Snort 2.9.2.3 pkg v. 2.5.0 Issues
-
I confirm that after the installation of the latest package (2.5.1) the issue of blocking whitelisted IPs has been resolved! :)
If I am right the problem with the auto-update is still pending.
@miles267: Please install the latest package and you will find there the SSL data Preprocessor.
-
I just updated the snort package and now upon restart its giving me
Jul 22 12:38:41 snort[26253]: FATAL ERROR: /usr/local/etc/snort/snort_44959_re0/rules/snort_botnet-cnc.rules(372) Unknown rule option: 'ssl_state'.
Jul 22 12:38:41 snort[26253]: FATAL ERROR: /usr/local/etc/snort/snort_44959_re0/rules/snort_botnet-cnc.rules(372) Unknown rule option: 'ssl_state'.I havent changed my rules/categories. The same as i have been running for some time.
Good news was when I updated I didnt get the errors in the system log like i did before upon completion of the install.
I noticed a new SSL option on the preprocesser Tab.
Enable that option and restarted no issues/errors so far.
I want to say thanks for all the work you all have been doing on this package to keep it updated/adding new features/ resolving bugs.
I cant imagine not having snort up and running. :-)
Where is this SSL option? I do not see it on any snort preprocessors tab. There is an "Sensitive Data" option although after it's checked, I'm not quite sure how to use or configure it?
What version are you on? I am on 2.9.2.3 pkg v. 2.5.1
On the preporcessor tab (within the interface your monitoring) right above enable sensitive data is one that says enable ssl data. That is the one I turned on. If the option is not there, I would suggest upgrading or reinstalling the package. -
ermal,
If you need preprocessor x for rule x there should be a better linkage of that, or displayed somewhere.
it's even more complicated, because snort allows to maintain state info between different rules (the "flowbits" stuff). In order to get a consistent set of activated preprocessors and rules, one should also scan all enabled and disabled rules, look at the required preprocessors and the corresponding flowbits statements (set, isset, …). If you view all these items as resources, a dependency graph should be created and then evaluate the graph for all activated items and write the proper configuration files, which might include activating previously disabled rules.
Is it worth it? I typically have only a few manageable rules and hardly need anything more than http_inspect (more or less), so I wouldn't need it. But, it might be a cool feature---you click on a single rule, dependencies are evaluated, and dependent rules and preprocs are "drawn in" by a ghost hand.
-
ermal,
If you need preprocessor x for rule x there should be a better linkage of that, or displayed somewhere.
it's even more complicated, because snort allows to maintain state info between different rules (the "flowbits" stuff). In order to get a consistent set of activated preprocessors and rules, one should also scan all enabled and disabled rules, look at the required preprocessors and the corresponding flowbits statements (set, isset, …). If you view all these items as resources, a dependency graph should be created and then evaluate the graph for all activated items and write the proper configuration files, which might include activating previously disabled rules.
Is it worth it? I typically have only a few manageable rules and hardly need anything more than http_inspect (more or less), so I wouldn't need it. But, it might be a cool feature---you click on a single rule, dependencies are evaluated, and dependent rules and preprocs are "drawn in" by a ghost hand.
I'm still a Snort rookie, but aren't the above tasks exactly what the Pulled Pork help application is supposed to accomplish automatically? If so, is there a way to incorporate it into the pfSense build of Snort? I will do some more research on how Pulled Pork operates, but off the top of my head I seem to remember it was a command-line utility (Perl script, I think) that does the magic.
-
bmeeks,
i am not sure that you can tell pulledpork these are my preprocessors make my snort start!
-
bmeeks,
exactly. I haven't used PulledPork so far. Perl would again be part of the Snort package. I'd think that evaluating PulledPork should be done and then coding should be in php. GUI-wise only an option "Enable auto dependencies" or s.th. like that would suffice. Generating the dependency graph should not be too difficult.
-
Sorry, but I need to go home now…
-
@ermal:
bmeeks,
i am not sure that you can tell pulledpork these are my preprocessors make my snort start!
Ermal:
From my limited research, it appears Pulled Pork offers three pre-defined rule sets that automatically enable or disable particular rules (and I assume associated preprocessors). You choose a protection level by choosing a rule set, and Pulled Pork does the rest (I think… :)) The pre-defined rule sets are Connectivity, Balanced and Security. Of course, you can still individually select rules for enabling, disabling or modifying. Pulled Pork remembers those changes across rule updates. The Snort blogs say it also makes sure the correct Flow Bits dependencies are set for the activated rules. In fact, the Snort blogs now say Pulled Pork is a requisite for running Snort optimally.
