Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    RFC (make up a number not in use) - Blueprint for setting up snort + pfblocker

    Scheduled Pinned Locked Moved pfSense Packages
    171 Posts 26 Posters 186.7k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • BBcan177B
      BBcan177 Moderator
      last edited by

      Emerging Threats is not updating that list anymore…

      I agree that these lists should all be HTTPS.

      "Experience is something you don't get until just after you need it."

      Website: http://pfBlockerNG.com
      Twitter: @BBcan177  #pfBlockerNG
      Reddit: https://www.reddit.com/r/pfBlockerNG/new/

      1 Reply Last reply Reply Quote 0
      • BBcan177B
        BBcan177 Moderator
        last edited by

        @bmeeks:

        There is nothing stopping an admin from using a cron job to go fetch a list and saving it in the /var/db/snort/iprep directory on the firewall.  That's where Snort will store all of its blacklist and whitelist files for the IP Rep preprocessor. Just remember the files must be text format with one IP address or CIDR network per line.  When you update a list, send the running Snort processes a SIGHUP to have them soft-reload their configuration and read the new lists.

        Bill

        Hi Bill,

        Is this what you mean about the "SIGHUP" command?

        pgrep snort            (To collect pid)
        kill -SIGHUP <pid>(repeat per interface)

        2.9.2 Reloading a configuration

        First modify your snort.conf (the file passed to the -c option on the command line).
        Then, to initiate a reload, send Snort a SIGHUP signal, e.g.

        $ kill -SIGHUP <snort pid="">Note:  If reload support is not enabled, Snort will restart (as it always has) upon receipt of a SIGHUP.

        Note:  An invalid configuration will still result in a fatal error, so you should test your new configuration before issuing a reload, e.g. $ snort -c snort.conf -T</snort></pid>

        "Experience is something you don't get until just after you need it."

        Website: http://pfBlockerNG.com
        Twitter: @BBcan177  #pfBlockerNG
        Reddit: https://www.reddit.com/r/pfBlockerNG/new/

        1 Reply Last reply Reply Quote 0
        • bmeeksB
          bmeeks
          last edited by

          @BBcan17:

          @bmeeks:

          There is nothing stopping an admin from using a cron job to go fetch a list and saving it in the /var/db/snort/iprep directory on the firewall.  That's where Snort will store all of its blacklist and whitelist files for the IP Rep preprocessor. Just remember the files must be text format with one IP address or CIDR network per line.  When you update a list, send the running Snort processes a SIGHUP to have them soft-reload their configuration and read the new lists.

          Bill

          Hi Bill,

          Is this what you mean about the "SIGHUP" command?

          pgrep snort            (To collect pid)
          kill -SIGHUP <pid>(repeat per interface)</pid>

          Yep, those shell commands will soft-restart Snort.  Each Snort instance has its own PID file and you can find them all in /var/run as files named with the interface physical name and a UUID.

          My suggestion, if you want to do this via a shell script, is to grab all the Snort PID files in /var/run (they all start with "snort_" in the name) and then iterate through the collection reading the PID from a file and then sending the SIGHUP.  This way you could be more specific and only restart certain interfaces.  If you want to restart them all (or you have only one in the first place), then a simple```
          pkill -HUP snort

          1 Reply Last reply Reply Quote 0
          • T
            t3rmin
            last edited by

            @bmeeks:

            @BBcan17:

            I believe that to enter the blocklists into the Snort IP Reputation processor, you will have to do this manually.

            Another option is to have a script that copies the pfBlocker text files into the appropriate snort folder after each pfBlocker update.

            I have been working on a script that downloads all of the Blacklists, along with .csv and web scrapping methods. It also removes duplication addresses from all of the lists.

            It reduces the list by approx 50%. This works in tandem with pfBlocker. I just map pfBlocker to use local files instead.

            For the first release of this feature, it is true that a manual update is required for now.  You can upload a file (or files) or edit an existing list.  There is nothing stopping an admin from using a cron job to go fetch a list and saving it in the /var/db/snort/iprep directory on the firewall.  That's where Snort will store all of its blacklist and whitelist files for the IP Rep preprocessor. Just remember the files must be text format with one IP address or CIDR network per line.  When you update a list, send the running Snort processes a SIGHUP to have them soft-reload their configuration and read the new lists.

            Bill

            I installed the new Snort package and it looks like you're pulling the compromised IPs .txt file from ETPro automatically during rules updates. Very cool!  8)

            1 Reply Last reply Reply Quote 0
            • Z
              zonian18
              last edited by

              @jflsakfja:

              emerging-web_client > all except
              2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
              2011507 ET WEB_CLIENT PDF With Embedded File
              2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
              2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
              2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
              2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
              2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
              2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
              2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
              2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
              2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
              2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
              2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt

              DISABLED:13

              FYI the following being enabled kept the WAN interface from turning on.
              It will show enabled, but it will have that red X next to it and it refused to start.
              After troubleshooting, I narrowed it down to this very specific rule (which you need to add to your exception list)

              2011695 ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt Disclosure Attempt

              If I disable that, then the WAN interface is able to show the green play button (running) without issue.

              1 Reply Last reply Reply Quote 0
              • bmeeksB
                bmeeks
                last edited by

                @zonian18:

                @jflsakfja:

                emerging-web_client > all except
                2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
                2011507 ET WEB_CLIENT PDF With Embedded File
                2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
                2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
                2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
                2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
                2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
                2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
                2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
                2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
                2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
                2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
                2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt

                DISABLED:13

                FYI the following being enabled kept the WAN interface from turning on.
                It will show enabled, but it will have that red X next to it and it refused to start.
                After troubleshooting, I narrowed it down to this very specific rule (which you need to add to your exception list)

                2011695 ET WEB_CLIENT Possible Microsoft Internet Explorer Dynamic Object Tag/URLMON Sniffing Cross Domain Information Disclosure Attempt Disclosure Attempt

                If I disable that, then the WAN interface is able to show the green play button (running) without issue.

                Yes, there is apparently an issue with that specific rule in the ET OPEN rule set package.  I think it throws an error when Snort's pcre (Perl-compatible regular expression) engine tries to decode the content part of the rule.  This is an error the ET OPEN rule authors will need to fix.  It is a not something directly related to the Snort package.

                Bill

                1 Reply Last reply Reply Quote 0
                • bmeeksB
                  bmeeks
                  last edited by

                  @t3rmin:

                  I installed the new Snort package and it looks like you're pulling the compromised IPs .txt file from ETPro automatically during rules updates. Very cool!  8)

                  Yes, since the file is there in the ET OPEN and ET PRO rules packages, the new code for the IP Reputation preprocessor grabs and stores it for use if enabled by the user.

                  Bill

                  1 Reply Last reply Reply Quote 0
                  • ?
                    A Former User
                    last edited by

                    IMPORTANT!!!

                    I'm in the middle of transitioning to a different blacklist management, but for now the pfblocker lists will remain here since I don't have the time to update that part of the guide. Thanks to BBcan17 for his help with the blacklists.

                    This update brings a couple dozen no longer needed rules, and I have now started adding an explanation of why I deleted a certain rule next to it, after <<<

                    Enjoy.

