:-[ :-[ :-[ :-[

Now, after 15-20 times worked!

Perhaps because I rebooted the machine before installing a new time?

:) :) :) :)

@Cino:

think i found another bug. I have 2 sensors for my WAN, one for blocking and another just for alerting. I've disabled my alerting interface but it still is starting when the service/router is restarted. If I re-save the disabled sensor, it brings it down

I think I know what the problem is and will fix it in the next release.  I have the new 2.9.6.0 package almost ready.  Thanks for the bug report.

Bill

Generally speaking, the shellcode signatures tend to trigger a lot of false positives on many networks, so I'd take that one less seriously than the malicious user agent, which is less likely to be a false positive (though certainly not impossible).

v1.2.3 packages are no longer supported, that's almost a 5 year old release now, and 6 releases behind current within a few days when 2.1.1 is released. There isn't any reason you can't upgrade them. That said, ones that worked a couple weeks ago should still work now. We're not intentionally breaking them (yet), but some are broken because they now require PHP 5.

My first guess is maybe something about those systems is preventing them from fetching files via HTTPS. Go to a command prompt and run:

fetch https://packages.pfsense.org/packages/config/filer/filer.xml

see if that succeeds. If not, try:
fetch http://packages.pfsense.org/packages/config/filer/filer.xml

I'm surprised I haven't had many responses yet. Is this because so few people use squid proxy?

So, in an effort to be proactive I took a packet capture of the 10-15 seconds when my son is logging into the game that seems to have a problem with squid proxy. There are two public ip addresses involved in that transaction, but I don't really know what to do with that information.

I'm willing to gather additional data if there is someone out there who would be willing to help.

I realize my issue is not life or death, but I truly want to learn about squid transparent proxy and this is hindering my progress.

I think it's safe to say I'm being patient. Anyone, please??

I already moved four of the large Blacklists to a cron job running a bash script, mapped pfBlocker to a local .txt file which does that process as you so eloquently described.

Shrunk the list by 50% already.

I use a remote syslog (ELSA) and it would be nice to have the pfSense syslogs incorporate the Rule that Blocked/Rejected/Passed the event. I heard this might be fixed in 2.2?

Also having a "hit count" would help this process.

I have spent alot of time on the Blacklists. Different locations get hit with different attacks. Various lists help to protect different aspects of the network.

If I had more PHP knowledge I would attempt to write some code to add some more functionality to pfBlocker.

@DmitriyTitov:

Hello!
I'm new to pfSense and snort and I got a task to block P2P traffic.
I've installed snort package, downloaded rules and enabled snort-p2p and emerging-p2p rules. I've enabled snort on LAN interface and checked "Block Offenders" and left block "Both" IP addresses. Also I've disabled all "Decoder" and "Preprocessor" rules because I've had IMAP related alerts and don't want to block hosts based on these rules.
I've started uTorrent BitTorrent client on my workstation and I nstantly had a lot of records at "Alerts" and "Blocked" tab,  but I see that my uTorrent still downloads traffic from the peer that is added to blocked!

So I have visualy working instant of snort, but it doesn't actualy block traffic. Where to search for answer?

Thanks in advance!

Another thing to consider, the automatic "default" whitelist for Snort includes all locally attached networks.  This means, for instance, that your LAN IP addresses will not get blocked even when they generate an alert.  Now if they go out to an external host, that external host should get blocked.  To ensure this happens, though, you must click the KILL STATE checkbox on the Interface Settings tab for the interface running Snort.  Otherwise the initial packet will establish "state" for the connection and all further traffic for that session bypasses the firewall.  So even though Snort might insert a block, if an entry for the session is in the state table, traffic will continue to flow around the block via the open state table entry.  Killing state when inserting a block is how Snort can get around this.  But killing state is a manual choice of the user.

Bill

So finally i was able to generate the reports .

the problem was on configuration ….

If someone else has the same problem with me ...

TODAY
-d date +%d/%m/%Y

YESTERDAY
-d date -v-1d +%d/%m/%Y

WEEK AGO
-d date -v-1w +%d/%m/%Y-date -v-1d +%d/%m/%Y

MONTH AGO
-d date -v-1m +01/%m/%Y-date -v-1m +31/%m/%Y

Hi,

I have the same setup and facing similar issue as Lemb. I've also added the list of IP's and URL's of office 365 provided by Microsoft (http://blogs.technet.com/b/neiljohn/archive/2012/01/26/office-365-proxy-server-exclusion-list-office-365-service-url-s.aspx) to whitelist of HAVP Antivirus, still facing the same issue. Outlook looses connectivity to Exchange server and reconnects very frequently. If HAVP is uninstalled, everything  works fine.

And Lemb, as I noticed you've posted this issue in December 2013. It's been 3 months that you've faced this issue, have you been able to find a solution or workaround for this issue?

Please help.
Thanks & Regards,
Gautham B

@loupalladino:

What is logged in access.log and squidGuard.log when you make the attempt with transparent enabled?

Hi loupalladino,

Thanks for the response. Sorry for the delay. I tried checking the logs under:

/var/squid/logs
/var/squidGuard/log

but I do not see any errors in either. Under access.log I do see the requests I've made.

Also note I tried removing all squid. Even when under pkg_delete and removed anything left behind. Re installed just Squid3 and turned on transparent mode and the problem still exists…

Thoughts?

Thanks

@marcelloc:

Some forum users reported that squidguard3 is not working with squid3-dev. I did not had time to test it because I do not use squidguard.

Working…

https://forum.pfsense.org/index.php?topic=73640.msg402286#msg402286

https://forum.pfsense.org/index.php?topic=73740.0 (Spanish Forum)

Do not edit rules from the Command Line. You can severely break pfSense if you make a mistake. All Snort Rule changes should be made from the Web GUI.

(Change the WAN to LAN depending what you are trying to achieve)

Step 1-
Snort:WAN Interface EDIT:WAN Categories and make sure that ET Policy has a checkbox. If not select and restart the interface.

Step 2-
Snort:WAN Interface EDIT:WAN Rules (Select ET Policy Category)

CTRL-F (search for dropbox to enable the rules that are already defined)

And enable/disable the rules this way.

If you want to create a local rule, you would enter the rule

Snort:WAN Interface EDIT:WAN Rules - Custom.rules

for https you either need to use mode 'TCP' or use haproxy-devel package and use mode 'https' or use 'http' with ssl offloading and configure certificates on pfSense.

Only the haproxy-devel package has the more advanced ssl options.

the solution is to go to pfsense gui -> services -> proxy server -> general and set the "Resolv dns v4 first" checkbox

fetch missing libs.

i386 help thread
https://forum.pfsense.org/index.php?topic=62256.msg373791#msg373791