  • Need to block vpn/proxies

    3 Posts · 0 Votes · 702 Views
    bmeeks:
    @scorpoin said in Need to block vpn/proxies: Greetings to community, I've configured pfblocker-ng in pfSense 2.5.0 version. Blocked many social networking, streaming and some other categories as well; it is working fine, but some users installed a VPN app on their systems/phones to bypass that restriction. I've installed Snort and enabled AppID as well. When I enable Block Offenders it starts to block everyone in the network. I've added my system IP into the passlist to avoid blocking by Snort. Rules selected as below:
    emerging-scan.rules <== ET open
    snort_indicator-scan.rules <== ET_text
    vpn_tunnel <== appID
    Home Net: selected the default, and "Which IP to block" set to: Dst. My only goal with Snort is to block VPN tunnels. I know it won't work out 100%, but it will be fine to save some of my bandwidth. Regards

    If you are using Snort in the pfSense-2.5 DEVEL snapshots, then you have access to its Inline IPS Mode. This will work much better for OpenAppID than Legacy Blocking Mode. Legacy Blocking Mode blocks all traffic to an IP once any alert for that IP is triggered. This is not always optimal. Inline IPS Mode will selectively drop (or block) only traffic matching a DROP rule. So if your NIC hardware supports netmap operation, then switch to Inline IPS Mode. There is a Sticky Post at the top of this forum describing how that works. Note that when using the Inline IPS Mode you will need to use the features on the SID MGMT tab to change selected rules to DROP from their default ALERT action in order to actually block or drop traffic.
  • Suricata blocking IPs that are on the passlist

    7 Posts · 0 Votes · 2k Views
    ELMcDonald:
    @bmeeks said in Suricata blocking IPs that are on the passlist: @ELMcDonald said in Suricata blocking IPs that are on the passlist: No they are not, also not listed in any of the logs.

    Then if the IP is not listed in an alert showing on the ALERTS tab, Suricata is not the cause. It is not possible for Suricata to block without showing the IP in an alert and on the BLOCKS tab. Just for info, blocked IPs are never shown anywhere in the pfSense system log nor in the suricata.log. So don't look for them there. Look on the ALERTS and BLOCKS tabs. IPs from triggered rules only show up on the ALERTS tab or the BLOCKS tab.

    I understand what you are saying. I can't get to reddit while it's running and I did check it is in legacy mode. As soon as it stops I can access the site and use the app. One odd thing, I can ping and tracert to the site with no problems.

    These statements prove to me that Suricata is not your problem (if you are actually using Legacy Mode). Suricata blocks everything for an IP once it blocks. That includes all ports and all protocols. So nothing would work for a given IP if Suricata is actually doing the blocking, so the tracert and ping would fail. This is especially the case in Legacy Mode. It is impossible within the code for Suricata in Legacy Mode to block just one protocol for an IP. I don't mean to be rude, but your description of the issue leads me to believe you need much more experience with an IDS before you put it in blocking mode. Go to the INTERFACE SETTINGS tab (for your WAN, since you said you are running Suricata on the WAN) and uncheck the box for Block Offenders. Save the change and restart Suricata. See how things work then. If everything works fine, then that indicates you have a lot of learning to do with regards to how to operate and utilize the Suricata package. The things you have described as happening to you thus far do not follow logically based on other information you are giving to my questions. To be blunt, it can't be working exactly as you describe. The code just does not work that way. Perhaps you are not describing things correctly when answering my specific questions.

    I admitted that I have no experience with IDS/IPS. Do you have any sites that would be good for a beginner? I stumbled upon another address that my research didn't find the first time. Added that IP and did a test and all works. Turned blocking mode back off. Thank you for your help.
  • Snort exit with signal 10 or 11 when doing certain updates

    15 Posts · 0 Votes · 2k Views
    fireodo:
    @bmeeks said in Snort exit with signal 10 or 11 when doing certain updates: Variations of this problem occur elsewhere in the C source for Snort (and to some degree, in Suricata as well). Other binary packages have similar issues (the ones I mentioned in my earlier post). Turning off compiler optimizations may fix some issues, but not necessarily all of them everywhere in the code. It is a very daunting problem!

    Oh I see - like it says in my native language: it's a very deep fountain. The compiler folks scream "fix your darn code!", and the application people say "just have your compiler make safe choices for op-codes because my code works fine on other platforms!"
  • Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes

    18 Posts · 1 Votes · 2k Views
    @bmeeks Oh man, I had no idea! Thank you for the advice, I really appreciate it.
  • Inspection Recursion Limit (if left blank, suricata wont start).

    1 Post · 0 Votes · 113 Views
    No one has replied
  • Random Crash HWCUR

    6 Posts · 0 Votes · 2k Views
    Cool_Corona:
    Just to revive an old topic... I am seeing the same thing on IGB drivers (E1000 NICs). Just not in abundance. The netmap errors go away if you manually select autoselect or any other setting besides default on the interface page. Start with the interface showing the netmap errors. Choose autoselect [image] and the errors go away instantly.
  • Suricata service is not starting

    2 Posts · 0 Votes · 588 Views
    bmeeks:
    I can't tell what exactly since you censored the content of the HOME_NET variable, but something is corrupt in there. And that value is populated with information pulled from the firewall's config.xml file and by making pfSense system calls to obtain certain information such as default gateway, DNS servers, interface IPs, etc. Something in your system's setup is now borked and that is causing an improper HOME_NET variable to be constructed and written to the suricata.yaml configuration file for the interface. Have you made any kind of change to pfSense recently? When was the last time you know Suricata was working, and what (if anything) was changed on the firewall between then and now? That's where I would start my investigation.
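    A practical first step for the "corrupt HOME_NET" diagnosis above is to pull the generated HOME_NET value out of the interface's suricata.yaml and check every entry in it. The checker below is an added example written for this page, not code from the pfSense Suricata package; it assumes you have copied the HOME_NET string from the `address-groups` section of suricata.yaml by hand, and the sample value it runs on is constructed to show the kinds of damage it reports (stray commas, non-IP tokens, unbalanced brackets).

```python
"""Added helper to sanity-check the HOME_NET address group that the pfSense
package writes into suricata.yaml. Not part of the package; the sample value
below is constructed to show the kinds of corruption it flags."""
import ipaddress


def check_home_net(value):
    """Validate a Suricata address-group string such as '[192.168.1.0/24,10.0.0.1]'.

    Returns (normalised_entries, problems). Negated entries ('!10.0.0.1') are
    kept; nested bracket groups are reported rather than parsed, since a
    generated HOME_NET should be a flat list.
    """
    text = value.strip()
    if text.startswith('[') and text.endswith(']'):
        text = text[1:-1]
    elif '[' in text or ']' in text:
        return [], ['unbalanced brackets in HOME_NET']
    if not text.strip():
        return [], ['HOME_NET is empty']

    entries, problems = [], []
    for raw in text.split(','):
        tok = raw.strip()
        if not tok:
            problems.append('empty entry (stray comma)')
            continue
        if '[' in tok or ']' in tok:
            problems.append(f'nested group not handled by this checker: {tok!r}')
            continue
        negated = tok.startswith('!')
        body = tok[1:] if negated else tok
        try:
            # strict=False so a bare host address or a prefix is accepted either way
            net = ipaddress.ip_network(body, strict=False)
        except ValueError:
            problems.append(f'not an IP address or CIDR: {tok!r}')
            continue
        entries.append(('!' if negated else '') + str(net))
    return entries, problems


# Constructed sample: a HOME_NET with a stray comma, a junk token and a trailing space.
SAMPLE_HOME_NET = '[192.168.1.0/24,10.0.0.1,,fd00:1234::/48,!192.168.1.50,notanip,172.16.0.0/12 ]'

if __name__ == '__main__':
    entries, problems = check_home_net(SAMPLE_HOME_NET)
    print('valid entries:', entries)
    for p in problems:
        print('PROBLEM:', p)
```

    Run it on the real value from `vars: address-groups: HOME_NET:` in the interface's suricata.yaml; any line it prints as PROBLEM points at the config.xml item or system lookup (gateway, DNS server, interface address) that produced the bad token.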
  • Snort v4.1_1 Update for pfSense-2.5-DEVEL -- Release Notes

    1 Post · 0 Votes · 137 Views
    No one has replied
  • Suricata IDS and IPS

    29 Posts · 0 Votes · 4k Views
    DaddyGo:
    @anx exactly: (I know you love to learn, this is an older post (thread) but worth reading) https://forum.netgate.com/topic/147785/pfblockerng-devel-dnsbl-cert-error Reddit threads as well, if it is possible edit: BTW: Follow @bmeeks Bill's advice, if your question falls into this group (category) and you'd get to know pfBlockerNG, there are good professionals here. https://forum.netgate.com/category/62/pfblockerng.
  • Suricata inline mode IPS and VLANS

    22 Posts · 1 Votes · 3k Views
    bmeeks:
    @NRgia said in Suricata inline mode IPS and VLANS: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=236584 After I disabled the following:
    ifconfig ix2 -vlanhwtso -vlanhwfilter -vlanhwtag -vlanhwcsum
    I can start Suricata in inline mode on a parent interface that has other VLANs. I thought it was OK to share, if this is not known already. Tested on pfSense 2.5.0, but I don't think it matters.

    I think this is a driver-specific issue. The em series driver appears to be the one not honoring the disable option. Other drivers do (like your ix series). There are other features of FreeBSD networking that do not play well with the netmap device either. One of them is limiters (packet shaping). Several folks have reported that when that is enabled in pfSense (FreeBSD, actually), network traffic stops on the interface. There are also reports of the traffic graph function not working when netmap is running on an interface.
  • Can I use IPS to trigger a custom action?

    8 Posts · 0 Votes · 1k Views
    NollipfSense:
    @NogBadTheBad said in Can I use IPS to trigger a custom action?: @NollipfSense said in Can I use IPS to trigger a custom action?: Are these instructions an example for the OP?

    You'd need to follow the full instructions to install homebridge and Homebridge Config UI X, then you'd get a web interface. The above code I posted is to create a motion sensor that detects motion when my NAS doesn't ping.

    Awesomely, thank you!
  • pcap for Snort

    12 Posts · 0 Votes · 4k Views
    @bmeeks What a fast turnaround! Thanks so much for the work.
  • Suricata Select all and change all in a given category??

    4 Posts · 0 Votes · 653 Views
    bmeeks:
    @Cool_Corona said in Suricata Select all and change all in a given category??: @bmeeks said in Suricata Select all and change all in a given category??: Sorry, but no. That feature is not something that makes much sense to me. If you want to modify lots and lots of rules, then use the SID MGMT tab features. That tab is tailor-made for the task. I have been asked about it before and I gave the same answer then. A feature like that is not on my list. The PHP code necessary behind the scenes to keep track of possibly hundreds of checked parameters across a $_POST session call is burdensome and would be prone to errors. The idea behind the RULES tab is to let you modify just a handful of rules here and there. For large-scale rule mods, use the SID MGMT tab and the accompanying custom SID.conf files.

    Thanks B. Would SID mgmt be a local issue or download lists available online and therefore be a potential security risk?

    SID MGMT makes use of text-based configuration files modelled after those used with PulledPork. Using selection features in the conf files lets you choose rules using several different criteria. You can then modify a rule's content, action or state ('enabled' or 'disabled'). There is a sticky post at the top of this forum describing the feature and how to use it. Here is a link: https://forum.netgate.com/topic/128480/how-automatic-sid-management-and-user-rule-overrides-work-in-snort-and-suricata. Enable SID MGMT on that tab and then open and read through the provided sample config files. They have comments inside and examples.
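    The SID MGMT mechanism described in this reply, and in the "Need to block vpn/proxies" thread above where bmeeks says the SID MGMT tab is how selected rules get their action changed from ALERT to DROP for Inline IPS Mode, can be illustrated with a small stand-alone re-implementation. The block below is an added example for this page, not the pfSense package's own PHP code. It assumes the PulledPork-style selector syntax the reply refers to (a whole category by its `.rules` file name, `gid:sid` tokens, and `pcre:` regexes against the rule text); the rule lines and the SIDs in the 9000000 range are constructed for the example and are not real ET Open rules.

```python
"""Added illustration of a PulledPork-style SID selection list applied to
Snort/Suricata rule text, rewriting the matched ALERT rules to DROP.
Not the pfSense package's own code; rule texts and SIDs are constructed."""
import re

SID_RE = re.compile(r'\bsid:\s*(\d+)\s*;')
GID_RE = re.compile(r'\bgid:\s*(\d+)\s*;')
SELECTOR_RE = re.compile(r'(\d+):(\d+)')


def rule_gid_sid(rule):
    """Return (gid, sid) for a rule line, defaulting gid to 1 as Snort does."""
    sid = SID_RE.search(rule)
    if not sid:
        return None
    gid = GID_RE.search(rule)
    return (int(gid.group(1)) if gid else 1, int(sid.group(1)))


def parse_selectors(conf_text):
    """Parse a dropsid-style conf into (category files, gid:sid set, regexes).

    Supported line forms, mirroring the PulledPork enablesid/disablesid/dropsid
    style: '# comment', 'emerging-scan.rules', '1:9000001,1:9000021', 'pcre:regex'.
    """
    files, sids, pcres = set(), set(), []
    for raw in conf_text.splitlines():
        line = raw.split('#', 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith('pcre:'):
            pcres.append(re.compile(line[len('pcre:'):]))
        elif line.endswith('.rules'):
            files.add(line)
        else:
            for tok in line.split(','):
                m = SELECTOR_RE.fullmatch(tok.strip())
                if not m:
                    raise ValueError(f'unrecognised selector: {tok.strip()!r}')
                sids.add((int(m.group(1)), int(m.group(2))))
    return files, sids, pcres


def apply_drop(rules_by_file, conf_text):
    """Rewrite enabled 'alert' rules selected by conf_text to 'drop'.

    Returns (new rules dict, list of (gid, sid) that were changed). Rules that
    are commented out (disabled) are left alone, as are rules already set to drop.
    """
    files, sids, pcres = parse_selectors(conf_text)
    out, changed = {}, []
    for fname, lines in rules_by_file.items():
        new_lines = []
        for line in lines:
            rule = line.strip()
            selected = rule.startswith('alert ') and (
                fname in files
                or rule_gid_sid(rule) in sids
                or any(p.search(rule) for p in pcres)
            )
            if selected:
                new_lines.append('drop ' + rule[len('alert '):])
                changed.append(rule_gid_sid(rule))
            else:
                new_lines.append(line)
        out[fname] = new_lines
    return out, changed


# Constructed sample rules: ET-Open-like syntax, but the SIDs and content are made up.
SAMPLE_RULES = {
    'emerging-scan.rules': [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"EXAMPLE SCAN ssh probe"; flags:S; sid:9000001; rev:1;)',
        '# alert tcp $EXTERNAL_NET any -> $HOME_NET 23 (msg:"EXAMPLE SCAN telnet probe (disabled)"; flags:S; sid:9000002; rev:1;)',
    ],
    'vpn_tunnel.rules': [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"EXAMPLE VPN tunnel client hello"; appid:vpn_example; sid:9000010; rev:1;)',
    ],
    'emerging-web_server.rules': [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE WEB_SERVER sqli attempt"; content:"UNION SELECT"; sid:9000020; rev:1;)',
        'alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS (msg:"EXAMPLE WEB_SERVER path traversal"; content:"../"; sid:9000021; rev:1;)',
    ],
}

# Constructed dropsid-style conf exercising all three selector forms.
SAMPLE_DROPSID_CONF = """
# whole category: every enabled rule in the file becomes DROP
vpn_tunnel.rules
# individual gid:sid selectors
1:9000001,1:9000021
# regex against the full rule text
pcre:sqli
"""

if __name__ == '__main__':
    rules, changed = apply_drop(SAMPLE_RULES, SAMPLE_DROPSID_CONF)
    for fname, lines in rules.items():
        print(f'== {fname}')
        for line in lines:
            print(line)
    print('changed to DROP:', changed)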
  • Snort inline IPS mode

    3 Posts · 0 Votes · 2k Views
    @bmeeks Thank you,
  • Two different Firewalls/Two different lists of ET Open rulesets

    10 Posts · 0 Votes · 2k Views
    @bmeeks Understood. Thanks!
  • Snort in 2.5.0 Jumbo frames are not handled correctly in mode Inline IPS

    6 Posts · 0 Votes · 1k Views
    bmeeks:
    The term "hardened" does in fact mean some small customizations are done to the baseline FreeBSD operating system. pfSense does the same. Neither firewall distro uses an unmodified FreeBSD underlying OS, but so far as I know the bulk (if not all) of the customization is within the two native firewall engines within FreeBSD: pf and ipfw. What is not clearly stated in the link you provided is whether the FreeBSD versions quoted are RELEASE or STABLE. See, there is both a FreeBSD 12.1/RELEASE and a FreeBSD 12.1/STABLE version. Each version is different although both say "12.1". The STABLE branch is more "current" as it contains features and enhancements over the RELEASE branch, but those additional changes also entail some amount of additional risk that is more similar to what you expect with development versions of a product.
  • Snort Package v3.2.9.10_2 Release Notes

    7 Posts · 2 Votes · 1k Views
    @bmeeks Thank you
  • [SOLVED] Snort will not start

    7 Posts · 0 Votes · 5k Views
    @bmeeks ok, got it
  • Suricata - workers mode : single thread ?

    5 Posts · 0 Votes · 2k Views
    yeah I even went into the trouble of compiling the Intel driver but still same issues, it even rebooted on me ...
  • Suricata not Working after Cpu change

    4 Posts · 0 Votes · 512 Views
    bmeeks:
    @cavaco said in Suricata not Working after Cpu change: @bmeeks thank you very much, after setting the memory from 32 m to almost 1000 m it started..... but will try with lower. Thank you very much

    Yeah, 1024 MB is probably a bit much unless you have tons of free RAM. Try 512 MB or even 256 MB instead.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.