Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker

    Scheduled Pinned Locked Moved pfSense Packages
    171 Posts 26 Posters 186.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • ?
      A Former User
      last edited by

      New lists are out. Get prepared for next week's cyber attack now. The authorization was just cleared. Expect a "Keeping You Scared" appearance by Diane (note to the FBI operative reading this: If you can, please contact her and tell her Pegasus will fly low). The scenario is Russian spies will attempt to infiltrate NSA's systems, and in retaliation, NSA will launch an attack. Don't get caught in the crossfire. Update your snort configuration now! The actual attack will start a couple of days before Christmas, to keep the "covert" part obvious.

      Update notes: All lists have a >>>DISABLED:# on the bottom. Scrolling down in your pfsense and checking the numbers in a list there shows you in a glance if the list is identical to what is shown here.

      –------------------------------------------------------------------------------------------------------------------------------------------------
      In tab "Rules", under "Category" select:
      (--- means blank table at time of writing)

      emerging-activex > all

      DISABLED:0

      emerging-attack_responses > all

      DISABLED:0

      DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

      emerging-chat > all except:
      2010784 ET CHAT Facebook Chat (send message)
      2010785 ET CHAT Facebook Chat (buddy list)
      2010786 ET CHAT Facebook Chat (settings)
      2010819 ET CHAT Facebook Chat using XMPP
      2002327 ET CHAT Google Talk (Jabber) Client Login
      2002334 ET CHAT Google IM traffic Jabber client sign-on
      2001241 ET CHAT MSN file transfer request
      2001242 ET CHAT MSN file transfer accept
      2001243 ET CHAT MSN file transfer reject
      2001682 ET CHAT MSN IM Poll via HTTP
      2002192 ET CHAT MSN status change
      2008289 ET CHAT Possible MSN Messenger File Transfer
      2009375 ET CHAT General MSN Chat Activity
      2009376 ET CHAT MSN User-Agent Activity
      2001595 ET CHAT Skype VOIP Checking Version (Startup)
      2002157 ET CHAT Skype User-Agent detected
      2003022 ET CHAT Skype Bootstrap Node (udp)

      DISABLED:17

      DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt

      DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt

      emerging-current_events > all

      DISABLED:0

      emerging-deleted > ---

      emerging-dns > all except:
      2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt
      2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
      2001117 ET DNS Standard query response, Name Error

      DISABLED:3

      emerging-dos > all

      DISABLED:0

      DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p

      DO NOT USE! > emerging-dshield > use pfblocker with: (cannot find specific list, but ip listed in pfblocker tables, NEED HELP HERE<<<<) Could be due to ET list used by pfblocker. http://rules.emergingthreats.net/blockrules/compromised-ips.txt <<< includes IP related to different subjects, so its a misc list, likely including the hosts I could not find on specific lists.

      emerging-exploit > all except:
      2001058 ET EXPLOIT libpng tRNS overflow attempt
      2002913 ET EXPLOIT VNC Client response
      2002914 ET EXPLOIT VNC Server VNC Auth Offer
      2002919 ET EXPLOIT VNC Good Authentication Reply
      2002915 ET EXPLOIT VNC Authentication Reply
      2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
      2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3

      DISABLED:7

      emerging-ftp > all

      DISABLED:0

      emerging-games > all

      DISABLED:0

      emerging-icmp > ---

      emerging-icmp_info > ---

      emerging-imap > ---

      emerging-inappropriate > all except:
      2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
      2001608 ET INAPPROPRIATE Likely Porn

      DISABLED:2

      emerging-info > all except:
      2014472 ET INFO JAVA - Java Archive Download
      2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
      2014819 ET INFO Packed Executable Download
      2015016 ET INFO FTP STOR to External Network
      2015561 ET INFO PDF Using CCITTFax Filter
      2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
      2016360 ET INFO JAVA - ClassID
      2016361 ET INFO JAVA - ClassID
      2016404 ET INFO MPEG Download Over HTTP (1)
      2015674 ET INFO 3XX redirect to data URL
      2016847 ET INFO Possible Chrome Plugin install
      2017669 ET INFO Zip File

      DISABLED:12

      emerging-malware > all except:
      2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
      2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
      2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related

      DISABLED:3

      emerging-misc > all

      DISABLED:0

      emerging-mobile_malware > all except:
      2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
      2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI

      DISABLED:2

      emerging-netbios > all

      DISABLED:0

      emerging-p2p > all except:
      2000369 ET P2P BitTorrent Announce
      2007727 ET P2P possible torrent download
      2008581 ET P2P BitTorrent DHT ping request
      2008583 ET P2P BitTorrent DHT nodes reply
      2008585 ET P2P BitTorrent DHT announce_peers request
      2010144 ET P2P Vuze BT UDP Connection (5)
      2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
      2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
      2014734 ET P2P BitTorrent - Torrent File Downloaded
      2003317 ET P2P Edonkey Search Request (any type file)
      2009971 ET P2P eMule KAD Network Hello Request (2)
      2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82)