                    
                    In tab "Rules", under "Category" select:
                    (--- means blank table at time of writing)
                    
                    Auto-Flowbit rules > all except:
                    8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected
                    23714 FILE-IDENTIFY Microsoft Office Publisher file magic detected
                    >>>DISABLED:2
                    
                    emerging-activex > all
                    >>>DISABLED:0
                    
                    emerging-attack_responses > all
                    >>>DISABLED:0
                    
                    DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt <<< CARE!!! a lot of IRC servers are listed here. Try it first, an IRC network that you need to work, doesn't, then remove it.
                    
                    emerging-chat > all except:
                    2010784 ET CHAT Facebook Chat (send message)
                    2010785 ET CHAT Facebook Chat (buddy list)
                    2010786 ET CHAT Facebook Chat (settings)
                    2010819 ET CHAT Facebook Chat using XMPP
                    2002327 ET CHAT Google Talk (Jabber) Client Login
                    2002334 ET CHAT Google IM traffic Jabber client sign-on
                    2001241 ET CHAT MSN file transfer request
                    2001242 ET CHAT MSN file transfer accept
                    2001243 ET CHAT MSN file transfer reject
                    2001682 ET CHAT MSN IM Poll via HTTP
                    2002192 ET CHAT MSN status change
                    2008289 ET CHAT Possible MSN Messenger File Transfer
                    2009375 ET CHAT General MSN Chat Activity
                    2009376 ET CHAT MSN User-Agent Activity
                    2001595 ET CHAT Skype VOIP Checking Version (Startup)
                    2002157 ET CHAT Skype User-Agent detected
                    2003022 ET CHAT Skype Bootstrap Node (udp)
                    2000355 ET CHAT IRC authorization message [stops IRC from working]
                    2002024 ET CHAT IRC NICK command [stops IRC from working]
                    2002028 ET CHAT IRC PONG response [stops IRC from working]
                    2002025 ET CHAT IRC JOIN command [stops IRC from working]
                    2002026 ET CHAT IRC PRIVMSG command [stops IRC from working]
                    >>DISABLED:22
                    
                    DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt
                    
                    DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
                    
                    emerging-current_events > all
                    >>>DISABLED:0
                    
                    emerging-deleted > ---
                    
                    emerging-dns > all except:
                    2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt
                    2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
                    2001117 ET DNS Standard query response, Name Error
                    >>>DISABLED:3
                    
                    emerging-dos > all
                    >>>DISABLED:0
                    
                    DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p
                    
                    DO NOT USE! > emerging-dshield > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt
                    
                    emerging-exploit > all except:
                    2001058 ET EXPLOIT libpng tRNS overflow attempt
                    2002913 ET EXPLOIT VNC Client response
                    2002914 ET EXPLOIT VNC Server VNC Auth Offer
                    2002919 ET EXPLOIT VNC Good Authentication Reply
                    2002915 ET EXPLOIT VNC Authentication Reply
                    2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
                    2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3
                    >>>DISABLED:7
                    
                    emerging-ftp > all
                    2010731 ET FTP FTP CWD command attempt without login
                    >>>DISABLED:1
                    
                    emerging-games > all
                    >>>DISABLED:0
                    
                    emerging-icmp > ---
                    
                    emerging-icmp_info > ---
                    
                    emerging-imap > ---
                    
                    emerging-inappropriate > all except:
                    2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
                    2001608 ET INAPPROPRIATE Likely Porn
                    >>>DISABLED:2
                    
                    emerging-info > all except:
                    2014472 ET INFO JAVA - Java Archive Download
                    2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
                    2014819 ET INFO Packed Executable Download
                    2015016 ET INFO FTP STOR to External Network
                    2015561 ET INFO PDF Using CCITTFax Filter
                    2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
                    2016360 ET INFO JAVA - ClassID
                    2016361 ET INFO JAVA - ClassID
                    2016404 ET INFO MPEG Download Over HTTP (1)
                    2015674 ET INFO 3XX redirect to data URL
                    2016847 ET INFO Possible Chrome Plugin install
                    2017669 ET INFO Zip File
                    >>>DISABLED:12
                    
                    emerging-malware > all except:
                    2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
                    2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
                    2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related
                    >>>DISABLED:3
                    
                    emerging-misc > all
                    >>>DISABLED:0
                    
                    emerging-mobile_malware > all except:
                    2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
                    2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI
                    >>>DISABLED:2
                    
                    emerging-netbios > all
                    >>>DISABLED:0
                    
                    emerging-p2p > all except:
                    2000369 ET P2P BitTorrent Announce
                    2007727 ET P2P possible torrent download
                    2008581 ET P2P BitTorrent DHT ping request
                    2008583 ET P2P BitTorrent DHT nodes reply
                    2008585 ET P2P BitTorrent DHT announce_peers request
                    2010144 ET P2P Vuze BT UDP Connection (5)
                    2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
                    2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
                    2014734 ET P2P BitTorrent - Torrent File Downloaded
                    2003317 ET P2P Edonkey Search Request (any type file)
                    2009971 ET P2P eMule KAD Network Hello Request (2)
                    2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82)
                    >>>DISABLED:12
                    
                    emerging-policy > all except:
                    2000419 ET POLICY PE EXE or DLL Windows file download
                    2000428 ET POLICY ZIP file download
                    2001115 ET POLICY MSI (microsoft installer file) download
                    2003595 ET POLICY exe download via HTTP - Informational
                    2001898 ET POLICY eBay Bid Placed
                    2001907 ET POLICY eBay Placing Item for sale
                    2001908 ET POLICY eBay View Item
                    2001909 ET POLICY eBay Watch This Item
                    2003303 ET POLICY FTP Login Attempt (non-anonymous)
                    2003410 ET POLICY FTP Login Successful
                    2003121 ET POLICY docs.google.com Activity
                    2003597 ET POLICY Google Calendar in Use
                    2002801 ET POLICY Google Desktop User-Agent Detected
                    2002838 ET POLICY Google Search Appliance browsing the Internet
                    2000035 ET POLICY Hotmail Inbox Access
                    2000036 ET POLICY Hotmail Message Access
                    2000037 ET POLICY Hotmail Compose Message Access
                    2000038 ET POLICY Hotmail Compose Message Submit
                    2000039 ET POLICY Hotmail Compose Message Submit Data
                    2008238 ET POLICY Hotmail Inbox Access
                    2008239 ET POLICY Hotmail Message Access
                    2008240 ET POLICY Hotmail Compose Message Access
                    2008242 ET POLICY Hotmail Access Full Mode
                    2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
                    2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
                    2002330 ET POLICY Google Talk TLS Client Traffic
                    2002332 ET POLICY Google IM traffic Windows client user sign-on
                    2002333 ET POLICY Google IM traffic friend invited
                    2002878 ET POLICY iTunes User Agent
                    2002722 ET POLICY MP3 File Transfer Outbound
                    2002723 ET POLICY MP3 File Transfer Inbound
                    2001114 ET POLICY Mozilla XPI install files download
                    2001973 ET POLICY SSH Server Banner Detected on Expected Port
                    2001974 ET POLICY SSH Client Banner Detected on Expected Port
                    2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
                    2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
                    2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
                    2001978 ET POLICY SSH session in progress on Expected Port
                    2001979 ET POLICY SSH Server Banner Detected on Unusual Port
                    2001980 ET POLICY SSH Client Banner Detected on Unusual Port
                    2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
                    2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
                    2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
                    2001984 ET POLICY SSH session in progress on Unusual Port
                    2009001 ET POLICY Login Credentials Possibly Passed in URI
                    2009004 ET POLICY Login Credentials Possibly Passed in POST Data
                    2003214 ET POLICY Pingdom.com Monitoring detected
                    2003215 ET POLICY Pingdom.com Monitoring Node Active
                    2001669 ET POLICY Proxy GET Request
                    2001670 ET POLICY Proxy HEAD Request
                    2001674 ET POLICY Proxy POST Request
                    2001675 ET POLICY Proxy CONNECT Request
                    2002922 ET POLICY VNC Authentication Successful
                    2002920 ET POLICY VNC Authentication Failure
                    2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
                    2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
                    2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
                    2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
                    2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
                    2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
                    2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
                    2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
                    2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
                    2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
                    2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
                    2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
                    2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
                    2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
                    2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
                    2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
                    2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
                    2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
                    2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
                    2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
                    2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
                    2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
                    2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
                    2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
                    2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
                    2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
                    2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
                    2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
                    2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
                    2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
                    2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
                    2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
                    2001449 ET POLICY Proxy Connection detected
                    2002822 ET POLICY Wget User Agent
                    2002823 ET POLICY POSSIBLE Web Crawl using Wget
                    2002824 ET POLICY CURL User Agent
                    2002934 ET POLICY libwww-perl User Agent
                    2002828 ET POLICY Googlebot User Agent
                    2002829 ET POLICY Googlebot Crawl
                    2002830 ET POLICY Msnbot User Agent
                    2002831 ET POLICY Msnbot Crawl
                    2002832 ET POLICY Yahoo Crawler User Agent
                    2002833 ET POLICY Yahoo Crawler Crawl
                    2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
                    2002948 ET POLICY External Windows Update in Progress
                    2002949 ET POLICY Windows Update in Progress
                    2001402 ET POLICY ZIPPED DOC in transit
                    2001403 ET POLICY ZIPPED XLS in transit
                    2001404 ET POLICY ZIPPED EXE in transit
                    2001405 ET POLICY ZIPPED PPT in transit
                    2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
                    2012647 ET POLICY Dropbox.com Offsite File Backup in Use
                    2012648 ET POLICY Dropbox Client Broadcasting
                    2013028 ET POLICY curl User-Agent Outbound
                    2013030 ET POLICY libwww-perl User-Agent
                    2013031 ET POLICY Python-urllib/ Suspicious User Agent
                    2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
                    2013414 ET POLICY Executable served from Amazon S3
                    2013458 ET POLICY Facebook Like Button Clicked (1)
                    2013459 ET POLICY Facebook Like Button Clicked (2)
                    2013503 ET POLICY OS X Software Update Request Outbound
                    2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
                    2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
                    2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
                    2014313 ET POLICY Executable Download From DropBox
                    2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
                    2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
                    2017015 ET POLICY DropBox User Content Access over SSL
                    2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
                    2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
                    2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
                    2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
                    2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
                    2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
                    2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
                    2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
                    2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
                    2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
                    2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
                    2001328 ET POLICY SSN Detected in Clear Text (dashed)
                    2001384 ET POLICY SSN Detected in Clear Text (spaced)
                    2007971 ET POLICY SSN Detected in Clear Text (SSN )
                    2007972 ET POLICY SSN Detected in Clear Text (SSN# )
                    2011854 ET POLICY Java JAR file download
                    2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets   <<<<<<<< handled by ticking block bogon networks in interface settings
                    2002752 ET POLICY Reserved Internal IP Traffic    <<<<<<<<<<<<< handled by ticking block private networks in interface settings
                    2000418 ET POLICY Executable and linking format (ELF) file download
                    2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number)
                    2016877 ET POLICY Unsupported/Fake FireFox Version 2.
                    2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)
                    2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud
                    2013255 ET POLICY Majestic12 User-Agent Request Inbound
                    2014726 ET POLICY Outdated Windows Flash Version IE
                    2012911 ET POLICY URL Contains password Parameter
                    2011085 ET POLICY HTTP Redirect to IPv4 Address
                    2009303 ET POLICY MediaFire file download service access
                    2000356 ET POLICY IRC connection [stops IRC from working, misses a lot of real IRC connections]
                    >>>DISABLED:151
                    
