Scp config via cron not working

    1
    0 Votes
    1 Posts
    838 Views
    No one has replied
  • Squidguard Group ACL LDAP Client Source cache refresh

    2
    0 Votes
    2 Posts
    2k Views
    I apologize if this is my first post, but I am also having problems with SquidGuard + AD with users having multiple groups.

    Scenario:

    SquidGuard Common ACL: Deny all

    SquidGuard Group ACLs:
      FacebookAccess
        - Only Facebook is allowed, the rest blocked.
      EmailAccess
        - Only company email is allowed, the rest blocked.

    AD Groups:
      FB_InternetAccess
      Email_InternetAccess

    AD Users:
      JohnDoe
        memberOf: FB_InternetAccess
      SamSmith
        memberOf: FB_InternetAccess and Email_InternetAccess

    If JohnDoe opens facebook.com and auth is successful, the site loads fine. If SamSmith opens facebook.com, it will load fine, but opening his company email will not be allowed.

    Checking the SG blocked logs seems to point to SG working on a first-match-forget-all basis. It would not check if the user still has other groups that will match other Group ACLs. If this is not possible, please let me know. Any help would be greatly appreciated. TIA!

  • APU1D4-Squid bug?

    5
    0 Votes
    5 Posts
    1k Views
    I managed to find a PHP command (under Diagnostics > Command Prompt > PHP) which restarts SQUID:

    filter_configure ();

    But how to execute it until the startup of pfSense? How to run a PHP command with a shell script? (I'm an amateur, not a professional.)

  • HAProxy does not reload after upgrade

    6
    0 Votes
    6 Posts
    2k Views
    Just installing the pbi should have created a symlink for /usr/local/sbin/haproxy to the executable /usr/pbi/haproxy-amd64/.sbin/haproxy.

    Can you try uninstalling and then re-installing the haproxy-full package?

  • Enable module ecap for squid3

    1
    0 Votes
    1 Posts
    754 Views
    No one has replied
  • Strange IP in Squid.conf

    1
    0 Votes
    1 Posts
    623 Views
    No one has replied
  • Transparent HTTP/HTTPs filtering with NSFilter

    11
    0 Votes
    11 Posts
    3k Views
    Just wanted to update the thread to let everyone know that we have added support for pfSense 2.2; the installation is exactly the same as for the previous versions. Here is a brief rundown of current features:

    DNS Filtering:
      Domain name categorization using realtime cloud categorization service
      User/Group/IP based policies
      Local Domain Override (*New, overrides DNS lookups to an alternate server for specified domains, i.e. mydomain.com uses 192.168.1.1 vs 8.8.8.8 for everything else).
      Customizable Block Pages

    HTTP/HTTPS filtering:
      URL categorization using realtime cloud categorization service
      Transparent mode supported
      User/Group/IP based policies
      Force Safesearch (Google/Yahoo/Bing)
      Youtube for Schools
      URL Black/White lists
      Content Type Black/White lists
      File Pattern Black/White lists
      Customizable Block Pages

    Authentication:
      LDAP integration
      Domain Controller Agent (In development, this will allow users to automatically authenticate to NSFilter when logging in successfully to the domain).

    Please let us know if there are any features you would be interested in trying or would like to see added to NSFilter; we are always looking to improve.

    Also, if any of you testing 2.2 would like to give NSFilter a try, we would love to get some more data points on running on the new platform.

    Thanks,
    Adam

  • Exclude user from safe search

    2
    0 Votes
    2 Posts
    504 Views
    ;D I found the solution: for safe search, the Common ACL group takes precedence over the Group ACL,
    so you need to disable it in the Common ACL and apply it in whatever group inside the Group ACL.

    That works for me.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.