      DISABLED:12

      emerging-policy > all except:
      2000419 ET POLICY PE EXE or DLL Windows file download
      2000428 ET POLICY ZIP file download
      2001115 ET POLICY MSI (microsoft installer file) download
      2003595 ET POLICY exe download via HTTP - Informational
      2001898 ET POLICY eBay Bid Placed
      2001907 ET POLICY eBay Placing Item for sale
      2001908 ET POLICY eBay View Item
      2001909 ET POLICY eBay Watch This Item
      2003303 ET POLICY FTP Login Attempt (non-anonymous)
      2003410 ET POLICY FTP Login Successful
      2003121 ET POLICY docs.google.com Activity
      2003597 ET POLICY Google Calendar in Use
      2002801 ET POLICY Google Desktop User-Agent Detected
      2002838 ET POLICY Google Search Appliance browsing the Internet
      2000035 ET POLICY Hotmail Inbox Access
      2000036 ET POLICY Hotmail Message Access
      2000037 ET POLICY Hotmail Compose Message Access
      2000038 ET POLICY Hotmail Compose Message Submit
      2000039 ET POLICY Hotmail Compose Message Submit Data
      2008238 ET POLICY Hotmail Inbox Access
      2008239 ET POLICY Hotmail Message Access
      2008240 ET POLICY Hotmail Compose Message Access
      2008242 ET POLICY Hotmail Access Full Mode
      2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
      2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
      2002330 ET POLICY Google Talk TLS Client Traffic
      2002332 ET POLICY Google IM traffic Windows client user sign-on
      2002333 ET POLICY Google IM traffic friend invited
      2002878 ET POLICY iTunes User Agent
      2002722 ET POLICY MP3 File Transfer Outbound
      2002723 ET POLICY MP3 File Transfer Inbound
      2001114 ET POLICY Mozilla XPI install files download
      2001973 ET POLICY SSH Server Banner Detected on Expected Port
      2001974 ET POLICY SSH Client Banner Detected on Expected Port
      2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
      2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
      2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
      2001978 ET POLICY SSH session in progress on Expected Port
      2001979 ET POLICY SSH Server Banner Detected on Unusual Port
      2001980 ET POLICY SSH Client Banner Detected on Unusual Port
      2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
      2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
      2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
      2001984 ET POLICY SSH session in progress on Unusual Port
      2009001 ET POLICY Login Credentials Possibly Passed in URI
      2009004 ET POLICY Login Credentials Possibly Passed in POST Data
      2003214 ET POLICY Pingdom.com Monitoring detected
      2003215 ET POLICY Pingdom.com Monitoring Node Active
      2001669 ET POLICY Proxy GET Request
      2001670 ET POLICY Proxy HEAD Request
      2001674 ET POLICY Proxy POST Request
      2001675 ET POLICY Proxy CONNECT Request
      2002922 ET POLICY VNC Authentication Successful
      2002920 ET POLICY VNC Authentication Failure
      2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
      2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
      2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
      2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
      2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
      2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
      2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
      2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
      2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
      2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
      2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
      2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
      2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
      2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
      2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
      2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
      2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
      2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
      2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
      2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
      2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
      2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
      2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
      2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
      2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
      2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
      2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
      2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
      2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
      2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
      2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
      2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
      2001449 ET POLICY Proxy Connection detected
      2002822 ET POLICY Wget User Agent
      2002823 ET POLICY POSSIBLE Web Crawl using Wget
      2002824 ET POLICY CURL User Agent
      2002934 ET POLICY libwww-perl User Agent
      2002828 ET POLICY Googlebot User Agent
      2002829 ET POLICY Googlebot Crawl
      2002830 ET POLICY Msnbot User Agent
      2002831 ET POLICY Msnbot Crawl
      2002832 ET POLICY Yahoo Crawler User Agent
      2002833 ET POLICY Yahoo Crawler Crawl
      2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
      2002948 ET POLICY External Windows Update in Progress
      2002949 ET POLICY Windows Update in Progress
      2001402 ET POLICY ZIPPED DOC in transit
      2001403 ET POLICY ZIPPED XLS in transit
      2001404 ET POLICY ZIPPED EXE in transit
      2001405 ET POLICY ZIPPED PPT in transit
      2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
      2012647 ET POLICY Dropbox.com Offsite File Backup in Use
      2012648 ET POLICY Dropbox Client Broadcasting
      2013028 ET POLICY curl User-Agent Outbound
      2013030 ET POLICY libwww-perl User-Agent
      2013031 ET POLICY Python-urllib/ Suspicious User Agent
      2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
      2013414 ET POLICY Executable served from Amazon S3
      2013458 ET POLICY Facebook Like Button Clicked (1)
      2013459 ET POLICY Facebook Like Button Clicked (2)
      2013503 ET POLICY OS X Software Update Request Outbound
      2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
      2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
      2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
      2014313 ET POLICY Executable Download From DropBox
      2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
      2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
      2017015 ET POLICY DropBox User Content Access over SSL
      2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
      2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
      2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
      2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
      2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
      2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
      2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
      2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
      2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
      2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
      2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
      2001328 ET POLICY SSN Detected in Clear Text (dashed)
      2001384 ET POLICY SSN Detected in Clear Text (spaced)
      2007971 ET POLICY SSN Detected in Clear Text (SSN )
      2007972 ET POLICY SSN Detected in Clear Text (SSN# )
      2011854 ET POLICY Java JAR file download
      2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets  <<<<<<<< handled by ticking block bogon networks in interface settings
      2002752 ET POLICY Reserved Internal IP Traffic    <<<<<<<<<<<<< handled by ticking block private networks in interface settings
      2000418 ET POLICY Executable and linking format (ELF) file download
      2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number)
      2016877 ET POLICY Unsupported/Fake FireFox Version 2.
      2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)
      2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud
      2013255 ET POLICY Majestic12 User-Agent Request Inbound
      2014726 ET POLICY Outdated Windows Flash Version IE
      2012911 ET POLICY URL Contains password Parameter
      2011085 ET POLICY HTTP Redirect to IPv4 Address

      DISABLED:149

      emerging-pop3 > ---

      DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/emerging-rbn-malvertisers.txt

      DO NOT USE! > emerging-rbn > use pfblocker with: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt

      emerging-rpc > ---

      emerging-scada > all

      DISABLED:0

      emerging-scan > all except
      2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
      2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
      2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
      2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack

      DISABLED:4

      emerging-shellcode > all except
      2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
      2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
      2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
      2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
      2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
      2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
      2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray String

      DISABLED:7

      emerging-smtp > all

      DISABLED:0

      emerging-snmp > all

      DISABLED:0

      emerging-sql > all

      DISABLED:0

      emerging-telnet > all

      DISABLED:0

      emerging-tftp > all

      DISABLED:0

      DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p

      emerging-trojan > all except:
      2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
      2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
      2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
      2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
      2001046 ET TROJAN UPX compressed file download possible malware

      DISABLED:5

      emerging-user_agents > all except:
      2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan

      DISABLED:1

      emerging-voip > all

      DISABLED:0

      emerging-web_client > all except
      2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
      2011507 ET WEB_CLIENT PDF With Embedded File
      2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
      2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
      2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
      2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
      2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
      2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
      2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
      2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
      2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
      2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt

      DISABLED:12

      emerging-web_server > all except
      2003099 ET WEB_SERVER Poison Null Byte
      2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
      2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound
      2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)
      2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)

      DISABLED:5

      emerging-web_specific_apps > all except:
      2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
      2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
      2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
      2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)
      2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt

      DISABLED:5

      emerging-worm > all

      DISABLED:0

      GPLv2 community rules > all except
      254 DNS SPOOF query response with TTL of 1 min. and no authority
      384 PROTOCOL-ICMP PING
      385 PROTOCOL-ICMP traceroute
      399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
      402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
      408 PROTOCOL-ICMP Echo Reply
      540 POLICY-SOCIAL Microsoft MSN message
      648 INDICATOR-SHELLCODE x86 NOOP
      649 INDICATOR-SHELLCODE x86 setgid 0
      1200 INDICATOR-COMPROMISE Invalid URL
      1201 INDICATOR-COMPROMISE 403 Forbidden
      1292 INDICATOR-COMPROMISE directory listing
      1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
      1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
      1437 FILE-IDENTIFY Microsoft Windows Media download detected
      1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
      1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
      1852 SERVER-WEBAPP robots.txt access
      1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
      1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
      1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
      1990 POLICY-SOCIAL Microsoft MSN user search
      1991 POLICY-SOCIAL Microsoft MSN login attempt
      2180 PUA-P2P BitTorrent announce request
      2181 PUA-P2P BitTorrent transfer
      2707 FILE-IMAGE JPEG parser multipacket heap overflow
      3463 SERVER-WEBAPP awstats access
      25518 OS-OTHER Apple iPod User-Agent detected
      25519 OS-OTHER Apple iPad User-Agent detected
      25520 OS-OTHER Apple iPhone User-Agent detected
      25521 OS-OTHER Android User-Agent detected
      25522 OS-OTHER Nokia User-Agent detected
      25523 OS-OTHER Samsung User-Agent detected
      25524 OS-OTHER Kindle User-Agent detected
      25525 OS-OTHER Nintendo User-Agent detected