                    emerging-pop3 > ---
                    
                    DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS
                    
                    DO NOT USE! > emerging-rbn > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS
                    
                    emerging-rpc > ---
                    
                    emerging-scada > all
                    >>>DISABLED:0
                    
                    emerging-scan > all except
                    2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
                    2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
                    2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
                    2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
                    2011367 ET SCAN TCP Traffic (ET SCAN Malformed Packet SYN FIN)
                    >>>DISABLED:5
                    
                    emerging-shellcode > all except
                    2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
                    2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
                    2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
                    2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
                    2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
                    2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
                    2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray String
                    >>>DISABLED:7
                    
                    emerging-smtp > all
                    >>>DISABLED:0
                    
                    emerging-snmp > all
                    >>>DISABLED:0
                    
                    emerging-sql > all
                    >>>DISABLED:0
                    
                    emerging-telnet > all
                    >>>DISABLED:0
                    
                    emerging-tftp > all
                    >>>DISABLED:0
                    
                    DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p
                    
                    emerging-trojan > all except:
                    2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
                    2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
                    2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
                    2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
                    2001046 ET TROJAN UPX compressed file download possible malware
                    >>>DISABLED:5
                    
                    emerging-user_agents > all except:
                    2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan
                    >>>DISABLED:1
                    
                    emerging-voip > all
                    >>>DISABLED:0
                    
                    emerging-web_client > all except
                    2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
                    2011507 ET WEB_CLIENT PDF With Embedded File
                    2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
                    2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
                    2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
                    2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
                    2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
                    2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
                    2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
                    2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
                    2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
                    2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
                    2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt
                    >>>DISABLED:13
                    
                    emerging-web_server > all except
                    2003099 ET WEB_SERVER Poison Null Byte
                    2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
                    2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound
                    2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)
                    2016672 ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)
                    2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)
                    >>>DISABLED:5
                    
                    emerging-web_specific_apps > all except:
                    2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
                    2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
                    2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
                    2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)
                    2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt
                    >>>DISABLED:5
                    
                    emerging-worm > all
                    >>>DISABLED:0
                    
                    GPLv2 community rules > all except
                    254 DNS SPOOF query response with TTL of 1 min. and no authority
                    384 PROTOCOL-ICMP PING
                    385 PROTOCOL-ICMP traceroute
                    399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
                    402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
                    408 PROTOCOL-ICMP Echo Reply
                    540 POLICY-SOCIAL Microsoft MSN message
                    648 INDICATOR-SHELLCODE x86 NOOP
                    649 INDICATOR-SHELLCODE x86 setgid 0
                    1200 INDICATOR-COMPROMISE Invalid URL
                    1201 INDICATOR-COMPROMISE 403 Forbidden
                    1292 INDICATOR-COMPROMISE directory listing
                    1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
                    1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
                    1437 FILE-IDENTIFY Microsoft Windows Media download detected
                    1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
                    1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
                    1852 SERVER-WEBAPP robots.txt access
                    1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
                    1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
                    1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
                    1990 POLICY-SOCIAL Microsoft MSN user search
                    1991 POLICY-SOCIAL Microsoft MSN login attempt
                    2180 PUA-P2P BitTorrent announce request
                    2181 PUA-P2P BitTorrent transfer
                    2707 FILE-IMAGE JPEG parser multipacket heap overflow
                    3463 SERVER-WEBAPP awstats access
                    25518 OS-OTHER Apple iPod User-Agent detected
                    25519 OS-OTHER Apple iPad User-Agent detected
                    25520 OS-OTHER Apple iPhone User-Agent detected
                    25521 OS-OTHER Android User-Agent detected
                    25522 OS-OTHER Nokia User-Agent detected
                    25523 OS-OTHER Samsung User-Agent detected
                    25524 OS-OTHER Kindle User-Agent detected
                    25525 OS-OTHER Nintendo User-Agent detected
                    2417 PROTOCOL-FTP format string attempt
                    1377 PROTOCOL-FTP wu-ftp bad file completion attempt
                    1378 PROTOCOL-FTP wu-ftp bad file completion attempt
                    
                    >>>DISABLED:38
                    
                    IPS Policy - Security > all except
                    19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
                    18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
                    16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
                    25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
                    16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
                    15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
                    15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
                    13360 APP-DETECT failed FTP login attempt
                    23098 FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
                    14772 WEB-CLIENT libpng malformed chunk denial of service attempt
                    29466 FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt
                    27948 FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt
                    17153 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
                    17154 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
                    19713 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream.
                    19714 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream.
                    19321 BROWSER-FIREFOX Mozilla Products nsCSSValue Array Index Integer Overflow  <<< Affects Firefox v3.5.1-3.6.6.  No longer needed, delete upstream.
                    19292 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                    19078 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                    19077 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                    19076 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                    17804 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                    25233 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                    25232 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                    25228 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                    25227 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                    24994 BROWSER-FIREFOX Mozilla Firefox onChannelRedirect method attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                    24188 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
                    24187 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
                    21363 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                    20072 BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                    16502 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based <<< Affects Firefox v3.6.  No longer needed, delete upstream.
                    16501 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType <<< Affects Firefox v3.6.  No longer needed, delete upstream.
                    29503 BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt <<< Affects Firefox v1.0-5.0.  No longer needed, delete upstream.
                    >>DISABLED:34
                    
