Sticky thread about Monitor Squid Status, https://forum.pfsense.org/index.php?topic=28835.0

pfSense version?

Package version do you want to install? There are different squid package versions.

LAN/WAN scenario? (One LAN or more, one WAN or more?).

Yes, whitelists go before blacklists. That's all.

If you need to do something like

!block_bad_words filter_some_domains !block_with_big_black_lists

you can see a trick at https://forum.pfsense.org/index.php?topic=73759.msg404261#msg404261

@BBcan17:

@bmeeks:

@BBcan17:

I noticed this in the Blocked log? Not sure how that got added? I check the blocklist and its not there.

224 255.255.255.255 (spp_reputation) packets blacklisted - 04/15/14-13:10:56
                              (portscan) UDP Filtered Portsweep - 04/15/14-10:19:22

Obviously it was a broadcast.  Could be a bug in the IP REP preprocessor code within Snort itself.  Done improperly, a test of a broadcast address could seem to match any IP address.  All the GUI package code does is set a handful of snort.conf parameters for the preprocessor.

I guess add that to the Whitelst?

Nah…I wouldn't bother.  You generally don't care if a broadcast is blocked because that is all subnet localized anyway.

@thelongdivider:

The title says it all.  Whenever snort is enable even the most popular websites like amazon and newegg are blocked by snort, as well as a couple of less common websites that are important to me.  Is there any way to unblock these sites on a website to website basis?

Welcome to the world of false positives.  It happens with all IDS systems.  You need to examine the alerts, and if you trust the web site and are sure it is a false positive, you have two options: (1) suppress the alert or (2) add the host to a Pass List.  Here are some links to the Documentation Wiki with some details on each method.

https://doc.pfsense.org/index.php/Snort_suppress_list

https://doc.pfsense.org/index.php/Snort_passlist

There is also a long thread here in the Packages forum containing known false positives and the corresponding Suppress List entries for them.  Here is a link to that thread: https://forum.pfsense.org/index.php?topic=64674.0

Bill

@BBcan17:

@Priller, Did you try to re-install Snort? Or a De-install and re-install (Make sure the Checkbox is click to keep settings after deinstall)

My bad for hijacking the original Snort problem reported.  Snort is working fine for me, it's Suricata that is exhibiting the identical problem that the OP reported with Snort.

So, for Suricata, yes I did try a de-install and re-install.  I performed that both keeping the config … and also a total removed and rebuilt the config by hand.

Looks like the dead timer is doing it (40s default), although it gets the hello messages quite regularly:

08:37:50.196698 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68 08:37:59.869506 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68 08:38:09.148189 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68 08:38:18.830889 IP x.x.x.244 > 224.0.0.5: OSPFv2, Hello, length 68

Thanks jimp!  That worked!

@mendilli:

if you want error page to bee seen for https sites, you should use squid3-dev with https transparent option

As @mendilli said, you need squid3-dev + squidGuard+squid3 for SSL Bump (SSL interception).

Steps (in Spanish), use translate.google.com

https://forum.pfsense.org/index.php?topic=73007.msg402349#msg402349

https://forum.pfsense.org/index.php?topic=73740.0

I saw strange numbers in this case:

https://forum.pfsense.org/index.php?topic=74567.0

Look for interfaces activated at your squid3-dev

And look for this reported bug, https://forum.pfsense.org/index.php?topic=62256.msg407762#msg407762

Anyone?

@adam65535:

Upgrade of the primary… Now the primary has barnyard enabled for both LAN and WAN too.  Not sure what is causing this.  Not a big deal though.  I just disabled it on the primary for both instances and the backup server got the synced snort config and is disabled there now too.

There was a little logic error I introduced into the Barnyard2 migration code that migrates old settings into the new format to support the enhanced output plugins.  I was keying off only one of two parameter that must BOTH be true for Barnyard to have been enabled under the old config.  As a consequence of only looking at one and not both, the migration script was turning on Barnyard2 if it had ever been enabled in the past on an interface.

I am fixing that for future upgrades, but for this one the damage is sort of done.  Thankfully it's not a fatal thing.  Just disable Barnyard2 on the interface again and save the update.

