@Sander88:

Thanks! It works now. I have added "classtype:bad-unknown; rev:1;" and the alert shows up now.  :)

Quite some time back the Snort VRT folks must have changed the Snort binary such that now it requires a classtype: in a rule or it will segfault and crash when the rule fires.  I think in times past the classtype parameter was optional, but apparently not anymore.  Unfortunately very few if any of the Snort custom rules examples show the inclusion of the classtype parameter  :(

thank you all for helping me
vHost working for me
I create
Host: wpad.dat
Port : 80
Directory : /usr/local/www

but squidGuard error pages not working, can you u give any idea to configure this

Snort keeps a previous log of alerts generated by a host, but doesn't actually act based on them. Let's take an example:
host 1.1.1.1 was banned because of rule "I don't like this host because."
That was considered a false positive and added to the suppression list (or rule disabled is actually the proper procedure). Snort restarted, host removed from blocked tab.

A couple days later, the same host, host 1.1.1.1 gets banned because of rule "I don't like all same numbers in IP."

Now the blocked tab will say:

1.1.1.1 "I don't like this host because." and a date/time stamp.
            "I don't like all same numbers in IP." and a date/time stamp.

The host appears to be blocked because of 2 reasons, but snort's most recent ban is based on the most recent alert generated ("I don't like all same numbers in IP."). The older data (I don't like this host because.") is just there to remind us that a host is really really bad.

If a host gets banned again after adding some rule to the suppression list/disabling the rule, then snort's interface was not restarted. Or something else triggered on that host. If neither of those happens, then it's not the expected behaviour.

Cisco? Is that a microwave oven maker? Can't remember…...oh, THAT cisco. Yeap, snort is pretty much doomed. After they add the remote update feature. Which is needed for the remote backdoor. For remote support of course.
Disclaimer: cisco mentioned in the paragraph above is entirely fictional. Any similarities to an actual company are purely coincidental. cough

You are correct - the OpenVPN link will not route from work to-from home if both work and home have the same subnet (like 192.168.1.0/24). Packets will never get sent across the link, because the source device will think the (remote) target device is in its local LAN, because the target device has an IP address in the local subnet.
Time to choose the easiest network to change, and change it. Or even better, during the holiday season, change both. No-one will notice, they will all be on leave  ;)

739 MB of RAM is a challenge for Snort with a full rule set.  Snort is a memory hog.  Depending on the number of rules active, RAM usage can quickly grow beyond 2 GB.  If your box begins swapping RAM out to the swap file, then performance will slow to a crawl.  Currently the Dashboard does not indicate any swap usage, so that may not be the problem.

You can test Snort as the cause of your slowness issue by simply turning Snort off on the interfaces it is running on.  Just click the green arrow icon on the Snort Interfaces tab and wait for it to turn into a red X.  Snort is then stopped and is not consuming any resources nor doing anything to network traffic.  If things are still slow and you have web browsing issues, then Snort is not at fault and you know to look elsewhere.

Now if Snort was blocking a number of web sites, that can also give the appearance of being slow.  What happens is most web sites use advertising, and that advertising is served up by external sources (meaning not from the same web server as the content you went to see is served from).  Sometimes those external sources are either known suspicious sites with poor reputations that are on a Snort block list, or the external site may use some non-standard HTTP encoding that the Snort HTTP_INSPECT preprocessor does not like.  Either way the incoming ad stream is blocked.  Some web pages will pause or simply not load when any of their embedded ads don't completely load.  You may be seeing some of that behavior as well.  Properly configuring a Suppress List will help in this area.

Bill

:-\ any news of squid-dev integration with antivirus. soooo  critical.

Thanks and merry christmas

Hi Robert,

I am amazed that there are not more reactions to this issues.
It seems like a serious bug to me…

regards.

:)
Thanks a lot again.

It is working now but i don't understand how it is fixed.

Solved my own problem (sort of).  When I set up pfSense, I created a new administrator account and made it part of the administrator group and disabled the default admin account.  Apparently, the group privileges for the administrator group are not applying to the new admin account.  If I use the default admin account, everything works.  Strange.

the default status is off and it never comes on and it makes dansguardian unusable since it cant scan content.

GUI notifies that freshclam is running but i know its not. By default freshcalm does not have any permissions to run updates, i had previously activated this and fixed all permission errors, but dansguardian always shows clamav status off

I got pretty far but could not find clamd.conf as it didnt exist anywhere. Now i reinstalled everything and starting from square and need some directions.