                    preprocessor.rules > all except (first_column:second_column details)
                    119:2 HI_CLIENT_DOUBLE_DECODE
                    119:4 HI_CLIENT_BARE_BYTE
                    119:7 HI_CLIENT_IIS_UNICODE
                    119:14 HI_CLIENT_NON_RFC_CHAR
                    119:31 HI_CLIENT_UNKNOWN_METHOD
                    119:32 HI_CLIENT_SIMPLE_REQUEST
                    120:2 HI_SERVER_INVALID_STATCODE
                    120:3 HI_SERVER_NO_CONTLEN
                    120:4 HI_SERVER_UTF_NORM_FAIL
                    120:6 HI_SERVER_DECOMPR_FAILED
                    120:8 HI_CLISRV_MSG_SIZE_EXCEPTION
                    120:9 HI_SERVER_JS_OBFUSCATION_EXCD
                    120:10 HI_SERVER_JS_EXCESS_WS
                    122:1 PSNG_TCP_PORTSCAN
                    122:4 PSNG_TCP_DISTRIBUTED_PORTSCAN
                    122:17 PSNG_UDP_PORTSCAN
                    122:20 PSNG_UDP_DISTRIBUTED_PORTSCAN
                    124:3 SMTP_RESPONSE_OVERFLOW
                    124:10 SMTP_B64_DECODING_FAILED
                    125:1 FTPP_FTP_TELNET_CMD
                    125:2 FTPP_FTP_INVALID_CMD
                    125:7 FTPP_FTP_ENCRYPTED
                    125:9 FTPP_FTP_EVASIVE_TELNET_CMD
                    137:1 SSL_INVALID_CLIENT_HELLO
                    141:1 IMAP_UNKNOWN_CMD <<< pending upstream update
                    141:2 IMAP_UNKNOWN_RESP <<< pending upstream update
                    145:2 DNP3_DROPPED_FRAME
                    DISABLED>>>27
                    
                    DO NOT USE! > sensitive-data.rules > NONE enabled
                    
                    Suppression list:
                    
                    #GLOBAL
                    # gen_id 1
                    suppress gen_id 1, sig_id 536
                    suppress gen_id 1, sig_id 653
                    suppress gen_id 1, sig_id 2452
                    suppress gen_id 1, sig_id 11192
                    suppress gen_id 1, sig_id 15306
                    suppress gen_id 1, sig_id 16313
                    suppress gen_id 1, sig_id 17458
                    suppress gen_id 1, sig_id 20583
                    suppress gen_id 1, sig_id 2000334
                    suppress gen_id 1, sig_id 2008120
                    suppress gen_id 1, sig_id 2010516
                    suppress gen_id 1, sig_id 20122758
                    suppress gen_id 1, sig_id 2014518
                    suppress gen_id 1, sig_id 2014520
                    suppress gen_id 1, sig_id 2100366
                    suppress gen_id 1, sig_id 2100368
                    suppress gen_id 1, sig_id 2100651
                    suppress gen_id 1, sig_id 2101390
                    suppress gen_id 1, sig_id 2101424
                    suppress gen_id 1, sig_id 2102314
                    suppress gen_id 1, sig_id 2103134
                    suppress gen_id 1, sig_id 2500056
                    suppress gen_id 1, sig_id 100000230
                    suppress gen_id 3, sig_id 14772
                    #(IMAP) Unknown IMAP4 command
                    suppress gen_id 141, sig_id 1
                    
                    pfBlocker extra lists:
                    TYPE LIST
                    txt http://www.spamhaus.org/drop/drop.txt
                    txt http://www.spamhaus.org/drop/edrop.txt
                    
                    
                    1 Reply Last reply Reply Quote 0
                    • R
                      Ramosel
                      last edited by

                      Since you have changed the format of how you are posting the updates in this post, is this a repost of the March 15th update or something new?

                      Rick

                      1 Reply Last reply Reply Quote 0
                      • ?
                        A Former User
                        last edited by

                        @Ramosel:

                        Since you have changed the format of how you are posting the updates in this post, is this a repost of the March 15th update or something new?

                        Rick

                        See quote and rule sample:
                        @jflsakfja:

                        This update brings a couple dozen no longer needed rules, and I have now started adding an explanation of why I deleted a certain rule next to it, after <<<

                        
                        17153 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
                        17154 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
                        19713 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream.
                        19714 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1\. No longer needed, delete upstream.
                        19321 BROWSER-FIREFOX Mozilla Products nsCSSValue Array Index Integer Overflow  <<< Affects Firefox v3.5.1-3.6.6.  No longer needed, delete upstream.
                        19292 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                        19078 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                        19077 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                        19076 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                        17804 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                        25233 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                        25232 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                        25228 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                        25227 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                        24994 BROWSER-FIREFOX Mozilla Firefox onChannelRedirect method attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                        24188 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
                        24187 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
                        21363 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                        20072 BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                        16502 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based <<< Affects Firefox v3.6.  No longer needed, delete upstream.
                        16501 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType <<< Affects Firefox v3.6.  No longer needed, delete upstream.
                        29503 BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt <<< Affects Firefox v1.0-5.0.  No longer needed, delete upstream.
                        
                        
                        1 Reply Last reply Reply Quote 0
                        • G
                          G.D. Wusser Esq.
                          last edited by

                          I have a quick question about mechanics of what exactly this rule is detecting.

                          @jflsakfja:

                          2017015 ET POLICY DropBox User Content Access over SSL

                          The source IP is an AWS address. The source port is 443. The destination IP is a local computer that does not (or should not) have drop box installed. The destination port is in 15-thousands (15067, 15068).

                          What is triggering this rule? Would simply clicking on a link, to download a file in web browser, or accessing a page with hot-linked https dropbox content, allow the AWS hosted computer to send traffic back on a port already opened by the browser? Or is this an indication of a secret drop box client installed by a hacker, and then used to send payload to the compromised computer?

                          Could it be one, or another, or both?

                          Thank you.

                          1 Reply Last reply Reply Quote 0
                          • BBcan177B
                            BBcan177 Moderator
                            last edited by

                            @G.D.:

                            2017015 ET POLICY DropBox User Content Access over SSL

                            The source IP is an AWS address. The source port is 443. The destination IP is a local computer that does not (or should not) have drop box installed. The destination port is in 15-thousands (15067, 15068).

                            What is triggering this rule? Would simply clicking on a link, to download a file in web browser, or accessing a page with hot-linked https dropbox content, allow the AWS hosted computer to send traffic back on a port already opened by the browser? Or is this an indication of a secret drop box client installed by a hacker, and then used to send payload to the compromised computer?

                            Could it be one, or another, or both?

                            This is the rule

                            alert tcp $EXTERNAL_NET 443 -> $HOME_NET any (msg:"ET POLICY DropBox User Content Access over SSL"; flow:established,from_server; content:"|55 04 03|"; content:"|18|*.dropboxusercontent.com"; nocase; distance:1; within:25; reference:url,www.dropbox.com/help/201/en; classtype:policy-violation; sid:2017015; rev:6;)

                            This is the reference URL in the rule  https://www.dropbox.com/help/201/en  which doesn't say too much.

                            There is a lot of Crap on AWS. I found the following reference -

                            "Data uploaded by the Dropbox client software is also encrypted before it is uploaded to Dropbox servers. Dropbox stores files on Amazon's S3 service. The company encrypts files with 256-bit AES before transmitting them to Amazon's servers via an SSL connection. However, Dropbox employees can decrypt these files, as can the Dropbox system."

                            Maybe posting on the Snort forum would get the right information for this type of question.

                            https://groups.google.com/forum/#!forum/mailing.unix.snort

                            "Experience is something you don't get until just after you need it."

                            Website: http://pfBlockerNG.com
                            Twitter: @BBcan177  #pfBlockerNG
                            Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                            1 Reply Last reply Reply Quote 0
                            • bmeeksB
                              bmeeks
                              last edited by

                              @G.D.:

                              I have a quick question about mechanics of what exactly this rule is detecting.

                              @jflsakfja:

                              2017015 ET POLICY DropBox User Content Access over SSL

                              The source IP is an AWS address. The source port is 443. The destination IP is a local computer that does not (or should not) have drop box installed. The destination port is in 15-thousands (15067, 15068).

                              What is triggering this rule? Would simply clicking on a link, to download a file in web browser, or accessing a page with hot-linked https dropbox content, allow the AWS hosted computer to send traffic back on a port already opened by the browser? Or is this an indication of a secret drop box client installed by a hacker, and then used to send payload to the compromised computer?