There are some problems with updating synced pairs with sync still on.  I recommend turning off sync, upgrading all the machines to the same version, then re-enable sync.

Bill

@pfNeo:

I did another test and I did find some files in the directory, but not the actual dll file. I found file.1 and file.1.meta.

file.1 contained the following (stripped) text

{"status":"success","url":"http:\/\/www.SOMEWEBSITE.com\/PHPFILE.php?=somecodeinphp"}

file.1.meta contains the following

TIME:              [stripped content] SRC IP:            [stripped content] DST IP:            [stripped content] PROTO:              [stripped content] SRC PORT:          [stripped content] DST PORT:          [stripped content] HTTP URI:          [stripped content] HTTP HOST:        [stripped content] HTTP REFERER:      [stripped content] HTTP USER AGENT:  [stripped content] FILENAME:          /URLPATH/file.dll MAGIC:            <unknown>STATE:            CLOSED SIZE:              126</unknown>

Thanks for the feedback.  Just got back in the country from a vacation and still catching up.'

Sorry about giving you the wrong rules file name.  It is custom.rules.  The snort.rules are all the pre-packaged rules.

As I mentioned, testing of the file capture ability in Suricata is not something I had a chance to test.  One possible issue is I may have the "magic file" setting messed up.  If you have some knowledge and want to experiment, you can edit that feature in the suricata.yaml file.  There is a "template" for that file in /usr/local/pkg/suricata called suricata_yaml_template.inc.

Please post back what you discover.  I want to get this working properly.  I have been multitasking with the Snort package and working on Suricata blocking.  This has limited my time to experiment more with this feature.

Bill

@Supermule:

Thanks a billion Bill!! Youre SO much the man of this project right now!

Thank you.  One caveat for Suricata blocking.  Initially it will have to operate the same way as Snort does using libpcap.  Thus it won't be true inline-mode IPS.  Ermal has to make some changes in the ipfw code within pfSense in order to accommodate true inline IPS mode.  However, due to the problem of context switching between kernel mode and user-land, IPS mode when it comes won't be nearly as fast as the pseudo-IPS mode Snort uses (and that Suricata will use initially).  So true inline IPS is probably not going to be very useful for heavily loaded firewalls.  That's just the nature of the beast unless you go to highly customized code, and if you do that then you can't easily follow the upstream updates.

The kernel changes to support true IPS may or may not make it into 2.2.  That is not up to me.  It is up to the pfSense team.  However, I can include the pseudo-IPS mode without those kernel changes.  That means pseudo-IPS can work with 2.1.x releases.  The pseudo-IPS mode is what I am working on now.

Bill

@BBcan17:

In my installations I see the Alerts tab showing the entries newest first.

When you look at the Blocked Page, I think it displays the first alert only for the spp_rep Alert.

If you sort by the "#" column it actually isn't in order (By date/time) which I assume should be.

Ah…OK.  I will look into that.  The BLOCKED tab does some grouping by taking a blocked IP and then finding all the matching entries for that particular IP anywhere in the Alerts log file.  So if IP address 1.2.3.4 has been blocked say 10 times in the last 3 days, when it gets blocked again, the BLOCKED tab will show all the previous 10 entries along with the current one.  This assumes two things:  (1) you have the blocks being automatically cleared on some interval, and (2) the alerts log has not been itself cleared out.

UPDATE:  there is no sorting of the grouped IP data.  That is, the code does not specifically sort by alert time when grouping IPs for display on the BLOCKED tab.

Bill

FYI

The following being enabled kept the WAN interface from turning on.

It will show enabled, but it will have that red X next to it and it refused to start.

After troubleshooting, I narrowed it down to this very specific rule (which you need to add to your exception list)

2011695 ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt Disclosure Attempt

If I disable that, then the WAN interface is able to show the green play button (running) without issue.

Honestly?

pfBlocker needs a severe diet, getting rid of useless stuff such as the GeoIP-based lists years and years old and completely useless the legacy HTML tables layout needs to get eradicated everywhere across the pfSense code these "validator" fixes caused a bunch of severe regressions (such as completely breaking the schedules) lately so IMNSHO this just should be left as it is as long it works

Goto  Advanced:Firewall/NAT  and increase the "Firewall Maximum Table Entries".