So if Pulled Pork were integrated into the Snort GUI in pfSense (or maybe available as a separate package that integrates with the Snort package), then novice pfSense users would have an easy way to select a starting rule set based on their security needs. Connectivity preserves speed and connectivity above pure security. Balanced is a blend of both, and is recommended for new users and average users. Security targets threat protection above connectivity and performance.
One idea I had was the addition of a Pulled Pork tab into the current Snort tab layout. On the Pulled Pork page you would choose a pre-defined rule set from the list of three based on your needs. The selected GUI values would get translated into config values for Pulled Pork, and then the Pulled Pork script would be called to "do its thing".
-
I'm now intrigued by Pulled Pork. I saw the .tar.gz file available on this site: http://code.google.com/p/pulledpork/
How do you install it under pfsense and run it? I think many can benefit from these instructions. Wasn't even aware that it existed.
-
@ermal:
I removed subnets/cidr mask from auto generated addreses for whitelist and you can put them with the alias you configure if you want.
I bumped the package to 2.5.1
Thanks a lot Ermal, now my WAN ip addresses don't get blocked anymore!
Cheers,
Michele -
Hi guys,
there is no permanent fix (included in the latest package) for the auto-update issue yet, right?
The duplicate log entries of snort in the system log is something related to pfsense and not snort? :-\ -
auto updating works with 2.5.1
-
Thanks Ermal! Im away from my box but was able to update remotely. Whitelist only, seems to be working the way it was in the past. My WAN isn't being block. With the way everything is now, we need away to Whitelisttt subnets. I would suggest changing Netlist back to the way it was. Where an .IP or subnet would be exempt from being block. Default list would include interface IPs, DNS, VPN subnets,etc (whatever was there before)fore). it would be up to the user to create a custom NETLIST if they didn't want certainn IPs that were included by the default NETLIST(HOME_LIST)
-
I thought I'd wake this thread up and let you guys know I just had the same problem as previously listed in the thread. I had all of the above problems. I had to uninstall Snort, remove anything snort from command line including un-ticking the "Keep settings" option in snort prior to removing snort and reinstall to resolve a couple of the issues. Then I had to un-tick Enable Sensitive Data to get Snort to fire back up correctly.
Was a bit of a pain and I'm concerned the Snort breaks so often. As it is I have to fire Snort back up every time it auto updates -
I pushed some fixes that should help with snort not starting after rule update.
Reinstall and test.
-
@ermal:
I pushed some fixes that should help with snort not starting after rule update.
Reinstall and test.
I installed this update, now I'm unable to install snort rules (ET works fine). I did a full reinstall, including deleting all my settings(!) and rm -rf any directories containing 'snort'. Unfortunately, system log gives vague error:
Nov 2 09:59:43 php: /snort/snort_download_rules.php: Snort rules file downloaded failed…
-
New Pfsense user here. Still seems to be an issue with auto updates.
I'm running Pfsense 2.1 latest build and latest Snort Package with auto updates on. The first auto update performed crashed/disabled Snort. Restarted Snort ….... Said it restarted......Seems to be broken......Cold boot.....same thing.....reboot.......Nothing.......Broken. GUI shows it as stopped.
After turning Auto updates off and manually updating signatures everything seems to be up and running again.
-
Same issues here. Also, pfsense wasn't remembering my rule changes across updates, meaning that I can't use it in a commercial setting right now. Without the rule hysteresis, all the policy blocks are back on after each update.
-
I have an issue with Snort Blocking the newly acquired WAN IP address.
It happens a few times lately when my power supply failed on a DSL modem.I have to go to the snort Blocked and remove the WAN IP from the list and things run smoothly. I sit beside the modem so it's not a big deal. ;) However is the modem was 2 miles away …. :'(
Disconnecting from the Web Interface does not reproduce this problem, it seems it only happens when the Ethernet port goes off/online.
