Subcategories

  • Discussions and feedback related to this forum

    608 Topics
    3k Posts
    johnpozJ
    @Popolou well that is recent for sure.. I don't recall putting that in - maybe?? Fixed now it seems which is the good thing. Thanks for bringing to attention.
  • Community Hiring and For Hire postings related to jobs that require pfSense software skills

    27 Topics
    114 Posts
    w0wW
    @sef1414 Name it "run.sh", copy to pf and chmod according to the documentation: https://docs.netgate.com/pfsense/en/latest/development/boot-commands.html#shell-script-option You will see messages in the system log like those quoted in the script after logger command.
  • How to know your tired

    3
    0 Votes
    3 Posts
    309 Views
    JonathanLeeJ
    @stephenw10 no it is not a bug. That is me playing with this Squid version 3 storeID program below. I was turning on debug to log my files, the second I did that it was throwing errors, I learned how to spell true. hahah

    "“Store ID” is another name for the Squid cache key. By default, store IDs are computed by Squid so that different URLs are mapped to different store IDs. This feature allows the proxy admin to specify a custom store ID calculation algorithm via a helper program. It is usually used to assign the same store ID to transactions with different request URLs. Such mapping may reduce misses (i.e., increase hit ratio) when dealing with CDN URLs and similar cases where different URLs are known to point to essentially the same content. Store ID violates HTTP and causes havoc if URLs pointing to different content are incorrectly mapped to the same Store ID. A Squid admin lacks control over URL-to-content mapping used by external CDNs and content providers. Even if the initial reverse engineering of their URL space is successful, maintaining the Store ID helper correctness is usually difficult because of sudden external mapping changes" (wiki.squid-cache.org/).

        #!/usr/local/bin/php -q
        <?php
        /*
           This program is free software: you can redistribute it and/or modify
           it under the terms of the GNU General Public License as published by
           the Free Software Foundation, either version 2 of the License, or
           (at your option) any later version.

           This program is distributed in the hope that it will be useful,
           but WITHOUT ANY WARRANTY; without even the implied warranty of
           MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
           GNU General Public License for more details.

           You should have received a copy of the GNU General Public License
           along with this program. If not, see <http://www.gnu.org/licenses/>.

           Rudi Servo
        */
        /*
           This is a CLI application made for PfSense and Squid 3.
           The idea is to use the already installed php in pfsense to do the storeid_helper.
           As of PfSense 2.2.6 php is on version 5.5.30 and Squid 3.4.
           Although php has a bad reputation for being a continuous running application,
           it has become more and more stable since version 5.5; now with version 7.0 it is
           not only stable but has many performance improvements that surpass most common
           scripting languages. So there is no problem with php running this.

           Usage: you can call the script with many rewrite files or folders
           containing rewrite rules with .conf termination.
           Inside the file there must be a hard tab between the match rule and the
           internal squid resolve.
        */
        # include a small config file, for debug and just in case something else comes up
        include 'conf/storeid.conf.php';

        if ($_DEBUG) {
            file_put_contents($_LOG_FILE, 'Worker Spawn @'.date('Y-m-d H-i-s')."\n", FILE_APPEND);
        }

        // Load "match rule <whitespace> store-id template" pairs from one rules file.
        function addRules(&$rules, $filePath) {
            $file = fopen($filePath, 'r');
            while (($line = fgets($file)) !== false) {
                $read = preg_split('/\s+/', $line);
                // Skip blank or incomplete lines: an empty pattern would match every URL
                // and map unrelated content to the same store ID.
                if (count($read) < 2 || $read[0] === '' || $read[1] === '') {
                    continue;
                }
                $rules['/'.$read[0].'/'] = $read[1];
            }
            fclose($file);
        }

        // Each argument is either a rules file or a directory of *.conf rules files.
        $rules = array();
        $size = sizeof($argv);
        for ($i = 1; $i < $size; $i++) {
            if (is_dir($argv[$i])) {
                $path = $argv[$i];
                $files = scandir($path);
                foreach ($files as $file) {
                    $p_info = pathinfo($file);
                    if (isset($p_info['extension']) && $p_info['extension'] == 'conf') {
                        addRules($rules, $path.'/'.$file);
                    }
                }
            } else {
                addRules($rules, $argv[$i]);
            }
        }

        if (!empty($rules)) {
            $stdin = fopen('php://stdin', 'r');
            $i_url = null;
            // One URL per line from Squid; stop on EOF (fgets() returns false) or 'quit'.
            while (false !== ($line = fgets($stdin))) {
                $url = rtrim($line, "\n\r");
                if ($url == 'quit') {
                    break;
                }
                $found = false;
                foreach ($rules as $rule => $target) {
                    if (preg_match($rule, $url, $matches)) {
                        $i_url = $target;
                        // Substitute each $N placeholder with its capture group.
                        for ($i = 1; $i < sizeof($matches); $i++) {
                            $i_url = preg_replace('/\$'.$i.'/', $matches[$i], $i_url);
                        }
                        // Add the reply prefix once, after all substitutions.
                        $i_url = "OK store-id=".$i_url."\n";
                        $found = true;
                        break;
                    }
                }
                if (!$found) {
                    $i_url = "ERR\n";
                }
                echo $i_url;
                if ($_DEBUG) {
                    if (!$found) {
                        $i_url = "ERR - ".$url."\n";
                    }
                    file_put_contents($_LOG_FILE, $i_url, FILE_APPEND);
                }
            }
            fclose($stdin);
            if ($_DEBUG) {
                file_put_contents($_LOG_FILE, 'Worker Closed @ '.date('Y-m-d H-i-s')."\n", FILE_APPEND);
            }
        }

    (github.com/rudiservo)

        <?php
        $_DEBUG = false;
        $_LOG_FILE = '/var/squid/logs/storeid.log';

    (github.com/rudiservo)

    I am trying to get better dynamic cache hits. [image] Have you played with this ever? Again it should say refresh and not hit right? The wiki status codes are confusing also. [image] [image]

    Ref: https://github.com/rudiservo/pfsense_storeid/tree/master https://wiki.squid-cache.org/Features/StoreID https://wiki.squid-cache.org/Features/StoreID/DB
  • WIFI Malware Using Geolocator...