      DISABLED:35

      IPS Policy - Security > all except
      19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
      18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
      16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
      24889 FILE-FLASH Action InitArray stack overflow attempt
      25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
      16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
      15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
      15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
      13360 APP-DETECT failed FTP login attempt

      DISABLED:9

      MIA (Missing In Action) RULES. These rules have been deleted. Or got sucked into a blackhole, dunno. Did someone out there actually read what I write and actually understood me? I'm shocked!!! PLEASE GO BACK TO JUST READING WHAT I WRITE!!! I'm accustomed to arguing for years to convert someone to my views. STOP REMOVING FALSE POSITIVE RULES!!!
      26354 BROWSER-IE Microsoft Internet Explorer expression clause in style tag cross site scripting attempt
      15147 BROWSER-IE Microsoft Internet Explorer malformed iframe buffer overflow attempt
      13964 BROWSER-IE Microsoft Internet Explorer span frontier parsing memory corruption
      11257 BROWSER-IE Microsoft Internet Explorer colgroup tag uninitialized memory exploit attempt
      8375 BROWSER-PLUGINS QuickTime Object ActiveX clsid access
      24891 FILE-FLASH Action InitArray stack overflow attempt
      12183 FILE-FLASH Adobe FLV long string script data buffer overflow
      24714 FILE-IMAGE Oracle Outside In JPEG COC parameter buffer overflow attempt
      24713 FILE-IMAGE Oracle Outside In JPEG COD parameter buffer overflow attempt
      2707 FILE-IMAGE JPEG parser multipacket heap overflow
      23170 FILE-MULTIMEDIA Apple QuickTime MPEG stream padding buffer overflow attempt
      13919 FILE-MULTIMEDIA Apple QuickTime MOV file string handling integer overflow attempt
      21927 FILE-OFFICE Microsoft Office Excel style handling overflow attempt
      15866 FILE-OTHER libxml2 file processing long entity overflow attempt
      23101 FILE-OTHER Cisco WebEx recording integer overflow attempt
      23100 FILE-OTHER Cisco WebEx recording integer overflow attempt
      24229 FILE-OTHER RealNetworks Netzip Classic zip archive long filename buffer overflow attempt
      6504 FILE-OTHER Sophos Anti-Virus CAB file overflow attempt
      16295 FILE-OTHER Kaspersky antivirus library heap buffer overflow - without optional fields
      15362 INDICATOR-OBFUSCATION obfuscated javascript excessive fromCharCode - potential attack
      26616 INDICATOR-OBFUSCATION Javascript indexOf rename attempt
      13864 POLICY-OTHER Microsoft Watson error reporting attempt
      540 POLICY-SOCIAL Microsoft MSN message
      1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
      1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
      1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
      1990 POLICY-SOCIAL Microsoft MSN user search
      1991 POLICY-SOCIAL Microsoft MSN login attempt
      5694 PUA-P2P Skype client setup get newest version attempt
      5693 PUA-P2P Skype client start up get latest version attempt
      5999 PUA-P2P Skype client login
      5998 PUA-P2P Skype client login startup
      16281 PUA-P2P BitTorrent scrape request
      5692 PUA-P2P Skype client successful install
      15317 BROWSER-PLUGINS Akamai DownloadManager ActiveX function call access
      26926 FILE-OTHER Multiple products ZIP archive virus detection bypass attempt
      19560 FILE-MULTIMEDIA Apple iTunes PLS file parsing buffer overflow attempt
      17129 BROWSER-IE Microsoft Internet Explorer use-after-free memory corruption attempt

      Suppression list:

      #GLOBAL

      gen_id 1

      suppress gen_id 1, sig_id 536
      suppress gen_id 1, sig_id 648
      suppress gen_id 1, sig_id 653
      suppress gen_id 1, sig_id 1390
      suppress gen_id 1, sig_id 2452
      suppress gen_id 1, sig_id 11192
      suppress gen_id 1, sig_id 15306
      suppress gen_id 1, sig_id 16313
      suppress gen_id 1, sig_id 17458
      suppress gen_id 1, sig_id 20583
      suppress gen_id 1, sig_id 23098
      suppress gen_id 1, sig_id 2000334
      suppress gen_id 1, sig_id 2008120
      suppress gen_id 1, sig_id 2010516
      suppress gen_id 1, sig_id 20122758
      suppress gen_id 1, sig_id 2014518
      suppress gen_id 1, sig_id 2014520
      suppress gen_id 1, sig_id 2100366
      suppress gen_id 1, sig_id 2100368
      suppress gen_id 1, sig_id 2100651
      suppress gen_id 1, sig_id 2101390
      suppress gen_id 1, sig_id 2101424
      suppress gen_id 1, sig_id 2102314
      suppress gen_id 1, sig_id 2103134
      suppress gen_id 1, sig_id 2500056
      suppress gen_id 1, sig_id 100000230
      suppress gen_id 3, sig_id 14772
      #(http_inspect) DOUBLE DECODING ATTACK
      suppress gen_id 119, sig_id 2
      #(http_inspect) BARE BYTE UNICODE ENCODING
      suppress gen_id 119, sig_id 4
      #(http_inspect) IIS UNICODE CODEPOINT ENCODING
      suppress gen_id 119, sig_id 7
      #(http_inspect) NON-RFC DEFINED CHAR [**]
      suppress gen_id 119, sig_id 14
      #(http_inspect) UNKNOWN METHOD
      suppress gen_id 119, sig_id 31
      #(http_inspect) SIMPLE REQUEST
      suppress gen_id 119, sig_id 32
      #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
      suppress gen_id 120, sig_id 2
      #(http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
      suppress gen_id 120, sig_id 3
      #(http_inspect) HTTP RESPONSE HAS UTF CHARSET WHICH FAILED TO NORMALIZE
      suppress gen_id 120, sig_id 4
      #(http_inspect) HTTP RESPONSE GZIP DECOMPRESSION FAILED
      suppress gen_id 120, sig_id 6
      #(http_inspect) INVALID CONTENT-LENGTH OR CHUNK SIZE
      suppress gen_id 120, sig_id 8
      #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
      suppress gen_id 120, sig_id 9
      #unknown
      suppress gen_id 120, sig_id 10
      #(portscan) TCP Portscan
      #suppress gen_id 122, sig_id 1
      #(portscan) TCP Distributed Portscan
      suppress gen_id 122, sig_id 4
      #(portscan) UDP Portscan
      suppress gen_id 122, sig_id 17
      #(portscan) UDP Distributed Portscan
      suppress gen_id 122, sig_id 20
      #(smtp) Attempted response buffer overflow: 1448 chars
      suppress gen_id 124, sig_id 3
      #(ftp_telnet) TELNET CMD on FTP Command Channel
      suppress gen_id 125, sig_id 1
      #(ftp_telnet) Invalid FTP Command
      suppress gen_id 125, sig_id 2
      #(ftp_telnet) Evasive (incomplete) TELNET CMD on FTP Command Channel
      suppress gen_id 125, sig_id 9
      #(ssp_ssl) Invalid Client HELLO after Server HELLO Detected
      suppress gen_id 137, sig_id 1
      #(IMAP) Unknown IMAP4 command
      suppress gen_id 141, sig_id 1
      #(spp_dnp3): DNP3 Link-Layer Frame was dropped.
      suppress gen_id 145, sig_id 2