                              Could it be one, or another, or both?

                              Thank you.

                              In addition to what user BBcan177 stated and provided above with regards to this alert, my guess is a client computer on your network clicked on a web link that downloads Dropbox content.  You do not have to have the Dropbox client installed to download and view someone else's content.  I don't have Dropbox on my LAN, but my family has sent me links to photos hosted on their Dropbox accounts.  So my bet is one of your LAN users clicked a link in an e-mail or even a web page that then connects via https:// to Dropbox to grab the content.  The Snort rule is simply alerting on that action.

                              Bill

                              1 Reply Last reply Reply Quote 0
                              • G
                                G.D. Wusser Esq.
                                last edited by

                                Thank you for the explanation. I appreciate it. It seems somewhat counter-intuitive to me that Snort would ignore the outgoing request for the prohibited resource, and only catch it on the way back, when the remote server starts transmitting to the local port.

                                I have much to learn about Snort.

                                1 Reply Last reply Reply Quote 0
                                • ?
                                  A Former User
                                  last edited by

                                  Warning: This post may contain rage directed at the snort/suricata rule writers. It does NOT contain rage directed at any of the poor souls trying to make a usable product of the mess that is The Rules.

                                  And rule writers have an order of magnitude more than you to learn about writing rules and/or using snort. (translation-and-a-fact-actually:MOST rule writers have no idea what a rule is and what a rule does)

                                  Snippet from the upcoming blueprint for suricata:
                                  2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected <<< so WTF is windows 7 then???

                                  Since nobody on the entire internet reads this topic, that brutal FP rule will never be corrected. Trillions upon quadrillions of man hours will be wasted to disable that rule, after thousands upon thousands of debates on whether Windows 7 is version 7 or version 6 (hint:it's 6.1 and the rule fires up after a clean install's first time updates).

                                  The Golden Standards for Rule Writing

                                  1. Rules should detect what they are designed to detect (most rules actually do this)
                                  2. A rule to detect a successful ftp login is not only idiotic, it's an insult of my intelligence. Applies to apt-get rule as well.
                                  3. A rule set up on an abacus then carried over to snort should REALLY be dropped. No arguments, no what-ifs, no think-of-the-children, no terrorism (includes cyberterrorism). Just build up the courage and delete old rules already. Nobody needs them.

                                  Most rules meet only point 1. There are exceptions of course.
                                  I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.

                                  Note to those that say "ZOMG!!!oneeleven WHAT ABOUT DETECTING WINDOWS 7 WHEN YOU ARE ON AN ALL LINUX NETWORK????".

                                  1. THERE IS NOTHING SUSPICIOUS ABOUT A VALID WINDOWS RELEASE! (other than the three-letter-agencies backdoors of course)
                                  2. If you don't know what os each host runs, please consider a career change.
                                  3. If a host whose OS you don't know managed to get on "The Internet", then you have bigger problems. Please see 2.
                                  1 Reply Last reply Reply Quote 0
                                  • R
                                    Ramosel
                                    last edited by

                                    @jflsakfja:

                                    I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.

                                    First off, thank you for your efforts in this thread, I have found it most useful and the more I understand about it, most clever in its use and implementation of pfSense/pfBlocker/Snort as a system

                                    I don't know that this is a question or just a curiosity…  what I have read, questioned and talked to friends about in the Snort/Suricata debate, points to the big advantage of Suricata is its true "inline" functionality.  At this time, it is my understanding that this true "inline" functionality can not be invoked under pfSense due to changes needed in pfSense itself.  Given those two pieces of the puzzle, what would be the impetus for moving to Suricata "at this time"?

                                    To further obfuscate the curiosity, the Snort fanboys insist that by the time pfSense gets "fixed" for the inline functionality that Snort will be updated to also offer this ability.  My question then was whether an inline Snort would also require its own pfSense core change?… to which I got blank stares and silence.

                                    Rick

                                    1 Reply Last reply Reply Quote 0
                                    • bmeeksB
                                      bmeeks
                                      last edited by

                                      @G.D.:

                                      Thank you for the explanation. I appreciate it. It seems somewhat counter-intuitive to me that Snort would ignore the outgoing request for the prohibited resource, and only catch it on the way back, when the remote server starts transmitting to the local port.

                                      I have much to learn about Snort.

                                      The outgoing request from your LAN client may well not contain all the "triggers" needed by the rule.  Only the data coming back contained everything necessary (and in the right order) to trigger the rule.

                                      Bill

                                      1 Reply Last reply Reply Quote 0
                                      • bmeeksB
                                        bmeeks
                                        last edited by

                                        @Ramosel:

                                        @jflsakfja:

                                        I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.

                                        First off, thank you for your efforts in this thread, I have found it most useful and the more I understand about it, most clever in its use and implementation of pfSense/pfBlocker/Snort as a system

                                        I don't know that this is a question or just a curiosity…  what I have read, questioned and talked to friends about in the Snort/Suricata debate, points to the big advantage of Suricata is its true "inline" functionality.  At this time, it is my understanding that this true "inline" functionality can not be invoked under pfSense due to changes needed in pfSense itself.  Given those two pieces of the puzzle, what would be the impetus for moving to Suricata "at this time"?

                                        To further obfuscate the curiosity, the Snort fanboys insist that by the time pfSense gets "fixed" for the inline functionality that Snort will be updated to also offer this ability.  My question then was whether an inline Snort would also require its own pfSense core change?… to which I got blank stares and silence.

                                        Rick

                                        There are (well, actually, "will be") two ways to implement in-line mode in Snort and Suricata.  One utilizes ipfw.  This is the part of pfSense that today does not fully function in IPS mode.  It's also the mode, that even if fixed to work, will still offer very poor performance throughput due to the swaps back and forth between kernel space and user land for packets.  The other mechanism that really offers promise is Netmap.  This is now part of FreeBSD 10, and I assume (but have not verified) it is in pfSense 2.2.  There is a feature request that is currently showing as 50% complete in the Suricata source tree to add a Netmap API module so that Suricata can use it.  I'm not sure why the feature is not 100% finished yet.

                                        Back to Snort.  Snort's DAQ module that does all the packet acquisition can utilize ipfw on BSD systems to do in-line drops.  I have not seen anything about Netmap support in Snort yet, though.  Somebody may be contemplating it, but I did not see any links in my initial searches.

                                        So to summarize – the ideal way forward is to use the Netmap support in FreeBSD 10 as the architecture for implementing inline IPS in Suricata (and maybe even Snort).  However, we are now in a waiting game while those two upstream source trees fully incorporate Netmap support.  In my view, ipfw is probably a lost cause due first to the potential performance issues, and second to the fact it would have to be updated in the pfSense code in order to work correctly.

                                        As to liking Suricata over Snort (or vice-versa), that is really mostly personal preference at this time.  Maybe if Suricata gets full Netmap support and Snort does not, then the choice becomes more clear cut.

                                        Bill

                                        1 Reply Last reply Reply Quote 0
                                        • ?
                                          A Former User
                                          last edited by

                                          @Ramosel:

                                          @jflsakfja:

                                          I'll be updating this topic for the last time in the coming days. After that, the suricata blueprint will take over.

                                          First off, thank you for your efforts in this thread, I have found it most useful and the more I understand about it, most clever in its use and implementation of pfSense/pfBlocker/Snort as a system

                                          I don't know that this is a question or just a curiosity…  what I have read, questioned and talked to friends about in the Snort/Suricata debate, points to the big advantage of Suricata is its true "inline" functionality.  At this time, it is my understanding that this true "inline" functionality can not be invoked under pfSense due to changes needed in pfSense itself.  Given those two pieces of the puzzle, what would be the impetus for moving to Suricata "at this time"?

                                          To further obfuscate the curiosity, the Snort fanboys insist that by the time pfSense gets "fixed" for the inline functionality that Snort will be updated to also offer this ability. My question then was whether an inline Snort would also require its own pfSense core change?… to which I got blank stares and silence.