Maybe when Snort restart, it could/should remove the WAN IP from the Blocked list.2013-01-19 14:09:29 Local0.Info 172.24.42.254 pf: 00:00:13.621331 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20117, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-19 14:09:29 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 124.182.236.55.59795: Flags [R.], cksum 0x4170 (correct), seq 4, ack 1, win 0, length 0 2013-01-19 14:09:31 Local0.Info 172.24.42.254 pf: 00:00:02.499712 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 14494, offset 0, flags [DF], proto TCP (6), length 73) 2013-01-19 14:09:31 Local0.Info 172.24.42.254 pf: 172.24.48.84.52634 > 98.139.218.251.993: Flags [P.], cksum 0x2926 (correct), ack 1, win 16708, length 33 2013-01-19 14:09:34 Local0.Info 172.24.42.254 pf: 00:00:02.572018 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20164, offset 0, flags [DF], proto TCP (6), length 52) 2013-01-19 14:09:34 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 77.11.235.51.59819: Flags [F.], cksum 0x074e (correct), seq 4, ack 1, win 257, options [nop,nop,TS val 90214240 ecr 144955388], length 0 2013-01-19 14:09:36 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-19 14:09:36 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-19 14:09:36 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-19 14:09:36 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 12 in 4 seconds 2013-01-19 14:09:37 Local0.Info 172.24.42.254 pf: 00:00:03.459512 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20195, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-19 14:09:37 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 203.26.236.151.21598: Flags [R.], cksum 0x969f (correct), seq 4, ack 1, win 0, length 0 2013-01-19 14:09:40 Local0.Info 172.24.42.254 pf: 00:00:02.691438 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20215, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-19 14:09:40 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 175.156.246.70.46238: Flags [R.], cksum 0xdb07 (correct), seq 5, ack 1, win 0, length 0 2013-01-19 14:09:40 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 12 2013-01-19 14:09:40 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-19 14:09:46 Local0.Info 172.24.42.254 pf: 00:00:06.441514 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20277, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-19 14:09:46 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 66.91.229.251.62047: Flags [R.], cksum 0x3819 (correct), seq 5, ack 1, win 0, length 0 2013-01-19 14:09:47 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0 2013-01-19 14:09:47 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to UP 2013-01-19 14:09:48 Local0.Info 172.24.42.254 pf: 00:00:01.765544 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20300, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-19 14:09:48 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 77.11.235.51.59819: Flags [R.], cksum 0xb6c2 (correct), seq 5, ack 1, win 0, length 0 2013-01-19 14:09:49 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-19 14:09:49 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-19 14:09:49 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-19 14:09:49 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 13 in 4 seconds 2013-01-19 14:09:51 Local0.Info 172.24.42.254 pf: 00:00:02.758237 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20332, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-19 14:09:51 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 89.95.29.148.4268: Flags [F.], cksum 0x4cd0 (correct), seq 4, ack 1, win 259, length 0 2013-01-19 14:09:53 Daemon.Warning 172.24.42.254 miniupnpd[14851]: NewLeaseDuration=1800 not supported, ignored. (ip=172.24.48.32, desc='Tixati_v1.92_UDP_port') 2013-01-19 14:09:53 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 13 2013-01-19 14:09:53 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-19 14:09:54 Local0.Info 172.24.42.254 pf: 00:00:02.883816 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20363, offset 0, flags [DF], proto TCP (6), length 56) 2013-01-19 14:09:54 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 41.137.25.48.41291: Flags [FP.], cksum 0x61ff (correct), seq 4:8, ack 1, win 255, options [nop,nop,TS val 90216240 ecr 63314], length 4 2013-01-19 14:09:56 Local0.Info 172.24.42.254 pf: 00:00:02.108175 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20380, offset 0, flags [DF], proto TCP (6), length 1462) 2013-01-19 14:09:56 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 46.120.53.241.54008: Flags [P.], ack 1, win 64765, length 1422 2013-01-19 14:10:00 Cron.Info 172.24.42.254 /usr/sbin/cron[5741]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc) 2013-01-19 14:10:02 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-19 14:10:02 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-19 14:10:02 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-19 14:10:02 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 14 in 2 seconds 2013-01-19 14:10:04 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 14 2013-01-19 14:10:04 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-19 14:10:06 Local0.Info 172.24.42.254 pf: 00:00:10.480453 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20475, offset 0, flags [DF], proto TCP (6), length 1046) 2013-01-19 14:10:06 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 94.193.250.50.65321: Flags [FP.], seq 0:1006, ack 1, win 258, length 1006 2013-01-19 14:10:10 Local0.Info 172.24.42.254 pf: 00:00:03.609422 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20506, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-19 14:10:10 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 41.137.25.48.41291: Flags [R.], cksum 0x2ffd (correct), seq 9, ack 1, win 0, length 0 2013-01-19 14:10:14 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-19 14:10:14 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-19 14:10:14 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-19 14:10:14 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 15 in 3 seconds 2013-01-19 14:10:14 Local0.Info 172.24.42.254 pf: 