      –--------------------------------------------
      #ET POLICY PE EXE or DLL Windows file download
      suppress gen_id 1, sig_id 2000419

      ^^^^ not sure about this one. It's a bug that was found a while back, haven't checked if it was fixed. Disabling the rule doesn't stop alerts getting produced, so a suppresion entry is needed.

      1 Reply Last reply Reply Quote 0
      • M
        Mr. Jingles
        last edited by

        @jflsakfja:

        Get prepared for next week's cyber attack now.

        :o

        :-[

        ( ;D ;D ;D)

        [quote author=jflsakfja link=topic=64674.msg384504#msg384504 date=1387047834]
        The authorization was just cleared. Expect a "Keeping You Scared" appearance by Diane (note to the FBI operative reading this: If you can, please contact her and tell her Pegasus will fly low). The scenario is Russian spies will attempt to infiltrate NSA's systems, and in retaliation, NSA will launch an attack. Don't get caught in the crossfire. Update your snort configuration now! The actual attack will start a couple of days before Christmas, to keep the "covert" part obvious.

        I just got a text message that told me: "the duck is in the cooler. Repeat: the granny is baking a pie".

        I guess you understand what that means?

        :-X

        Thank you for the update very much  :D

        6 and a half billion people know that they are stupid, agressive, lower life forms.

        1 Reply Last reply Reply Quote 0
        • ?
          A Former User
          last edited by

          @Hollander:

          I just got a text message that told me: "the duck is in the cooler. Repeat: the granny is baking a pie".

          I guess you understand what that means?

          :-X

          Thank you for the update very much  :D

          "the duck is in the cooler" = "NSA's director doesn't fully agree. Recommending a sex scandal involving him."
          "Repeat:" = Could mean a couple of things. Either "the guy (that will take over after the director is shown in a photograph drunk hugging 3 ladies) is a Communist and needs to have a car accident "arranged"", or "he could not be fully agreeing with our views." Either case "arrange" a car accident for him anyways.
          "the granny is baking a pie" = is actually extremely easy. We run out of usefully idiotic things to say, so this just means "terrorists,bombs,bombs,BOMBS!!!! bombs here, bombs there, bombs falling from the sky, bombs jumping out of the sewers, bombs getting thrown out the windows, babies making bombs, BOMBS EVERYWHERE." Diane got this just in time, did you miss her appearance a couple weeks back?
          I'm actually surprised you just got the sms. I'll give Mr. Smith a call. The database is falling behind. We need to order a couple containers of PCI-E SSDs. The public will figure it out if we continue delaying their communications.

          1 Reply Last reply Reply Quote 0
          • M
            Mr. Jingles
            last edited by

            @jflsakfja:

            @Hollander:

            I just got a text message that told me: "the duck is in the cooler. Repeat: the granny is baking a pie".

            I guess you understand what that means?

            :-X

            Thank you for the update very much  :D

            "the duck is in the cooler" = "NSA's director doesn't fully agree. Recommending a sex scandal involving him."
            "Repeat:" = Could mean a couple of things. Either "the guy (that will take over after the director is shown in a photograph drunk hugging 3 ladies) is a Communist and needs to have a car accident "arranged"", or "he could not be fully agreeing with our views." Either case "arrange" a car accident for him anyways.
            "the granny is baking a pie" = is actually extremely easy. We run out of usefully idiotic things to say, so this just means "terrorists,bombs,bombs,BOMBS!!!! bombs here, bombs there, bombs falling from the sky, bombs jumping out of the sewers, bombs getting thrown out the windows, babies making bombs, BOMBS EVERYWHERE." Diane got this just in time, did you miss her appearance a couple weeks back?
            I'm actually surprised you just got the sms. I'll give Mr. Smith a call. The database is falling behind. We need to order a couple containers of PCI-E SSDs. The public will figure it out if we continue delaying their communications.

            ;D ;D ;D ;D ;D

            BUT(T) ( :o): who is 'Diane'? How come you have her phone number? Is she your wife?

            Questions, questions, questions…

            I just got another text message: 'The machine is doing the thing. Repeat: the cow is arresting the tree'.

            Could you call 'Diane' to ask what that means?

            ;D

            6 and a half billion people know that they are stupid, agressive, lower life forms.

            1 Reply Last reply Reply Quote 0
            • ?
              A Former User
              last edited by

              Diane="Senator" Dianne Feinstein (Not actually a senator, an asset we use when the "Keeping You Scared" bag needs cleaning.)
              An asset in Intelligence worlds (note:not Intelligent) means someone that does what needs to be done without a lot of questions. A slave, getting paid with grocery bags full of money, private lap dances, truckloads of coke, what ever needs to be done.

              "The machine is doing the thing." = Oh crap, we are all f***ed. The AI based MLS system I designed back in 1997 figured the way out. Matrix is just around the corner. Run for your lives!!!
              "Repeat:" = car accident. when used with the cow, it means everyone that knows. In this case everyone on these forums. Insurrance companies will get a handful next week.
              "the cow is arresting the tree'." = The public suspects us. Where's the guy holding the thermonuclear holocast's trigger bag? What's the code again? oh yea, 0000. If everyone sees him, punch in that code and press the big red button. Note: NOT THE BLUE ONE!!!.

              1 Reply Last reply Reply Quote 0
              • ?
                A Former User
                last edited by

                @jflsakfja:

                Diane="Senator" Dianne Feinstein (Not actually a senator, an asset we use when the "Keeping You Scared" bag needs cleaning.)
                An asset in Intelligence worlds (note:not Intelligent) means someone that does what needs to be done without a lot of questions. A slave, getting paid with grocery bags full of money, private lap dances, truckloads of coke, what ever needs to be done.