                                          Rick

                                          Snort inline is dead. Any hope of resurrecting the project (coming from die hard snort fans, companies funneling trillions of $ into snort inline, fanbois, not related passers by) is nothing more than a hope. As an added nail in snort inline's coffin is that pretty much all development for it has stopped when suricata was born, since most (all?) developers (wrt inline) moved over to that project.

                                          Just to put it in plain sight: snort inline is DEAD. Any future posts mentioning snort inline should be accompanied by "R.I.P. snort inline". If you want that functionality, migrate to suricata. As for all the (inevitably) coming [citation needed] posts, I'm not the one saying snort inline is dead, migrate to suricata. It's actually snort inline's site. Here I'll make everybody's life easier: http://snort-inline.sourceforge.net/

                                          Right now the best course forward is to work as much as we can to get suricata fully functional under pfsense. Even if the inline part doesn't get implemented for another 40 years, the foundations will be there when it does. I know this will upset everybody related to snort, but now that cisco has taken over snort, I'm waiting for the announcement that snort will no longer be supported any day now. Maybe tomorrow. Maybe the day after that. Maybe next week. It WILL be here eventually.

                                          1 Reply Last reply Reply Quote 0
                                          • ?
                                            A Former User
                                            last edited by

                                            This is the final rule post in this topic. Moving forward, the rules will be found in the suricata topic, which I'll create in a couple of days. I strongly advise all to move to suricata and stop using snort.

                                            With that out of the way, here's the rule updates:

                                            In tab "Rules", under "Category" select:
                                            (–- means blank table at time of writing)

                                            Auto-Flowbit rules > all except:
                                            8478 FILE-IDENTIFY Microsoft Office Publisher file magic detected
                                            23714 FILE-IDENTIFY Microsoft Office Publisher file magic detected

                                            DISABLED:2

                                            emerging-activex > all

                                            DISABLED:0

                                            emerging-attack_responses > all

                                            DISABLED:0

                                            DO NOT USE! > emerging-botcc > use pfblocker with: http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt <<< CARE!!! a lot of IRC servers are listed here. Try it first, an IRC network that you need to work, doesn't, then remove it.

                                            emerging-chat > all except:
                                            2010784 ET CHAT Facebook Chat (send message)
                                            2010785 ET CHAT Facebook Chat (buddy list)
                                            2010786 ET CHAT Facebook Chat (settings)
                                            2010819 ET CHAT Facebook Chat using XMPP
                                            2002327 ET CHAT Google Talk (Jabber) Client Login
                                            2002334 ET CHAT Google IM traffic Jabber client sign-on
                                            2001241 ET CHAT MSN file transfer request
                                            2001242 ET CHAT MSN file transfer accept
                                            2001243 ET CHAT MSN file transfer reject
                                            2001682 ET CHAT MSN IM Poll via HTTP
                                            2002192 ET CHAT MSN status change
                                            2008289 ET CHAT Possible MSN Messenger File Transfer
                                            2009375 ET CHAT General MSN Chat Activity
                                            2009376 ET CHAT MSN User-Agent Activity
                                            2001595 ET CHAT Skype VOIP Checking Version (Startup)
                                            2002157 ET CHAT Skype User-Agent detected
                                            2003022 ET CHAT Skype Bootstrap Node (udp)
                                            2000355 ET CHAT IRC authorization message [stops IRC from working]
                                            2002024 ET CHAT IRC NICK command [stops IRC from working]
                                            2002028 ET CHAT IRC PONG response [stops IRC from working]
                                            2002025 ET CHAT IRC JOIN command [stops IRC from working]
                                            2002026 ET CHAT IRC PRIVMSG command [stops IRC from working]

                                            DISABLED:22

                                            DO NOT USE! > emerging-ciarmy > use pfblocker with: http://www.ciarmy.com/list/ci-badguys.txt

                                            DO NOT USE! > emerging-compromised > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt

                                            emerging-current_events > all
                                            2014527 ET CURRENT_EVENTS Exploit Kit Delivering Compressed Flash Content to Client <<< Tired of manually cleaning up after this one.

                                            DISABLED:1

                                            emerging-deleted > –-

                                            emerging-dns > all except:
                                            2008446 ET DNS Excessive DNS Responses with 1 or more RR's (100+ in 10 seconds) - possible Cache Poisoning Attempt
                                            2008470 ET DNS Excessive NXDOMAIN responses - Possible DNS Backscatter or Domain Generation Algorithm Lookups
                                            2001117 ET DNS Standard query response, Name Error

                                            DISABLED:3

                                            emerging-dos > all

                                            DISABLED:0

                                            DO NOT USE! > emerging-drop > use pfblocker with: http://list.iblocklist.com/?list=sh_drop&fileformat=p2p

                                            DO NOT USE! > emerging-dshield > use pfblocker with: http://rules.emergingthreats.net/blockrules/compromised-ips.txt

                                            emerging-exploit > all except:
                                            2001058 ET EXPLOIT libpng tRNS overflow attempt
                                            2002913 ET EXPLOIT VNC Client response
                                            2002914 ET EXPLOIT VNC Server VNC Auth Offer
                                            2002919 ET EXPLOIT VNC Good Authentication Reply
                                            2002915 ET EXPLOIT VNC Authentication Reply
                                            2002758 ET EXPLOIT WMF Escape Record Exploit - Version 1
                                            2002742 ET EXPLOIT WMF Escape Record Exploit - Version 3

                                            DISABLED:7

                                            emerging-ftp > all
                                            2010731 ET FTP FTP CWD command attempt without login

                                            DISABLED:1

                                            emerging-games > all

                                            DISABLED:0

                                            emerging-icmp > ---

                                            emerging-icmp_info > ---

                                            emerging-imap > ---

                                            emerging-inappropriate > all except:
                                            2002925 ET INAPPROPRIATE Google Image Search, Safe Mode Off
                                            2001608 ET INAPPROPRIATE Likely Porn

                                            DISABLED:2

                                            emerging-info > all except:
                                            2014472 ET INFO JAVA - Java Archive Download
                                            2014473 ET INFO JAVA - Java Archive Download By Vulnerable Client
                                            2014819 ET INFO Packed Executable Download
                                            2015016 ET INFO FTP STOR to External Network
                                            2015561 ET INFO PDF Using CCITTFax Filter
                                            2015744 ET INFO EXE IsDebuggerPresent (Used in Malware Anti-Debugging)
                                            2016360 ET INFO JAVA - ClassID
                                            2016361 ET INFO JAVA - ClassID
                                            2016404 ET INFO MPEG Download Over HTTP (1)
                                            2015674 ET INFO 3XX redirect to data URL
                                            2016847 ET INFO Possible Chrome Plugin install
                                            2017669 ET INFO Zip File

                                            DISABLED:12

                                            emerging-malware > all except:
                                            2008438 ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
                                            2012228 ET MALWARE Suspicious Russian Content-Language Ru Which May Be Malware Related
                                            2012229 ET MALWARE Suspicious Chinese Content-Language zh-cn Which May be Malware Related

                                            DISABLED:3

                                            emerging-misc > all

                                            DISABLED:0

                                            emerging-mobile_malware > all except:
                                            2012251 ET MOBILE_MALWARE Google Android Device HTTP Request
                                            2012848 ET MOBILE_MALWARE Possible Mobile Malware POST of IMEI International Mobile Equipment Identity in URI

                                            DISABLED:2

                                            emerging-netbios > all

                                            DISABLED:0

                                            emerging-p2p > all except:
                                            2000369 ET P2P BitTorrent Announce
                                            2007727 ET P2P possible torrent download
                                            2008581 ET P2P BitTorrent DHT ping request
                                            2008583 ET P2P BitTorrent DHT nodes reply
                                            2008585 ET P2P BitTorrent DHT announce_peers request
                                            2010144 ET P2P Vuze BT UDP Connection (5)
                                            2011699 ET P2P Bittorrent P2P Client User-Agent (Transmission/1.x)
                                            2016662 ET P2P Possible Bittorrent Activity - Multiple DNS Queries For tracker hosts
                                            2014734 ET P2P BitTorrent - Torrent File Downloaded
                                            2003317 ET P2P Edonkey Search Request (any type file)
                                            2009971 ET P2P eMule KAD Network Hello Request (2)
                                            2013869 ET P2P Torrent Client User-Agent (Solid Core/0.82)