00:00:04.430282 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 14780, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-19 14:10:14 Local0.Info 172.24.42.254 pf: 172.24.48.84.52634 > 98.139.218.251.993: Flags [R.], cksum 0x5bc6 (correct), seq 33, ack 1, win 0, length 0 2013-01-19 14:10:15 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0 2013-01-19 14:10:15 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to DOWN 2013-01-19 14:10:15 Local0.Info 172.24.42.254 pf: 00:00:00.339215 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20541, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-19 14:10:15 Local0.Info 172.24.42.254 pf: 172.24.48.32.18447 > 89.95.29.148.4268: Flags [R.], cksum 0x4dcf (correct), seq 5, ack 1, win 0, length 0 2013-01-19 14:10:17 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 15 2013-01-19 14:10:17 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-19 14:10:17 User.Notice 172.24.42.254 check_reload_status: Linkup starting fxp0 2013-01-19 14:10:17 Kernel.Notice 172.24.42.254 kernel: fxp0: link state changed to UP 2013-01-19 14:10:26 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-19 14:10:26 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-19 14:10:26 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-19 14:10:26 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 16 in 3 seconds 2013-01-19 14:10:29 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 16 2013-01-19 14:10:29 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-19 14:10:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE connection timeout after 9 seconds 2013-01-19 14:10:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: DOWN event 2013-01-19 14:10:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Down event 2013-01-19 14:10:38 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 17 in 2 seconds 2013-01-19 14:10:40 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: reconnection attempt 17 2013-01-19 14:10:40 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: Connecting to '' 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: PPPoE: rec'd ACNAME "bas10-montreal02" 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] PPPoE: connection successful 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: UP event 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: Up event 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Starting --> Req-Sent 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #12 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 2d14526c 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #10 (Req-Sent) 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 38452021 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #10 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 38452021 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #12 (Ack-Sent) 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 2d14526c 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "xxxxxx@yyyyyyy.zzz" 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Request #1 (Opened) 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1462 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 38452021 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerDown 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigReq #13 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 2d14526c 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: SendConfigAck #1 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1462 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] AUTHPROTO PAP 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 38452021 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Opened --> Ack-Sent 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: rec'd Configure Ack #13 (Ack-Sent) 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] PROTOCOMP 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MRU 1492 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] MAGICNUM 2d14526c 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: state change Ack-Sent --> Opened 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: using authname "xxxxx@yyyyyyy.zzz" 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: sending REQUEST #1 len: 31 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: LayerUp 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] PAP: rec'd ACK #1 len: 5 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] LCP: authorization successful 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Matched action 'bundle "wan" ""' 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan_link0] Link: Join bundle "wan" 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Open event 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Initial --> Starting 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerStart 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: Up event 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Starting --> Req-Sent 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #13 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 0.0.0.0 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 0.0.0.0 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 0.0.0.0 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Request #6 (Req-Sent) 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 10.250.0.9 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] 10.250.0.9 is OK 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigAck #6 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 10.250.0.9 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Reject #13 (Ack-Sent) 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] COMPPROTO VJCOMP, 16 comp. channels, no comp-cid 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #14 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 0.0.0.0 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 0.0.0.0 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 0.0.0.0 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Nak #14 (Ack-Sent) 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 199.192.238.25 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] 