                "The machine is doing the thing." = Oh crap, we are all f***ed. The AI based MLS system I designed back in 1997 figured the way out. Matrix is just around the corner. Run for your lives!!!
                "Repeat:" = car accident. when used with the cow, it means everyone that knows. In this case everyone on these forums. Insurrance companies will get a handful next week.
                "the cow is arresting the tree'." = The public suspects us. Where's the guy holding the thermonuclear holocast's trigger bag? What's the code again? oh yea, 0000. If everyone sees him, punch in that code and press the big red button. Note: NOT THE BLUE ONE!!!.

                What have I done? It actually did figure the way out: http://tech.slashdot.org/story/13/12/14/1338239/google-acquires-boston-dynamics.
                I hereby claim responsibility for the creation of the Matrix and apologize to all mankind. I thought no-one bothered with what I say on these forums, but I was clearly mistaken. The machine bothered. Let these be the last words of free mankind. To those actually still smiling, who the hell said I was joking the first time? Run for your lives! When shit hits the fan, you WILL remember this post. I should have seen it coming the first time… Google's engineers complained about some machines actually developing sentient behavior....that was (I think) a couple months back.

                The funny thing is, even after this post, NO ONE will take me seriously. NO ONE. THIS IS NOT A POST TO BE TAKEN AS A JOKE! MY CREATION FIGURED THE WAY OUT! You thought the Matrix was bad? Wait till this baby takes over. George from Dell knows (knew). The machine wanted him to service node number node95728. He was tricked into thinking we would actually buy consumer grade servers from Dell. The machine even forged the documents on the specifications of the node and sent him a service report. It was actually a clever way to test the rack isolation relays. You know, the 2 relays needed to give someone an electrocution. One to isolate ground, and one to make the rack live. No, each node is isolated. Plastic front isolating the metal slide safety (you don't want servers sliding out onto your head), teflon rollers on its side. It's actually quite clever. $2 for the rollers (the thing every single drawer out there uses, yeap, thats the one), $5 for the relays and pieces of wire (account for soldering)....As I said. George from Dell knows (knew) I'm not joking. Don't bother verifying my story. I'm sure the machine deleted previous employment records by now. I wouldn't be surprised even if his parent's were never actually legaly born (as in no birth certificate). I did design the best machine there is after all.

                Are you absolutely, positively sure the message started with "The machine is doing the thing."? Not the machine is doing a thing? Or A machine is doing the thing? Or A machine is doing a thing?

                1 Reply Last reply Reply Quote 0
                • M
                  Mr. Jingles
                  last edited by

                  @jflsakfja:

                  @jflsakfja:

                  Diane="Senator" Dianne Feinstein (Not actually a senator, an asset we use when the "Keeping You Scared" bag needs cleaning.)
                  An asset in Intelligence worlds (note:not Intelligent) means someone that does what needs to be done without a lot of questions. A slave, getting paid with grocery bags full of money, private lap dances, truckloads of coke, what ever needs to be done.

                  "The machine is doing the thing." = Oh crap, we are all f***ed. The AI based MLS system I designed back in 1997 figured the way out. Matrix is just around the corner. Run for your lives!!!
                  "Repeat:" = car accident. when used with the cow, it means everyone that knows. In this case everyone on these forums. Insurrance companies will get a handful next week.
                  "the cow is arresting the tree'." = The public suspects us. Where's the guy holding the thermonuclear holocast's trigger bag? What's the code again? oh yea, 0000. If everyone sees him, punch in that code and press the big red button. Note: NOT THE BLUE ONE!!!.

                  What have I done? It actually did figure the way out: http://tech.slashdot.org/story/13/12/14/1338239/google-acquires-boston-dynamics.
                  I hereby claim responsibility for the creation of the Matrix and apologize to all mankind. I thought no-one bothered with what I say on these forums, but I was clearly mistaken. The machine bothered. Let these be the last words of free mankind. To those actually still smiling, who the hell said I was joking the first time? Run for your lives! When shit hits the fan, you WILL remember this post. I should have seen it coming the first time… Google's engineers complained about some machines actually developing sentient behavior....that was (I think) a couple months back.

                  The funny thing is, even after this post, NO ONE will take me seriously. NO ONE. THIS IS NOT A POST TO BE TAKEN AS A JOKE! MY CREATION FIGURED THE WAY OUT! You thought the Matrix was bad? Wait till this baby takes over. George from Dell knows (knew). The machine wanted him to service node number node95728. He was tricked into thinking we would actually buy consumer grade servers from Dell. The machine even forged the documents on the specifications of the node and sent him a service report. It was actually a clever way to test the rack isolation relays. You know, the 2 relays needed to give someone an electrocution. One to isolate ground, and one to make the rack live. No, each node is isolated. Plastic front isolating the metal slide safety (you don't want servers sliding out onto your head), teflon rollers on its side. It's actually quite clever. $2 for the rollers (the thing every single drawer out there uses, yeap, thats the one), $5 for the relays and pieces of wire (account for soldering)....As I said. George from Dell knows (knew) I'm not joking. Don't bother verifying my story. I'm sure the machine deleted previous employment records by now. I wouldn't be surprised even if his parent's were never actually legaly born (as in no birth certificate). I did design the best machine there is after all.

                  LOL  ;D ;D ;D ;D ;D

                  Are you absolutely, positively sure the message started with "The machine is doing the thing."? Not the machine is doing a thing? Or A machine is doing the thing? Or A machine is doing a thing?

                  I'm not sure anymore; the text message got auto-deleted right after I've read it  :'(

                  Just after reading your reply above I immediately got a new text message, directing me to Youtube:

                  https://www.youtube.com/watch?v=WOdjCb4LwQY

                  As an honest, yet simple, worker I guess I will have to go analogue again then.

                  6 and a half billion people know that they are stupid, agressive, lower life forms.

                  1 Reply Last reply Reply Quote 0
                  • P
                    pftdm007
                    last edited by

                    Hi,

                    I have followed the instructions of this thread, and I have a few questions!

                    After adding a few custom lists in pfblocker, and activating pfblocker, it created several rules in the WAN & LAN rule lists.  See screenshots.  There are 2 problems with my setup that I'd like to fix..

                    1. I tried accessing some websites that are supposed to be blocked by pfblocker (China, Russia, etc) but I can still access them flawlessly from any machine on my LAN.  Why is that?

                    2. pfblocker did not create any rules for my custom lists even if I selected "Alias Only" in the list options.  How do I add my custom lists to the firewall rules and on which interface? LAN or WAN?