                                            DISABLED:12

                                            emerging-policy > all except:
                                            2000419 ET POLICY PE EXE or DLL Windows file download
                                            2000428 ET POLICY ZIP file download
                                            2001115 ET POLICY MSI (microsoft installer file) download
                                            2003595 ET POLICY exe download via HTTP - Informational
                                            2001898 ET POLICY eBay Bid Placed
                                            2001907 ET POLICY eBay Placing Item for sale
                                            2001908 ET POLICY eBay View Item
                                            2001909 ET POLICY eBay Watch This Item
                                            2003303 ET POLICY FTP Login Attempt (non-anonymous)
                                            2003410 ET POLICY FTP Login Successful
                                            2003121 ET POLICY docs.google.com Activity
                                            2003597 ET POLICY Google Calendar in Use
                                            2002801 ET POLICY Google Desktop User-Agent Detected
                                            2002838 ET POLICY Google Search Appliance browsing the Internet
                                            2000035 ET POLICY Hotmail Inbox Access
                                            2000036 ET POLICY Hotmail Message Access
                                            2000037 ET POLICY Hotmail Compose Message Access
                                            2000038 ET POLICY Hotmail Compose Message Submit
                                            2000039 ET POLICY Hotmail Compose Message Submit Data
                                            2008238 ET POLICY Hotmail Inbox Access
                                            2008239 ET POLICY Hotmail Message Access
                                            2008240 ET POLICY Hotmail Compose Message Access
                                            2008242 ET POLICY Hotmail Access Full Mode
                                            2006408 ET POLICY HTTP Request on Unusual Port Possibly Hostile
                                            2006409 ET POLICY HTTP POST on unusual Port Possibly Hostile
                                            2002330 ET POLICY Google Talk TLS Client Traffic
                                            2002332 ET POLICY Google IM traffic Windows client user sign-on
                                            2002333 ET POLICY Google IM traffic friend invited
                                            2002878 ET POLICY iTunes User Agent
                                            2002722 ET POLICY MP3 File Transfer Outbound
                                            2002723 ET POLICY MP3 File Transfer Inbound
                                            2001114 ET POLICY Mozilla XPI install files download
                                            2001973 ET POLICY SSH Server Banner Detected on Expected Port
                                            2001974 ET POLICY SSH Client Banner Detected on Expected Port
                                            2001975 ET POLICY SSHv2 Server KEX Detected on Expected Port
                                            2001976 ET POLICY SSHv2 Client KEX Detected on Expected Port
                                            2001977 ET POLICY SSHv2 Client New Keys detected on Expected Port
                                            2001978 ET POLICY SSH session in progress on Expected Port
                                            2001979 ET POLICY SSH Server Banner Detected on Unusual Port
                                            2001980 ET POLICY SSH Client Banner Detected on Unusual Port
                                            2001981 ET POLICY SSHv2 Server KEX Detected on Unusual Port
                                            2001982 ET POLICY SSHv2 Client KEX Detected on Unusual Port
                                            2001983 ET POLICY SSHv2 Client New Keys Detected on Unusual Port
                                            2001984 ET POLICY SSH session in progress on Unusual Port
                                            2009001 ET POLICY Login Credentials Possibly Passed in URI
                                            2009004 ET POLICY Login Credentials Possibly Passed in POST Data
                                            2003214 ET POLICY Pingdom.com Monitoring detected
                                            2003215 ET POLICY Pingdom.com Monitoring Node Active
                                            2001669 ET POLICY Proxy GET Request
                                            2001670 ET POLICY Proxy HEAD Request
                                            2001674 ET POLICY Proxy POST Request
                                            2001675 ET POLICY Proxy CONNECT Request
                                            2002922 ET POLICY VNC Authentication Successful
                                            2002920 ET POLICY VNC Authentication Failure
                                            2003026 ET POLICY Known SSL traffic on port 443 being excluded from SSL Alerts
                                            2004598 ET POLICY Known SSL traffic on port 9001 (aol) being excluded from SSL Alerts
                                            2003027 ET POLICY Known SSL traffic on port 8000 being excluded from SSL Alerts
                                            2003028 ET POLICY Known SSL traffic on port 8080 being excluded from SSL Alerts
                                            2003029 ET POLICY Known SSL traffic on port 8200 being excluded from SSL Alerts
                                            2003030 ET POLICY Known SSL traffic on port 8443 being excluded from SSL Alerts
                                            2003033 ET POLICY Known SSL traffic on port 2967 (Symantec) being excluded from SSL Alerts
                                            2003035 ET POLICY Known SSL traffic on port 3128 (proxy) being excluded from SSL Alerts
                                            2003036 ET POLICY Known SSL traffic on port 8080 (proxy) being excluded from SSL Alerts
                                            2003037 ET POLICY Known SSL traffic on port 8292 (Bloomberg) being excluded from SSL Alerts
                                            2003038 ET POLICY Known SSL traffic on port 8294 (Bloomberg) being excluded from SSL Alerts
                                            2003934 ET POLICY Known SSL traffic on port 1521 (Oracle) being excluded from SSL Alerts
                                            2008543 ET POLICY Known SSL traffic on port 995 (imaps) being excluded from SSL Alerts
                                            2003002 ET POLICY TLS/SSL Client Hello on Unusual Port TLS
                                            2003003 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
                                            2003004 ET POLICY TLS/SSL Client Hello on Unusual Port Case 2
                                            2003005 ET POLICY TLS/SSL Client Hello on Unusual Port SSLv3
                                            2003006 ET POLICY TLS/SSL Client Key Exchange on Unusual Port
                                            2003007 ET POLICY TLS/SSL Client Key Exchange on Unusual Port SSLv3
                                            2003008 ET POLICY TLS/SSL Client Cipher Set on Unusual Port
                                            2003009 ET POLICY TLS/SSL Client Cipher Set on Unusual Port SSLv3
                                            2003010 ET POLICY TLS/SSL Server Hello on Unusual Port
                                            2003011 ET POLICY TLS/SSL Server Hello on Unusual Port SSLv3
                                            2003012 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port
                                            2003013 ET POLICY TLS/SSL Server Certificate Exchange on Unusual Port SSLv3
                                            2003014 ET POLICY TLS/SSL Server Key Exchange on Unusual Port
                                            2003015 ET POLICY TLS/SSL Server Key Exchange on Unusual Port SSLv3
                                            2003018 ET POLICY TLS/SSL Server Cipher Set on Unusual Port
                                            2003019 ET POLICY TLS/SSL Server Cipher Set on Unusual Port SSLv3
                                            2003020 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port
                                            2003021 ET POLICY TLS/SSL Encrypted Application Data on Unusual Port SSLv3
                                            2007671 ET POLICY Binary Download Smaller than 1 MB Likely Hostile
                                            2001449 ET POLICY Proxy Connection detected
                                            2002822 ET POLICY Wget User Agent
                                            2002823 ET POLICY POSSIBLE Web Crawl using Wget
                                            2002824 ET POLICY CURL User Agent
                                            2002934 ET POLICY libwww-perl User Agent
                                            2002828 ET POLICY Googlebot User Agent
                                            2002829 ET POLICY Googlebot Crawl
                                            2002830 ET POLICY Msnbot User Agent
                                            2002831 ET POLICY Msnbot Crawl
                                            2002832 ET POLICY Yahoo Crawler User Agent
                                            2002833 ET POLICY Yahoo Crawler Crawl
                                            2010228 ET POLICY Suspicious Microsoft Windows NT 6.1 User-Agent Detected
                                            2002948 ET POLICY External Windows Update in Progress
                                            2002949 ET POLICY Windows Update in Progress
                                            2001402 ET POLICY ZIPPED DOC in transit
                                            2001403 ET POLICY ZIPPED XLS in transit
                                            2001404 ET POLICY ZIPPED EXE in transit
                                            2001405 ET POLICY ZIPPED PPT in transit
                                            2011874 ET POLICY NSPlayer User-Agent Windows Media Player streaming detected
                                            2012647 ET POLICY Dropbox.com Offsite File Backup in Use
                                            2012648 ET POLICY Dropbox Client Broadcasting
                                            2013028 ET POLICY curl User-Agent Outbound
                                            2013030 ET POLICY libwww-perl User-Agent
                                            2013031 ET POLICY Python-urllib/ Suspicious User Agent
                                            2013290 ET POLICY MOBILE Apple device leaking UDID from SpringBoard via GET
                                            2013414 ET POLICY Executable served from Amazon S3
                                            2013458 ET POLICY Facebook Like Button Clicked (1)
                                            2013459 ET POLICY Facebook Like Button Clicked (2)
                                            2013503 ET POLICY OS X Software Update Request Outbound
                                            2013504 ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management
                                            2013505 ET POLICY GNU/Linux YUM User-Agent Outbound likely related to package management
                                            2014297 ET POLICY Vulnerable Java Version 1.7.x Detected
                                            2014313 ET POLICY Executable Download From DropBox
                                            2014919 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (1)
                                            2014920 ET POLICY Microsoft Online Storage Client Hello TLSv1 Possible SkyDrive (2)
                                            2017015 ET POLICY DropBox User Content Access over SSL
                                            2001375 ET POLICY Credit Card Number Detected in Clear (16 digit spaced)
                                            2001376 ET POLICY Credit Card Number Detected in Clear (16 digit dashed)
                                            2001377 ET POLICY Credit Card Number Detected in Clear (16 digit)
                                            2001378 ET POLICY Credit Card Number Detected in Clear (15 digit)
                                            2001379 ET POLICY Credit Card Number Detected in Clear (15 digit spaced)
                                            2001380 ET POLICY Credit Card Number Detected in Clear (15 digit dashed)
                                            2001381 ET POLICY Credit Card Number Detected in Clear (14 digit)
                                            2001382 ET POLICY Credit Card Number Detected in Clear (14 digit spaced)
                                            2001383 ET POLICY Credit Card Number Detected in Clear (14 digit dashed)
                                            2009293 ET POLICY Credit Card Number Detected in Clear (15 digit spaced 2)
                                            2009294 ET POLICY Credit Card Number Detected in Clear (15 digit dashed 2)
                                            2001328 ET POLICY SSN Detected in Clear Text (dashed)
                                            2001384 ET POLICY SSN Detected in Clear Text (spaced)
                                            2007971 ET POLICY SSN Detected in Clear Text (SSN )
                                            2007972 ET POLICY SSN Detected in Clear Text (SSN# )
                                            2011854 ET POLICY Java JAR file download
                                            2002749 ET POLICY Unallocated IP Space Traffic - Bogon Nets  <<<<<<<< handled by ticking block bogon networks in interface settings
                                            2002752 ET POLICY Reserved Internal IP Traffic    <<<<<<<<<<<<< handled by ticking block private networks in interface settings
                                            2000418 ET POLICY Executable and linking format (ELF) file download
                                            2002658 ET POLICY EIN in the clear (US-IRS Employer ID Number)
                                            2016877 ET POLICY Unsupported/Fake FireFox Version 2.
                                            2013296 ET POLICY Free SSL Certificate Provider (StartCom Class 1 Primary Intermediate Server CA)
                                            2010815 ET POLICY Incoming Connection Attempt From Amazon EC2 Cloud
                                            2013255 ET POLICY Majestic12 User-Agent Request Inbound
                                            2014726 ET POLICY Outdated Windows Flash Version IE
                                            2012911 ET POLICY URL Contains password Parameter
                                            2011085 ET POLICY HTTP Redirect to IPv4 Address
                                            2009303 ET POLICY MediaFire file download service access
                                            2000356 ET POLICY IRC connection [stops IRC from working, misses a lot of real IRC connections]
                                            2012141 ET POLICY Protocol 41 IPv6 encapsulation potential 6in4 IPv6 tunnel active <<< Breaks IPv6 Tunnels