199.192.238.25 is OK 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.250.0.9 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: SendConfigReq #15 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 199.192.238.25 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.250.0.9 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: rec'd Configure Ack #15 (Ack-Sent) 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPADDR 199.192.238.25 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] PRIDNS 10.250.0.9 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] SECDNS 24.226.147.201 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: state change Ack-Sent --> Opened 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] IPCP: LayerUp 2013-01-19 14:10:42 Daemon.Info 172.24.42.254 ppp: [wan] 199.192.238.25 -> 10.250.0.9 2013-01-19 14:10:42 User.Notice 172.24.42.254 check_reload_status: Rewriting resolv.conf 2013-01-19 14:10:43 User.Notice 172.24.42.254 check_reload_status: rc.newwanip starting pppoe1 2013-01-19 14:10:43 Daemon.Info 172.24.42.254 ppp: [wan] IFACE: Up event 2013-01-19 14:10:49 User.Warning 172.24.42.254 php: : rc.newwanip: Informational is starting pppoe1. 2013-01-19 14:10:49 User.Warning 172.24.42.254 php: : rc.newwanip: on (IP address: 199.192.238.25) (interface: wan) (real interface: pppoe1). 2013-01-19 14:10:49 User.Warning 172.24.42.254 php: : ROUTING: setting default route to 10.250.0.9 2013-01-19 14:10:49 User.Error 172.24.42.254 apinger: Exiting on signal 15. 2013-01-19 14:10:50 Daemon.Info 172.24.42.254 dnsmasq[63143]: reading /etc/resolv.conf 2013-01-19 14:10:50 Daemon.Info 172.24.42.254 dnsmasq[63143]: using nameserver 24.226.147.201#53 2013-01-19 14:10:50 Daemon.Info 172.24.42.254 dnsmasq[63143]: using nameserver 10.250.0.9#53 2013-01-19 14:10:50 Daemon.Warning 172.24.42.254 dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface 2013-01-19 14:10:50 User.Notice 172.24.42.254 check_reload_status: Reloading filter 2013-01-19 14:10:50 User.Error 172.24.42.254 apinger: Starting Alarm Pinger, apinger(40665) 2013-01-19 14:10:55 User.Warning 172.24.42.254 php: : Resyncing OpenVPN instances for interface WAN. 2013-01-19 14:10:55 User.Warning 172.24.42.254 php: : Creating rrd update script 2013-01-19 14:10:56 Daemon.Info 172.24.42.254 ntpd[22401]: Terminating 2013-01-19 14:10:56 User.Warning 172.24.42.254 php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 21280: No such process' 2013-01-19 14:10:56 User.Warning 172.24.42.254 php: : OpenNTPD is starting up. 2013-01-19 14:10:56 User.Warning 172.24.42.254 php: : pfSense package system has detected an ip change 96.43.229.159 -> ... Restarting packages. 2013-01-19 14:10:56 User.Notice 172.24.42.254 check_reload_status: Starting packages 2013-01-19 14:10:56 Local0.Info 172.24.42.254 pf: 00:00:41.148891 rule 2/0(match): block out on pppoe1: (tos 0x0, ttl 127, id 21101, offset 0, flags [DF], proto TCP (6), length 1462) 2013-01-19 14:10:56 Local0.Info 172.24.42.254 pf: 96.43.229.159.33901 > 46.120.53.241.54008: Flags [P.], ack 2575765534, win 64765, length 1422 2013-01-19 14:11:01 Auth.Alert 172.24.42.254 snort[8384]: [122:26:1] PSNG_ICMP_PORTSWEEP_FILTERED [Classification: Attempted Information Leak] [Priority: 2] {PROTO:255} 199.192.238.25 -> 74.125.226.41 2013-01-19 14:11:02 User.Warning 172.24.42.254 php: : Restarting/Starting all packages. 2013-01-19 14:11:10 User.Error 172.24.42.254 apinger: ALARM: WAN(10.250.0.9) *** down *** 2013-01-19 14:11:11 User.Notice 172.24.42.254 check_reload_status: Syncing firewall 2013-01-19 14:11:11 User.Notice 172.24.42.254 check_reload_status: Reloading filter 2013-01-19 14:11:11 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting. 2013-01-19 14:11:12 User.Notice 172.24.42.254 check_reload_status: Syncing firewall 2013-01-19 14:11:12 User.Notice 172.24.42.254 check_reload_status: Reloading filter 2013-01-19 14:11:12 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting. 2013-01-19 14:11:13 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting. 2013-01-19 14:11:13 User.Warning 172.24.42.254 php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting. 2013-01-19 14:11:16 Daemon.Info 172.24.42.254 SnortStartup[53746]: Snort STOP For Wan Snort(18203_pppoe1)... 2013-01-19 14:11:17 Daemon.Error 172.24.42.254 snort[8384]: *** Caught Term-Signal 2013-01-19 14:11:17 Kernel.Info 172.24.42.254 kernel: pppoe1: promiscuous mode disabled 2013-01-19 14:11:18 Daemon.Notice 172.24.42.254 snort[8384]: =============================================================================== 2013-01-19 14:11:18 Daemon.Notice 172.24.42.254 snort[8384]: Run time for packet processing was 36881.74985 seconds 2013-01-19 14:11:18 Daemon.Notice 172.24.42.254 snort[8384]: Snort processed 6330687 packets. 2013-01-19 14:11:18 Daemon.Notice 172.24.42.254 snort[8384]: Snort ran for 0 days 10 hours 14 minutes 41 seconds 2013-01-19 14:11:18 Daemon.Notice 172.24.42.254 snort[8384]: Pkts/hr: 633068 2013-01-19 14:11:18 Daemon.Notice 172.24.42.254 snort[8384]: Pkts/min: 10310 2013-01-19 14:11:18 Daemon.Notice 172.24.42.254 snort[8384]: Pkts/sec: 171 ... 2013-01-19 14:11:18 Daemon.Error 172.24.42.254 snort[8384]: Could not remove pid file /var/run/snort_pppoe118203.pid: No such file or directory 2013-01-19 14:11:19 Daemon.Notice 172.24.42.254 snort[8384]: Snort exiting 2013-01-19 14:11:19 Daemon.Info 172.24.42.254 SnortStartup[3227]: Snort STOP For Lan(53096_bridge0)... 2013-01-19 14:11:19 Cron.Info 172.24.42.254 /usr/sbin/cron[5607]: (CRON) DEATH (cron already running, pid: 29495) 2013-01-19 14:11:20 Daemon.Notice 172.24.42.254 snort[6149]: Found pid path directive (/var/run) 2013-01-19 14:11:20 Daemon.Notice 172.24.42.254 snort[6149]: Running in IDS mode 2013-01-19 14:11:20 Daemon.Notice 172.24.42.254 snort[6149]: 2013-01-19 14:11:20 Daemon.Notice 172.24.42.254 snort[6149]: --== Initializing Snort ==-- 2013-01-19 14:11:20 Daemon.Notice 172.24.42.254 snort[6149]: Initializing Output Plugins! 2013-01-19 14:11:20 Daemon.Notice 172.24.42.254 snort[6149]: Initializing Preprocessors! 2013-01-19 14:11:20 Daemon.Notice 172.24.42.254 snort[6149]: Initializing Plug-ins! 2013-01-19 14:11:20 Daemon.Notice 172.24.42.254 snort[6149]: Parsing Rules file "/usr/local/etc/snort/snort_18203_pppoe1/snort.conf" ... 