    11
    0 Votes
    11 Posts
    1k Views
    NollipfSenseN
    @provels said in WIFI Malware Using Geolocator...: what does this get the hacker? Maybe just to know the GPS info of where this WIFI lives...if the hacker lives abroad, maybe it's an invitation to visit... @provels said in WIFI Malware Using Geolocator...: what does Google even gain from providing this service? More info about a potential revenue source for Google to craft and perfect their approach to extracting wealth from client's pocket to fatten their shareholders. Remember, Google is in the business of extracting wealth through behavior modification of those who use its services.
  • Epic!!! A Connection Machine in a Raspberry pi!!

    1
    1 Votes
    1 Posts
    199 Views
    No one has replied
  • vs. untangle (arista)

    Moved
    7
    0 Votes
    7 Posts
    1k Views
    S
    @chasinreno It doesn't sound like the firewall itself failed you. What kind of bot was it? How did it come in? How and where did you find it? The firewall CAN do AV scanning but if it was sent over an HTTPS connection then it would need to perform a MITM attack in order to be able to scan the download. AV scanning is best left to being able to view it in an unencrypted format, like directly on the PC. Paid AV has extra features like better scanning for fileless attacks, advanced script protection, or firewalls but I've found the real strength of the paid versions is the management, reporting, and support during an infection. In this case it sounds like the firewall did its job. It found malicious traffic going across the network and stopped it. IDS/IPS protects network traffic by, essentially, profiles. It protects based on the reputation of the remote network and the type of traffic being sent. It doesn't determine whether that traffic is good or bad. For example, if I want to port forward for SQL queries but I've blocked that in my IDS, it will be blocked. It doesn't care if it is me (good) or an attacker (bad). In this case, you downloaded a file (a legitimate type of traffic) from a site not blocked via IDS/IPS (a site with a neutral or better reputation) but then that file began sending traffic the IDS/IPS didn't like (NOT legitimate traffic) maybe to a site that was blocked (perhaps a poor reputation). That's what's supposed to happen. What appears to have failed you is your AV. It's best to figure out what got in and how, upload the infected files to virustotal (for crowdsourcing) and report it to the AV company. What was the infection and what was the AV you were using? When you upload it to virustotal it should give you a link. Post it here, I'd be curious to see what it was.
  • 0 Votes
    14 Posts
    1k Views
    johnpozJ
    @velbon the only thing needed from pfsense is the config xml file.. It's very very small - do you not have a copy online with the pfsense ACB.. https://docs.netgate.com/pfsense/en/latest/backup/autoconfigbackup.html You should prob set that up going forward.
  • I just Cloned & Upgraded my 1TB NVMe to a 2TB NVMe on my Thinkpad

    1
    0 Votes
    1 Posts
    157 Views
    No one has replied
  • How to safely open sketchy email?

    12
    0 Votes
    12 Posts
    1k Views
    F
    @DKenn Thanks, I did find out and it seems to have been ordinary spam, just formatted very well so the filter missed it. All good I hope
  • 0 Votes
    3 Posts
    633 Views
    planedropP
    @rcoleman-netgate Yeah @smokethrower2 if you can install OpenWRT or something then this would make your life easier, otherwise just getting another AP is probably the easiest route to go (not saying there aren't other solutions though).
  • After upgrading Deb10 to Deb11 - No ip address on boot - Wasted 4 hr's

    6
    0 Votes
    6 Posts
    705 Views
    bingo600B
    @Gertjan It might have been pulled in when I installed iproute2. I did that in order to play with some VRF "lookalike" on linux. /Bingo
  • Critical MikroTik RouterOS Vulnerability

    3
    0 Votes
    3 Posts
    492 Views
    C
    https://www.bleepingcomputer.com/news/security/super-admin-elevation-bug-puts-900-000-mikrotik-devices-at-risk/
  • 2.5Gbit Ethernet on a budget - so far so good!

    14
    0 Votes
    14 Posts
    3k Views
    johnpozJ
    @RobbieTT yes pps is a very important number true.. What I meant by wire speed is you can see gig (or what is expected on gig) you would never actually see gig, etc. Or 2.5 or 5 or 10, etc. You're not going to see 2.5Mbps with imix was my point.. Thanks for the clarification..
  • BIOS Rootkits and Malware on Mini PC Devices

    4
    0 Votes
    4 Posts
    2k Views
    M
    @pV5 I would always favor getting a Netgate for two reasons. Helps support the project and how people get paid. Reliability and security from a trusted source. Netgate is installing the software. Netgate is delivering the patches. Netgate updates the firmware. The supply chain is at the very least secured and it's controlled by a known source - Netgate. The Qotom box is cheap but sketchy. Lots of different variables in getting that mini PC into the hands of consumers. Who updates the BIOS? Who updates the drivers? Even if you wipe the installed software and re-install pfsense yourself that doesn't mean you haven't already been exploited.
  • NTP = Amateur

    ntp
    3
    0 Votes
    3 Posts
    815 Views
    AndyRHA
    @RobbieTT said in NTP = Amateur: At £4000 to £5000 Pro is anti-cheap.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.