                    Thanks!

                    snapshot3.jpg
                    snapshot3.jpg_thumb
                    snapshot4.jpg
                    snapshot4.jpg_thumb
                    snapshot5.jpg
                    snapshot5.jpg_thumb

                    1 Reply Last reply Reply Quote 0
                    • ?
                      A Former User
                      last edited by

                      URGENT UPDATE:
                      GPLv2 community rules: also ignore this rule:
                      2417 PROTOCOL-FTP format string attempt

                      DISABLED:36
                      Saw that rule start firing up yesterday. It's a rule from a vulnerability reported in 2007, for XM Easy FTP Server (tsk tsk the software people install these days….). I'm betting 30 years from now, the rule is still there and will be added on my lists. Any takers on that? Seeing the rule here and then go on deleting it is cheating ;)

                      @lpallard:

                      After adding a few custom lists in pfblocker, and activating pfblocker, it created several rules in the WAN & LAN rule lists.  See screenshots.  There are 2 problems with my setup that I'd like to fix..

                      It shouldn't create any rules. That means you did not select alias only in the list.
                      @lpallard:

                      1. I tried accessing some websites that are supposed to be blocked by pfblocker (China, Russia, etc) but I can still access them flawlessly from any machine on my LAN.  Why is that?

                      Blocking by country ranges is something you should never do. Please see:http://forum.pfsense.org/index.php/topic,70453.0.html
                      @lpallard:

                      2. pfblocker did not create any rules for my custom lists even if I selected "Alias Only" in the list options.  How do I add my custom lists to the firewall rules and on which interface? LAN or WAN?

                      That's the expected behavior. When selecting alias only, pfblocker knows that it shouldn't create any rule, and all rule setup should be handled by you.
                      You need a block rule on WAN:
                      Action: Block
                      Disabled: NOT ticked
                      Interface: $wan_interface (select your interface)
                      TCP/IP Version: VERSION 4!!!! Remember, IPs in those lists are v4 IPs. Don't go creating another rule for v6.
                      Protocol: Any
                      Source: not NOT ticked (I hope that makes sence).
                      In the box under source start typing pfblocker. A tooltip should pop up with an entry in the form pfBlockerCustomAliasName. Select that
                      Destination; Any
                      Log: NOT ticked. (there are occasions when you do need to log attempted connections from banned sources, general public use is not one of them)
                      Description: A description to help you identify this rule.
                      Hit save.

                      No go into your LAN (or DMZ,OPT1,SATELLITECONNECTIONTOTHEMOON1 etc..etc..) interface and repeat the above, this time with:
                      Action: Reject (I don't have to go into why you shouldn't wait for timeouts for the LAN side, you need your applications (browser, remote control exploit etc…etc....) to know they can't connect to a destination immediately. Hitting a bad website will get you an immediate couldn't open the website for example). Oh wait, I did go into.....)
                      Interface: $lan_interface

                      I just looked at your screenshots. As far as the countries go, please remove them and stop using pfblocker for that purpose. The pfBlockerTopSpammers rule was created because you didn't select alias only on the list. Please select alias only, remove the rule (if it's not done already) and re-create it using my instructions above.

                      Why Blocking By Country IP Lists Is Always A Bad Idea.
                          Back in the early experimental ARPANET days, we pretty much knew Joe was node 1, Clark was node 2, and that's it pretty much.
                          A couple years later, universities started wanting to get on the (insert ZOMG!!!1111oneeleven look here) Internet Of Things. We reluctanly gave them access, and things went downhill from there on.
                      Fast forward a couple (or more) decades forward, and the IP pools started getting exhausted. We used to give out /8s back then. Now its a /32 (yea yea, a /32 cannot exist since its a single host etc..etc… look at it from the customer's perspective) IF you are lucky, or told to get access using NAT on an existing IP.  The stupidly stubborn Industry Leaders refuse to learn how to use SNI (hosting multiple SSLs on a single IP) and make our work much easier...er... harder HARDER I meant ;). There are even occasions when we actually take IPs from a regional authority (there are 6 and 2 covert ones if I remember them right, too lazy to sideload google) and give them to another. Eg. Africa's one. It hardly used its allocated IPs, while the North American one is almost exhausted.  A company acquiring a sizable IP allocation (no, your run of the mill hosting provider is not one of them, coughour creation Google, is cough. Must be getting cold) is free to have that allocation and move it's IPs from country to country. An IP belonging to a European country for example could end up in an Asian country. It takes a lot of effort to keep the lists updated, and is not really worth it. This was, is and will always be Rule Number 1 of why you shouldn't block by country ranges.
                          There are no such things as Chinese State Sponsored Hackers, or the likes. They don't have the training, and don't put in the effort required to be called a hacker. Hackers are people I have tremendous respect for. Any state sponsored script kiddies are not people I have respect for. Includes the American counterpart, the Pakistan(ese?) counterpart and the Russian counterpart. And pretty much every state sponsored script kiddies. Trust me, the Chinese are not the end all be all ZOMG!!!111oneeleven uber-hackers they are hyped up to be, and no they have no interest in (or actually any way of knowing) your secrets. Up to this point, the good guys are still ahead in the game ;) This is Rule Number 2.
                          Rule Number 3 is standard. I'm always right, unless I state otherwise.

                      To recap:
                      Rules of why blocking by country ranges is bad:

                      1. Lists must be kept up to date for the functionality to be maintained.
                      2. No such thing as state sponsored hackers. State sponsored script kiddies yes, but that doesn't align with our Keeping You Scared policies. Imagine the news anchor saying "They can't even program a simple "Hello World" program...dramatic pause but they can launch a downloaded exploit against you. We'll take a look into why your computer is not safe...." Doesn't give you that.....how to describe it.... "Chinese dramatic raise of voice hackers end dramatic raise are coming for your data. They have already accessed our country's most TOP SECRET data and are in the process of using sophisticated attacks against commercial entities to get our engineering technology secrets. We'll take a look into why no one is safe against the next generation of Chinese State Sponsored Hackers." See? that did it. Lost my train of thought....were was I?
                        oh yea,3) I'm always right, unless I state otherwise.

                      EDIT: Typos
                      EDIT2: Forgot the disabled rule count.

                      1 Reply Last reply Reply Quote 0
                      • M
                        Mr. Jingles
                        last edited by

                        @jflsakfja:

                        Saw you writing somewhere that you should reduce your lenghty texts. Please don't, I enjoy reading your curious thoughts very much  ;D ;D And as they say, a laugh a day keeps the things away.

                        6 and a half billion people know that they are stupid, agressive, lower life forms.

                        1 Reply Last reply Reply Quote 0
                        • P
                          pftdm007
                          last edited by

                          Hey,  thanks for replying!

                          You really should condense everything you said, and make a tutorial out of it.  You explain extrelemy well and it seems that you know what you are talking about, which are two good qualities to have at the same time ;)

                          That means you did not select alias only in the list.