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[57546]: [ Number of null byte prefixed patterns trimmed: 4690 ] 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[57546]: pcap DAQ configured to passive. 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[57546]: The DAQ version does not support reload. 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[57546]: Acquiring network traffic from "bridge0". 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[57546]: Initializing daemon mode 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[21641]: Daemon initialized, signaled parent pid: 57546 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[21641]: Reload thread starting... 2013-01-19 14:12:11 Daemon.Info 172.24.42.254 SnortStartup[21676]: Snort START For Lan(53096_bridge0)... 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[21641]: Reload thread started, thread 0x3cff9740 (21641) 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[21641]: Decoding Ethernet 2013-01-19 14:12:11 Kernel.Info 172.24.42.254 kernel: bridge0: promiscuous mode enabled 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[21641]: Checking PID path... 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[21641]: PID path stat checked out ok, PID path set to /var/run 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[21641]: Writing PID "21641" to file "/var/run/snort_bridge053096.pid" 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[21641]: 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[21641]: --== Initialization Complete ==-- 2013-01-19 14:12:11 Daemon.Notice 172.24.42.254 snort[21641]: Commencing packet processing (pid=21641) 2013-01-19 14:12:25 User.Error 172.24.42.254 apinger: alarm canceled: WAN(10.250.0.9) *** down *** 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 00:01:34.556180 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 22326, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 00:00:00.000031 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22326, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 00:00:00.035634 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22327, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 00:00:00.000032 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 22327, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22327, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 00:00:00.094243 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22329, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 00:00:00.000054 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 22329, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22329, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:30 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 00:00:00.266089 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22332, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 00:00:00.000030 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 22332, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 00:00:00.000013 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22332, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 00:00:00.006642 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22333, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 00:00:00.000030 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 22333, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 00:00:00.000013 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22333, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 00:00:00.227067 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22342, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 00:00:00.000035 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 22342, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 22342, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:31 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:35 User.Notice 172.24.42.254 check_reload_status: Reloading filter 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:18.115624 rule 2/0(match): block out on pppoe1: (tos 0x0, ttl 127, id 16408, offset 0, flags [DF], proto TCP (6), length 73) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 199.192.238.25.2030 > 74.125.142.108.993: Flags [P.], cksum 0xb513 (correct), ack 3477012993, win 16646, length 33 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000652 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 16409, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000086 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16409, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.002810 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16411, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000030 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 16411, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16411, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.064198 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16466, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000069 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 16466, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000016 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16466, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.236779 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16514, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000096 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 16514, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000015 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16514, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000545 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16515, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000028 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 16515, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16515, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.122940 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16539, offset 0, flags [none], proto IGMP (2), length 48, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000030 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 16539, offset 0, flags [none], proto IGMP (2), length 48, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 00:00:00.000013 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16539, offset 0, flags [none], proto IGMP (2), length 48, options (RA)) 2013-01-19 14:12:49 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:50 User.Error 172.24.42.254 apinger: /usr/local/bin/rrdtool respawning too fast, waiting 300s. 