Informative!I really appreciated it.

I dont have any idea 'bout the sessions or caching sessions.I think should go deep on this.
At least I know its possible,enough for now.

Thanks for the help.

You might also try looking for an error along the lines of BAD-TRAFFIC TMG Firewall Client long host entry exploit.
That message is triggered by a bad traffic rule that looks for odd traffic on port 53, which happens to be DNS.
If you have a lot of these in your alerts of blocked log, chances are that some or all DNS replies are being blocked by snort.

Varnish, postifix, haproxy.

You do not need carp enabled to use it.

emerging threats rules change all the time so if you enable a rule and later update the rule set there is always the possibility that you are attempting to load a rule that no longer exists in emerging threats. That will give you your error.

Dear all,
I figure out that the Y!M version 10.0.27 didn't use the default port 5050.
After i update Y!M to another version, it use port 5050 and seem to be OK with imspector.
Thread close, thanks all

Yes, you have to balance the web traffic from the localhost instead of the traffic for you lan clients.

libwrap.so.6 is not part of a package, its part of FreeBSD.
It appears the package you are attempting to use is newer then
FreeBSD 7.0-Release, which 1.2.3 is based off of.

ls -al /usr/lib/libwrap.* will show you what files you have. You probably
have libwrap.so.5

Using ln -s, you may be able to link libwrap.so.6 to libwrap.so.5, and it
may work. But it may also not work / melt your box / kill your cat…

Otherwise, try installing the package for a 7.x variant (not sure when
libwrap.so.6 was introduced)

thanks for you reply.

ezjail is working much better then pfjctrl.

If you are doing patches, means that you know what you are doing.

backup your vm's, uninstall pfjctrl and install ezjail.

ezjail-admin will help you creating new virtual machines with freebsd 8.1.

follow ezjail build steps on a freebsd 8.1-p4 and you will have same version on pfsense and jails.

As pfsense2 has been release there is no problem on migrating pfjctrl to ezail.

I'll try to start it soon.

Today the package listens on all interfaces at port you specified.

To have multiple varnish, you can copy conf file and put a second daemon startup at gui advanced startup option.

When using multiple varnish, you will need to name each one with -n arg.

sample advanced startup options

-n apache #set name on default daemon #startup second daemon /usr/local/sbin/varnishd \     -a :3129 \     -n squid \     -f /var/etc/squid.vcl \     -s malloc,2048MB \     -w 32,1024,300

I will find a way to change setup To let you choose interface and auto name them.
Wait for pkg v 0.9.

Thanks for your reply.

Snort is working great here.
2.0 Release 64bit
All pre-processors on
Lots of rules enabled.

Works after reboot.
2gb on a vnware vm.

I did have to follow other posts by uninstalling/reinstalling to get it running the first time when we were in the RC stage.  Also if I had known so rules were only 64 bit, I would have installed 32 bit pfsense.

Apparently this is a recent issue.  There is a fix over here:
http://forum.pfsense.org/index.php/topic,41180.0.html

For those who dont feel like reading the thread (Please DO though– and COMMENT so that it gets fixed :D ), or for those from google:
@gusdvg:

Ok so I added an error handler to the openvpn-client-export.inc file such that warnings are not printed to the exe. Tried and it works again!

If you want to try this, edit /usr/local/pkg/openvpn-client-export.inc and add these lines after the require_once lines at the beginning of the file:

function ignoreError($errno, $errstr) {   //does nothing... } set_error_handler("ignoreError",E_WARNING);

I guess the problem still remains if you need to add additional options, but I have little time at the moment and this patch will do for now.

@marcelloc:

Pfsense rules are set on source interface. The rule with destination To blacklist must be on lan.

I set the rules up on the appropriate interfaces based on source and destination IP, but Snort sees (and then blocks) offenders that should be covered by these rules.

The rule covering destination to blacklist is on the LAN interface.

The rule covering source from blacklist is on the WAN interface.

Still, Snort sees and blocks traffic covered by these rules.

I still have these questions:

Perhaps someone can clarify both the Snort alerting on hosts blocked by a firewall rule (Snort gets the packets first?), and Snort behavior in pfSense when a Blacklist and a Whitelist host are both involved in an alert.

No, only for internal smtp servers.

I think pop3 protocol is getting quite old. I'd prefer IMAP.

Pop3 wastes bandwidth even using p3scan or other tool, you need to download all messages to then see if you want it or not.

You can build a virtual machine an try to install freebsd p3scan package. if it works as you expect install on your firewall.

So I updated the firewall this morning from 1.2.3 to 2.0 and now the proxy is working 100%… Not sure what changed or anything but very happy with the new release.

Thank you guys. Keep up the awesome work on a fantastic product.

I saw the same thing at varnish report.

Every time you apply settings, it will be included.

Make report simple and it will never return.

Hi, I'm also new to snort…

I'm just wondering if there is any easier way to search for a rule.
I have a lot of them and when I want to review one upon an alert,
I have to do find the matching one by hand.. The same with suppression....

CPU usage on my Atom D525 X64 with Snort enabled is really low, like 1%