Update: On a side-note i got squid (non-transparent mode) working with dansguardian. Just like i want: all traffic is redirected based on my 1 NAT rule, instead of having rules+multiple exceptions. I made a mistake when testing dansguardian proxy which lead me to believe that proxy wasn't working. All i need is Clamav setup and ll be greatful!!!

Update2: Got pretty far after finding a thread with same problem. Now i just need to know how to get blacklist working, DG does not download the specified list..

@denningsrogue:

Installed but the changes don't save.

Try adding the widget first, then click the SAVE button for the Dashboard itself.  After that, go back into the Snort Alerts widget, click the wrench icon in the upper right, enter a number of rows to display and then click Save in the Alerts widget.  See if that works.  It did for me.  For some reason, trying to enter and save a value at the same time you add the widget to the Dashboard failed with a session state error.

Bill

Thank you very much!

I made exception such as *microsoft.com. Everything is fine. Unfortunately direct links doesn't work, because IE don't understand CRL lists.

Thanks again

What you get on logs?

/your_domain_here/ REJECT [HELO01]

marcelloc,

Would it be sensible to add this as well?

@BBcan17:

Hi Bill,

I have been going thru the Snort rules and disabling/Enabling the ones to suit my network and I came across a few ideas.

My replies are below.  Thank you for the ideas.  Unfortunately, one of them I really don't think can ever work; however, the other two are possible.

@BBcan17:

Ability to create Multiple Snort Interfaces. Only one Interface per NIC would be online, the others could be offline.  It could also allow testing of Rulesets without compromising the Primary Interface settings.

I think the template idea suggested by user Supermule is a way to accomplish this.  It sounds like what you are really talking about is a way to quickly switch on or off a group of rules for an interface.

@BBcan17:

The ability to Copy the "Snort Interface" to another pfSense Box. This would allow managing rulesets for several boxes with similar setups.

This feature is available now thanks to user Marcelloc here on the forum.  He contributed the XML RPC sync part of Snort.  It is currently marked experimental, but in fact works quite well.  You can sync the Snort configuration across multiple boxes.  The one requirement for now is they must have the same NIC hardware so the real interface names match.  For example, em0, em1, etc.  I think the users currently making use of this sync feature are doing so on groups of virtual machines where the virtual hardware is identical.

The template idea I mentioned above might also fill this need when implemented.  Maybe I can incorporate something into the template code that would handle automatically the change in real interface names.

@BBcan17:

In Global Settings, the option for "Remove Blocked Host Interval" could be set separately in each category so that we can better control how long the Block should last for.

This one can't be done because it's not Snort that does the clearing.  Remember Snort is simply stuffing IP addresses into a pf table.  The table is called snort2c.  Once an IP is inserted there, it's the responsibility of the packet filter engine code to keep up with it.  The pf engine keeps a counter on "activity" by IP address.  In other words, it monitors the connections.  There is a cron job that the Snort package creates that calls the expiretable utility once per the interval you set (1 hr, 1 day, etc.).  The expiretable utility is given the pf table to clear and how many seconds of "no activity" must be in the stats for an entry to be removed.  The pf table has no way to store additional data about the IP address (such as what rule fired it, etc.).  This means Snort can't offer selective clear times based on rule origin.

Bill

As none other than Mr. Allan Jude himself would have said; "Patch your shit!". (not a personal attack in any way, shape and/or form. A strong suggestion to keep up to date with all software)
As suggested, always upgrade to the latest versions of everything (I'll do my psychic voodoo and say the web app being protected is something based on a no longer maintained version of a webserver, quite possibly IIS).
The proper procedure to upgrade is: First upgrade, then notify the customers of what's not working. A golden rule in my case. Any system running 1month old software (of which a new version has been available for the past 3 weeks) is to be considered compromised, no questions asked. A zeroing of the drive and,if it's UEFI*,  a new motherboard, installed with a newer version of the software is the only industry accepted practice to recover it.
As soon as a new update is available, start testing it. You have 24 hours to update the production systems, or they are to be considered highly likely to be compromised and should be treated as hostile to other hosts on the network.

My personal suggestion is to stop looking for ways to work around a 2 year old appliance and start downloading the new version.

*there are ways to flash a pre-OS exploit on a motherboard, have been publicly available for the past year. Not publicly available, well that's another story  ;)