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 00:00:00.176181 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16549, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 00:00:00.000034 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 16549, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 00:00:00.000010 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16549, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 00:00:00.000081 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16550, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 00:00:00.000067 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 16550, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 00:00:00.000013 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16550, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 00:00:00.259698 rule 2/0(match): block out on pppoe1: (tos 0x0, ttl 127, id 16557, offset 0, flags [DF], proto TCP (6), length 73) 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 199.192.238.25.42360 > 74.125.142.108.993: Flags [P.], cksum 0x1789 (correct), ack 3477012993, win 16646, length 33 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 00:00:00.063863 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16560, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 00:00:00.000055 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 16560, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 00:00:00.000017 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 16560, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:12:50 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:12:51 Local0.Info 172.24.42.254 pf: 00:00:01.636090 rule 2/0(match): block out on pppoe1: (tos 0x0, ttl 127, id 16717, offset 0, flags [DF], proto TCP (6), length 73) 2013-01-19 14:12:51 Local0.Info 172.24.42.254 pf: 199.192.238.25.50874 > 74.125.142.108.993: Flags [P.], cksum 0xf646 (correct), ack 3477012993, win 16646, length 33 2013-01-19 14:12:55 Local0.Info 172.24.42.254 pf: 00:00:03.299385 rule 2/0(match): block out on pppoe1: (tos 0x0, ttl 127, id 16810, offset 0, flags [none], proto TCP (6), length 73) 2013-01-19 14:12:55 Local0.Info 172.24.42.254 pf: 199.192.238.25.64636 > 74.125.142.108.993: Flags [P.], cksum 0xc084 (correct), ack 3477012993, win 16646, length 33 2013-01-19 14:12:58 Local0.Info 172.24.42.254 pf: 00:00:03.300201 rule 2/0(match): block out on pppoe1: (tos 0x0, ttl 127, id 16850, offset 0, flags [none], proto TCP (6), length 73) 2013-01-19 14:12:58 Local0.Info 172.24.42.254 pf: 199.192.238.25.32735 > 74.125.142.108.993: Flags [P.], cksum 0x3d22 (correct), ack 3477012993, win 16646, length 33 2013-01-19 14:13:01 Local0.Info 172.24.42.254 pf: 00:00:03.299921 rule 2/0(match): block out on pppoe1: (tos 0x0, ttl 127, id 16866, offset 0, flags [DF], proto TCP (6), length 73) 2013-01-19 14:13:01 Local0.Info 172.24.42.254 pf: 199.192.238.25.19486 > 74.125.142.108.993: Flags [P.], cksum 0x70e3 (correct), ack 3477012993, win 16646, length 33 2013-01-19 14:13:08 Local0.Info 172.24.42.254 pf: 00:00:06.600618 rule 2/0(match): block out on pppoe1: (tos 0x0, ttl 127, id 16904, offset 0, flags [DF], proto TCP (6), length 73) 2013-01-19 14:13:08 Local0.Info 172.24.42.254 pf: 199.192.238.25.22116 > 74.125.142.108.993: Flags [P.], cksum 0x669d (correct), ack 3477012993, win 16646, length 33 2013-01-19 14:13:21 Local0.Info 172.24.42.254 pf: 00:00:13.199589 rule 2/0(match): block out on pppoe1: (tos 0x0, ttl 127, id 17111, offset 0, flags [DF], proto TCP (6), length 73) 2013-01-19 14:13:21 Local0.Info 172.24.42.254 pf: 199.192.238.25.9343 > 74.125.142.108.993: Flags [P.], cksum 0x9882 (correct), ack 3477012993, win 16646, length 33 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:12.622297 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 17781, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000076 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17781, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.005870 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17783, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000030 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 17783, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17783, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.005717 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17785, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000027 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 17785, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17785, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000090 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17786, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000024 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 17786, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000013 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17786, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.029238 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17789, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000033 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 17789, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17789, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.273112 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17822, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000032 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 17822, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000013 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17822, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000091 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17823, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000022 