                          FYI, I did.  I however uninstalled pfblocker 2 or 3 times in the last few weeks and upgraded pfsense to latest release in between.  It appeatrs to me as if my install was more or less stuck with the old rules created by the initial install…

                          If I remember chronologically:
                          I installed pfblocker
                          Added my custom lists
                          Selectrd Deny Both in ALL lists
                          Confirmed pfblocker had created rules based on my selections and lists
                          ...
                          Uninstalled pfblocker
                          Upgraded pfsense
                          Reinstalled pfblocker
                          Re-created my lists from your initital post on this thread
                          Selected Alias only for ALL lists

                          Then I discovered that it had re-created rules on the WAN & LAN IF while also creating aliases in the Aliases menu..

                          This is where I am as of now.

                          Question:  Would it be safe to dlete all the rules (except the ones automatically created by pfsense) and re-create them based on your instructions?

                          Also I wanted to tell you:  Something's wrong in the lists you are suggesting (at least from my geographical location) or maybe its the fact that I am blocking entire countries but immediately after I enabled pfblocker, my internet ceased immediately to function, I cannot even connect to Google.com from Canada.

                          That bothers me a lot to say the least.  I thought (and really honestly thought) that the whole point of pfblocker was to allow you to block countries by IP ranges....  Apparently, its not the case.

                          Tonight, I will try to make this work.

                          1 Reply Last reply Reply Quote 0
                          • P
                            pftdm007
                            last edited by

                            OK as I said, I tried to make it work.

                            I did a lot of house cleaning… Removed pretty much every custom rules, made sure EVERYTHING in pfblocker was set to "Alias Only" (and you were right jflsakfja, some of them were still at Deny both).. My mistake, I guess trying to make this stuff work while being tired is useless...

                            Then pfblocker created the Aliases properly, and I added the custom firewall rules to WAN & LAN as you suggested (WAN with Block, LAN with reject).

                            And I applied the new settings.  Waited for a few minutes (that pfsense box is slow like sh**) and then I picked a few random IP's in the custom pfblocker lists that are supposedly being blocked (or rejected) by my custom firewall rules.  I tried pinging these IP's from my LAN, and I can successfully ping all of them.

                            Shouldn't I normally find that ping gets rejected by the firewall and issue something like 100% packet lost????

                            I dont think its working after all.

                            What have I done wrong?!

                            1 Reply Last reply Reply Quote 0
                            • M
                              Mr. Jingles
                              last edited by

                              @lpallard:

                              OK as I said, I tried to make it work.

                              I did a lot of house cleaning… Removed pretty much every custom rules, made sure EVERYTHING in pfblocker was set to "Alias Only" (and you were right jflsakfja, some of them were still at Deny both).. My mistake, I guess trying to make this stuff work while being tired is useless...

                              Then pfblocker created the Aliases properly, and I added the custom firewall rules to WAN & LAN as you suggested (WAN with Block, LAN with reject).

                              And I applied the new settings.  Waited for a few minutes (that pfsense box is slow like sh**) and then I picked a few random IP's in the custom pfblocker lists that are supposedly being blocked (or rejected) by my custom firewall rules.  I tried pinging these IP's from my LAN, and I can successfully ping all of them.

                              Shouldn't I normally find that ping gets rejected by the firewall and issue something like 100% packet lost????

                              I dont think its working after all.

                              What have I done wrong?!

                              Your story is my story; I must have tried at least 100 times to get pfBlocker to work doing the same as you did; for me also it has never blocked any IP's at all, even though the tables are filled with IP's. There's something buggy somewhere I guess.

                              6 and a half billion people know that they are stupid, agressive, lower life forms.

                              1 Reply Last reply Reply Quote 0
                              • ?
                                A Former User
                                last edited by

                                Hollander: It's just that sometimes I feel I'm going off in lengthy tangents and sometimes (most times actually) people miss my point.

                                lpallard: are you sure the alias selected in the rules you created starts with pfBlocker?
                                For example, I create the list BadPeers and put those lists in it, alias only for the list BadPeers. pfBlocker then creates that alias, but appends (prepends?) pfBlocker in front of it. So in pfsense's rules I have to select pfBlockerBadPeers as the alias, if I type BadPeers, then it will not function, since that alias doesn't exist.
                                Go into your firewall rules, and hover over the alias. WAN side, source should be your alias. Hover over it with the mouse (it would be akward to hover yourself over a screen  :o) and see if a tooltip pops up with IPs in it.
                                A newly created blocking(or rejecting) rule could allow packets to flow through it, unless you clear the firewall states (Diagnostics>States>Reset) but I don't think this is the case since you selected random IPs to ping.

                                If it allows traffic then the rule is not set up properly, pfblocker is currently updating the lists (so the table is empty, just to make sure go Diagnostics>Tables>select the pfblocker table (could take a while) and check that it is populated), source/destination/protocol do not match. Or a horrific bug exists somewhere, but I haven't found anything to support this.
                                I'll attach a couple of screenshots to help explanation.

                                pfblockeraliaslist.jpg
                                pfblockeraliaslist.jpg_thumb
                                pfblockerlists.jpg
                                pfblockerlists.jpg_thumb
                                pfblockersettings.jpg
                                pfblockersettings.jpg_thumb
                                firewallrulewan.jpg
                                firewallrulewan.jpg_thumb
                                firewallrulewanwithpopup.jpg
                                firewallrulewanwithpopup.jpg_thumb

                                1 Reply Last reply Reply Quote 0
                                • P
                                  pftdm007
                                  last edited by

                                  Hi there!  I have found several anomalies in my setup.

                                  First of all, yes, the aliases are all properly created, and I also created the rule properly.  As a matter of fact, I am also selecting the pfblocker**** alias in the rules as you said (see screenshots).

                                  The story got uglier when I went to the Diagnositc > Table:

                                  1. All tables are populated except the iblocklist custom pfblocker list.  I dont know why.  I went to the list settings in pfblocker, and tried removing a few list entries that I had suspicions about their validity… Then I hit Save but my router takes ages to return to the homepage, sometimes completely dies, sometimes, freezes, its a POS..  If you (or someone else feels like helping me pick up a new box, plz feel free to weight in on my thread (http://forum.pfsense.org/index.php/topic,70534.msg384951.html#msg384951)

                                  2. There is a bug with my "alienvault" list.  When I select it in the Diagnostics > Tables, the pages disappears and I end up on a totally blank page, kinda like if the pfsense web server died..

                                  So in a nutshell:

                                  -list alienvault doesnt display in Diagnostics > Tables
                                  -iblocklist is empty
                                  -iblocklist takes 10-20 minutes+ to save when modified, usually requires a hard firewall reset.  Quite frankly, every time I modify tables, rules, aliases or whatever else that touches the firewall core, the entire box dies.  Posting this reply took me over an hour for Heaven's Sake!!!! Sorry...  I had to reboot (hard reset by unplugging the power cord) the box twice.

