• Suricata and firewall rules

    1
    0 Votes
    1 Posts
    762 Views
    No one has replied
  • How to block spotify on pfsense?

    5
    0 Votes
    5 Posts
    11k Views
    BBcan177B

    If you want to capture all of those IPs on that page without doing it manually, you could run the following script:

    You can change the link or Folder/File Locations or pipe it to a file.

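    #!/bin/sh
    # Download the search results page (change the URL or the output path as needed).
    fetch -v -o /tmp/ips.raw "http://bgp.he.net/search?search%5Bsearch%5D=spotify&commit=Search"
    # First pattern: IPv4 networks with a two-digit prefix length (a.b.c.d/NN).
    # Second pattern: bare IPv4 addresses.
    # The matches are sorted numerically by octet and de-duplicated.
    grep -aoEw \
      -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/[0-9]{2}" \
      -e "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" \
      /tmp/ips.raw | sort -t . -k 1,1n -k 2,2n -k 3,3n -k 4,4n | uniq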

  • Adding snort rule to suppress list via SSH

    2
    0 Votes
    2 Posts
    832 Views
    bmeeksB

    @willdashwood:

    Hello,

    I know that the recommended way to manage things is via the web gui but I prefer using SSH to search for IPs that are blocked. Unless I'm missing something, the web gui doesn't seem to have the ability to search for IPs on either the alert list or block IP list so I just use grep

    grep IP /var/log/snort/snort_igb163179/*

    So I'm happy with that but when I find a rule that's been triggered and it's a false positive, it would be handy to be able to suppress that rule via SSH. What's the best way of doing so?

    I can see our suppress list is here:

    /usr/pbi/snort-amd64/etc/snort/snort_63179_igb1/suppwansuppress_5436571eeaef6

    So I could just append the rule ID to that file but presumably I would need to restart the service for it to take effect and I'm not even sure how to do that via SSH. Is there a better way?

    Thanks

    Will

    Sorry, but no better way.  You have the basic mechanics for part of the process down, but your solution will not be satisfactory in the longer term.

    That's because there is one big problem there is no solution for.  The text file you found is recreated each time a SAVE operation occurs within the Snort GUI.  It is also recreated each time the rules are updated by the automatic update process.  This occurs by the GUI calling a custom PHP function within the Snort GUI code called "sync_snort_package_config()".  So changing that text file will prove to be very short-lived.

    You can restart Snort easily by executing the rc script and passing it either "stop" and then "start", or just "restart".  The script lives here:

    /usr/local/etc/rc.d/snort.sh

    So something like this after updating that text file you found:

    /usr/local/etc/rc.d/snort.sh restart

    As mentioned above, this is really not a long-term solution.  The actual content of the Suppress List is stored as Base64 data within the config.xml file containing the entire pfSense configuration.  The contents of that data is what gets actually updated during the SAVE operation, then it is decoded and written to the text file you referenced.

    Bill

  • Backup from SSH or web gui command line? Firmware update via ssh?

    3
    0 Votes
    3 Posts
    1k Views
    E

    @jimp:

    1- Menu option 13

    2- Copy /conf/config.xml

    I didn't have console access, however I got it figured out :)

  • OpenVPN page crashes webgui on October 10th build.

    2
    0 Votes
    2 Posts
    670 Views
    jimpJ

    Does restarting the GUI and/or PHP-FPM from the console/ssh help?
    I can't seem to reproduce it here but I'm on a current build.

  • IOS (iPhone & iPad) pfSense management app?

    6
    0 Votes
    6 Posts
    15k Views
    stephenw10S

    Unfortunately I suspect the critical funding level will be higher than any bounty can raise in purely economic terms. More likely someone who does IOS apps everyday will find themselves wanting this and just do it.

    There is already a 'mobile' theme that is triggered by detecting the client as IOS or Android (or by the browser version?). It would seem to be quite straightforward to have an 'app' send a user agent string that triggers a different theme.

    It would be nice to have something that didn't rely on the webgui at all. It might be completely impractical, I have no idea. I could imagine something that connected via SSH and edited the config file. Would probably be far more work though.

    There must be other similar management apps that have solved these problems before, let's not reinvent the wheel here.

    Steve

  • WAN is pegged

    4
    0 Votes
    4 Posts
    1k Views
    DerelictD

    Status->Traffic Graph might give you enough info now to get you looking in the right place without installing other packages.

  • Throughput

    5
    0 Votes
    5 Posts
    1k Views
    A

    Thank you, Steve.  I appreciate your insight.

  • Bridge stuck in learning mode?

    2
    0 Votes
    2 Posts
    1k Views
    stephenw10S

    Hmm, you've bridged three different types of interface. Does the error appear for all three types?

    Steve

  • Passing Email ports through my second gateway

    3
    0 Votes
    3 Posts
    582 Views
    S

    Hi Firewalluser thank you for your reply..much appreciated..I will try that for sure :)

  • Miniupnpd Strict Mode

    2
    0 Votes
    2 Posts
    745 Views
    stephenw10S

    Have you actually tried just replacing the binary?

    Steve

  • Resolved IP addresses for FQDNs in IP alias list linger after removal

    2
    0 Votes
    2 Posts
    685 Views
    D

    Hi,

    You've probably figured this out now, but on the Firewall/Aliases page, to the top-right is a cog. If you click this, then select the table corresponding to your alias' name, you can manually delete entries without a reboot.

    Dooby

  • Known 2.1.4 - 2.1.5 upgrade issues?

    2
    0 Votes
    2 Posts
    523 Views
    jimpJ

    There have been a couple minor things found/fixed after 2.1.5, but the only one of any note is the GUI issue that some have with cached CSS and/or local fonts that can cause the Help menu to wrap under the system menu. Search around, there are probably a dozen or more threads about it, but it's easy to work around and does not impact traffic or services.

  • Modify Old Posts

    2
    0 Votes
    2 Posts
    543 Views
    stephenw10S

    Post editing is only available for a limited time, 14 days perhaps. I'm uncertain.
    It used to be much longer which was handy for someone like me who makes loads of typos, I would correct them whenever I read back through a thread. The downside is that by editing older posts you are changing the historical record. It's possible to make an otherwise useful thread completely unreadable by removing some piece of key information.

    Steve

  • Backup/Restore Page: "No page assigned to this user!"

    1
    0 Votes
    1 Posts
    801 Views
    No one has replied
  • No internet for PPPOE clients

    1
    0 Votes
    1 Posts
    586 Views
    No one has replied
  • PfSense Cert Creation - Alternate Names?

    2
    0 Votes
    2 Posts
    1k Views
    E

    Upon further searching, it appears that it is not actually a fully-implemented feature… https://forum.pfsense.org/index.php?topic=68512.0

    Any recommendations of how I could use an already-created CA to generate a certificate with some other cert creating software? (or via commandline in pfSense)

  • SSL Cert - Home Server

    2
    0 Votes
    2 Posts
    624 Views
    C

    Probably because you're hitting the firewall's web interface instead? No split DNS or reflection (search doc.pfsense.org for those) enabled would give you it instead of the server.

    If you proceed past the cert warning, and actually are on your internal server, then it's something to do with the server itself.

  • WAN works on DHCP, not on Static IP

    4
    0 Votes
    4 Posts
    1k Views
    P

    All those sort of changes (WAN IP address and/or netmask) happen on-the-fly without reboot. So I am not sure what happened there - I guess some confusion between the upstream device and pfSense WAN, who knows! Glad it is working now.

  • 0 Votes
    7 Posts
    2k Views
    C

    I'll give you one example I went out and saw in the field last weekend. TOURtech, "the market leader in providing temporary network solutions for the events industry", runs all their Internet traffic at events through a HA pair of pfSense boxes. They do the networking for many large events. Last weekend, they invited me down to see their impressive setup at ACL Fest. It's a significant network across the site, with all their Internet traffic (payment processing and other mission-critical things to the event) running through a pair of our C2758 appliances.

    @acriollo:

    maybe something like CISA CISM CGEIT CRISC ?

    Those are certifications for people, not software.

    @charliem:

    Maybe he refers to Safe Harbor; Cisco certifies certain IOS (old) releases, or they used to anyway.

    That's a QA thing of sorts, and maintaining old software for certain usage cases. Don't think that's really relevant here.