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 17823, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000013 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17823, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.226790 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17850, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000058 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 17850, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 17850, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:13:35 Local0.Info 172.24.42.254 pf: 172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:13:48 Local0.Info 172.24.42.254 pf: 00:00:13.135819 rule 2/0(match): block out on pppoe1: (tos 0x0, ttl 127, id 18585, offset 0, flags [DF], proto TCP (6), length 40) 2013-01-19 14:13:48 Local0.Info 172.24.42.254 pf: 199.192.238.25.40730 > 74.125.142.108.993: Flags [R.], cksum 0xc6b7 (correct), seq 2407487129, ack 3477012993, win 0, length 0 2013-01-19 14:15:00 Cron.Info 172.24.42.254 /usr/sbin/cron[32497]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc) 2013-01-19 14:15:00 Cron.Info 172.24.42.254 /usr/sbin/cron[32222]: (root) CMD (/usr/bin/nice -n20 /usr/local/sbin/expiretable -t 10800 snort2c) 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 00:01:14.950986 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 2750, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 00:00:00.000021 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2750, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 00:00:00.055303 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2753, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 00:00:00.000022 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 2753, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 00:00:00.000009 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2753, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 00:00:00.083522 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2755, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 00:00:00.000028 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 2755, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 00:00:00.000009 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2755, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:03 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.230214 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2757, offset 0, flags [none], proto IGMP (2), length 48, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.000057 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 2757, offset 0, flags [none], proto IGMP (2), length 48, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2757, offset 0, flags [none], proto IGMP (2), length 48, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)] [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.000035 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 2762, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.000050 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2762, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.061596 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2764, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.000035 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 2764, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.000013 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2764, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.093995 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2766, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.000065 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 2766, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 00:00:00.000016 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 2766, offset 0, flags [none], proto IGMP (2), length 40, options (RA)) 2013-01-19 14:15:04 Local0.Info 172.24.42.254 pf: 172.24.48.32 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] 2013-01-19 14:15:10 Local0.Info 172.24.42.254 pf: 00:00:05.917517 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 115, id 21877, offset 0, flags [none], proto UDP (17), length 58) 2013-01-19 14:15:10 Local0.Info 172.24.42.254 pf: 24.89.231.188.62691 > 199.192.238.25.26836: UDP, length 30 2013-01-19 14:15:13 Local0.Info 172.24.42.254 pf: 00:00:02.577828 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 115, id 22126, offset 0, flags [none], proto UDP (17), length 58) 2013-01-19 14:15:13 Local0.Info 172.24.42.254 pf: 24.89.231.188.62691 > 199.192.238.25.26836: UDP, length 30 2013-01-19 14:15:16 Local0.Info 172.24.42.254 pf: 00:00:03.256166 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 115, id 22435, offset 0, flags [none], proto UDP (17), length 58) 2013-01-19 14:15:16 Local0.Info 172.24.42.254 pf: 24.89.231.188.62691 > 199.192.238.25.26836: UDP, length 30 2013-01-19 14:15:19 Local0.Info 172.24.42.254 pf: 00:00:03.348764 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 115, id 22826, offset 0, flags [none], proto UDP (17), length 58) 2013-01-19 14:15:19 Local0.Info 172.24.42.254 pf: 24.89.231.188.62691 > 199.192.238.25.26836: UDP, length 30 2013-01-19 14:15:24 Local0.Info 172.24.42.254 pf: 00:00:05.043766 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 115, id 23506, offset 0, flags [none], proto UDP (17), length 58) 2013-01-19 14:15:24 Local0.Info 172.24.42.254 pf: 24.89.231.188.62691 > 199.192.238.25.26836: UDP, length 30 2013-01-19 14:15:25 Local0.Info 172.24.42.254 pf: 00:00:00.364758 rule 54/0(match): pass in on pppoe1: (tos 0x0, ttl 46, id 38524, offset 0, flags [none], proto ICMP (1), length 76) 2013-01-19 14:15:25 Local0.Info 172.24.42.254 pf: 69.205.234.29 > 199.192.238.25: ICMP host 192.168.1.25 unreachable, length 56 2013-01-19 14:15:25 Local0.Info 172.24.42.254 pf: <009>(tos 0x0, ttl 109, id 5705, offset 0, flags [none], proto UDP (17), length 48) 2013-01-19 14:15:25 Local0.Info 172.24.42.254 pf: 199.192.238.25.32662 > 192.168.1.25.13826: UDP, length 20 2013-01-19 14:15:30 Local0.Info 172.24.42.254 pf: 00:00:05.546332 rule 1/0(match): block -
Can you please test the latest package and see if it behaves better?
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.