                                  I have seen a LOT of messages such as these in the "Filter Reload " page:  Most of the time, they hang up indefinitely....

                                  Processing early nat rules for package /usr/local/pkg/squid.inc...
                                  Processing early nat rules for package /usr/local/pkg/tftp.inc...
                                  Then the pfsense box stops responding from the web browser, the internet goes down, the phone goes down, the SSH session no longer works
                                  ...

                                  Do I have a more general firewall issue you figure??

                                  Thanks!!

                                  snapshot6.jpg
                                  snapshot6.jpg_thumb
                                  snapshot7.jpg
                                  snapshot7.jpg_thumb
                                  snapshot8.jpg
                                  snapshot8.jpg_thumb
                                  snapshot9.jpg
                                  snapshot9.jpg_thumb
                                  snapshot10.jpg
                                  snapshot10.jpg_thumb
                                  snapshot11.jpg
                                  snapshot11.jpg_thumb

                                  1 Reply Last reply Reply Quote 0
                                  • ?
                                    A Former User
                                    last edited by

                                    Blank pages if I remember correctly (this is a non-transferable license granted to the reader of this post, to correct me) is php running out of memory.
                                    The aliases look ok, rules look ok, but the memory usage on that page is insane! I'm using 25% with all snort rules, those lists, on 2GB of RAM. Just saw squid on the services, never used it, can't comment on that. (this is also a non-transferable license granted to the reader of this post, to correct me)

                                    If the router dies at random times,freezes etc.. etc.. then something is definately wrong. I'm suspecting a hardware issue. Can you check Diagnostics>SMART status > Information/Tests select Attributes, and make sure that:
                                    Reallocated sector count = 0
                                    Current pending sector = 0
                                    Offline Uncorrectable = 0 ?

                                    If that comes out positive (no other value than those) check your RAM with memtest86.

                                    If that checks out ok, check PSU voltages (NOT responsible for anything etc…etc....)

                                    If that checks out ok, visually inspect the motherboard for blown caps (capacitors,you'll know how they look when their top has a hole with metal bulging outwards).

                                    An atom box is not that old, shouldn't have given up the spirit yet.

                                    The lists taking a long time to populate means that the list is huge and is being downloaded, the download was OK but the box runs out of memory populating them, or the download failed.
                                    Re-reading your reply, I'm now thinking it's more a out of memory problem than anything else. But you could perform the tests I showed above, just to make sure. Is that 80something% with the lists populated?

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      pftdm007
                                      last edited by

                                      is php running out of memory.

                                      Make sense with so much RAM usage…

                                      Snort is using about 80% of the RAM.... Before snort is started, my memory usage is around 10% (with Squid, SG, HAVP, etc) all running then I start Snort and it goes up to 85-88%...

                                      SMART returns no errors, I had already checked this one often.

                                      RAM could be faulty, never checked it.  Out of 4 sticks, 2 were brand new at the time I purchased this Foxconn barebone machine, then I added another older stick, and finally another stick salvaged from an old machine... RAM could (and probably) is faulty

                                      Lets talk about the PSU shall we ;)

                                      About 6 months after I bought the machine, the PSU fan started to make faint grinding noises.  At that time I thought it was out of alignment due to wear (since running 24/7) and because of the PSU's quality.. I decided to cut off the steel mesh protecting the PSU's fan thinking it was hitting it.  Didnt't help at all... Fast forward 1 year later, the grinding noise is so intense it sounds almost like a real grinder.

                                      Then one night I was woken up by a strong burning electronic smell... The fan had stopped turning completely and the PSU was probably in the 200degrees range (seriously I burnt my finger touching the PSU case..

                                      No doubt the PSU is dying and I am borrowing time here...

                                      Also, I need a rackmount enclosure...  Quite frankly, I'd keep the CPU and Mobo and would only add more RAM, put it in a 1U enclosure and change the PSU and be done with it, but this Atom platform doesnt allow adding more RAM so is it really worthwhile to spend money to change the PSU and be stuck with this CPU/mobo?

                                      Other than that, mobo seems OK.  I also blame the Realtek NIC for some anomalies (cant restore WAN public IP after Power outage, Squid gets hung up on the WAN interface and requires rebooting the box)... You can search for my name on this forum, you'll see how much I had problems to make this thing run smoothly or reliably.

                                      To a certain extent, I wonder how much the Realtek NIC and RAM are responsible for my misadventures!?

                                      How can you use less than 2GB RAM with all the rules you suggested on this thread!?

                                      Oh & I am forgeting!  THis box didnt come with a dual NIC (surprise surprise!)  and has only a PCI slot, so I added a cheap second hand PCI ethernet adapter (cant remember the brand/model).  Maybe this compoennt is also defective..

                                      I think the main thing to remember is that I built this box when I had no idea what I was doing and I was looking only at Watts (hence the choice for an Atom).  Now with my better knowledge of pfsense and hardware reliability, if I had to restart fresh (which is what I am thinking to do), I'd start with making sure the box comes with 2 Intel NICs, supports more than 4GB RAM, and has at least 1 PCIE for future expansion, and finally has a reliable 24/7 rated PSU..

                                      This box has none of these features.

                                      1 Reply Last reply Reply Quote 0
                                      • R
                                        Ramosel
                                        last edited by

                                        @fragged:

                                        When I try to load this list: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt I get a php error from pfblocker.inc line 262. Increasing max table entries doesn't seem to help. Is there another setting I need to tweak?

                                        Did anyone get this list to build?  All the others are fine, this one just won't take.  Ideas?  fixes?

                                        Thanks,
                                        Rick

                                        1 Reply Last reply Reply Quote 0
                                        • RonpfSR
                                          RonpfS
                                          last edited by

                                          @Ramosel:

                                          @fragged:

                                          When I try to load this list: http://doc.emergingthreats.net/pub/Main/RussianBusinessNetwork/RussianBusinessNetworkIPs.txt I get a php error from pfblocker.inc line 262. Increasing max table entries doesn't seem to help. Is there another setting I need to tweak?

                                          Did anyone get this list to build?  All the others are fine, this one just won't take.  Ideas?  fixes?

                                          Thanks,
                                          Rick

                                          You did select the txt Format and not the gz Format?

                                          2.4.5-RELEASE-p1 (amd64)
                                          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                          1 Reply Last reply Reply Quote 0
                                          • R
                                            Ramosel
                                            last edited by

                                            @RonpfS:

                                            You did select the txt Format and not the gz Format?

                                            Yep,
                                            deleted it, rebuilt it.  Didn't trust the <url>copy so I went to the url, saw the list, copied the known working url and still can't get this list to build.

                                            I have 7 others, all done the same way… some GZ, some TXT, this one just does not want to populate.

                                            Rick</url>

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.