                                            DISABLED:152

                                            emerging-pop3 > –-

                                            DO NOT USE! > emerging-rbn-malvertisers > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS

                                            DO NOT USE! > emerging-rbn > use pfblocker with: !!!LIST REMOVED!!! LOOKING FOR SUGGESTIONS

                                            emerging-rpc > ---

                                            emerging-scada > all

                                            DISABLED:0

                                            emerging-scan > all except
                                            2002992 ET SCAN Rapid POP3 Connections - Possible Brute Force Attack
                                            2002993 ET SCAN Rapid POP3S Connections - Possible Brute Force Attack
                                            2002994 ET SCAN Rapid IMAP Connections - Possible Brute Force Attack
                                            2002995 ET SCAN Rapid IMAPS Connections - Possible Brute Force Attack
                                            2011367 ET SCAN TCP Traffic (ET SCAN Malformed Packet SYN FIN)
                                            2000538 ET SCAN NMAP -sA (1) <<< FP when accessing certain sites over IPv6

                                            DISABLED:6

                                            emerging-shellcode > all except
                                            2011803 ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
                                            2012252 ET SHELLCODE Common 0a0a0a0a Heap Spray String
                                            2012257 ET SHELLCODE Common %0c%0c%0c%0c Heap Spray String
                                            2012510 ET SHELLCODE UTF-8/16 Encoded Shellcode
                                            2013222 ET SHELLCODE Excessive Use of HeapLib Objects Likely Malicious Heap Spray Attempt
                                            2013267 ET SHELLCODE Hex Obfuscated JavaScript Heap Spray 0a0a0a0a
                                            2012256 ET SHELLCODE Common 0c0c0c0c Heap Spray String

                                            DISABLED:7

                                            emerging-smtp > all

                                            DISABLED:0

                                            emerging-snmp > all

                                            DISABLED:0

                                            emerging-sql > all

                                            DISABLED:0

                                            emerging-telnet > all

                                            DISABLED:0

                                            emerging-tftp > all

                                            DISABLED:0

                                            DO NOT USE! > emerging-tor > use pfblocker with http://list.iblocklist.com/?list=tor&fileformat=p2p

                                            emerging-trojan > all except:
                                            2009205 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 1)
                                            2009206 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 4)
                                            2009207 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 5)
                                            2009208 ET TROJAN Possible Downadup/Conficker-C P2P encrypted traffic UDP Ping Packet (bit value 16)
                                            2001046 ET TROJAN UPX compressed file download possible malware
                                            2016950 ET TROJAN Possible Win32/Hupigon ip.txt with a Non-Mozilla UA

                                            DISABLED:6

                                            emerging-user_agents > all except:
                                            2010697 ET USER_AGENTS Suspicious User-Agent Beginning with digits - Likely spyware/trojan

                                            DISABLED:1

                                            emerging-voip > all

                                            DISABLED:0

                                            emerging-web_client > all except
                                            2011347 ET WEB_CLIENT Possible String.FromCharCode Javascript Obfuscation Attempt
                                            2011507 ET WEB_CLIENT PDF With Embedded File
                                            2010518 ET WEB_CLIENT Possible HTTP 404 XSS Attempt (External Source)
                                            2012056 ET WEB_CLIENT Flash Player Flash6.ocx AllowScriptAccess Denial of Service
                                            2012075 ET WEB_CLIENT Possible Internet Explorer CSS Parser Remote Code Execution Attempt
                                            2012119 ET WEB_CLIENT Possible Hex Obfuscation Usage On Webpage
                                            2012205 ET WEB_CLIENT Possible Malicious String.fromCharCode with charCodeAt String
                                            2012266 ET WEB_CLIENT Hex Obfuscation of unescape % Encoding
                                            2012272 ET WEB_CLIENT Hex Obfuscation of eval % Encoding
                                            2012398 ET WEB_CLIENT Hex Obfuscation of replace Javascript Function % Encoding
                                            2010527 ET WEB_CLIENT Possible HTTP 503 XSS Attempt (External Source)
                                            2010931 ET WEB_CLIENT Possible IE iepeers.dll Use-after-free Code Execution Attempt
                                            2011764 ET WEB_CLIENT Possible Microsoft Internet Explorer mshtml.dll Timer ID Memory Pointer Information Disclosure Attempt

                                            DISABLED:13

                                            emerging-web_server > all except
                                            2003099 ET WEB_SERVER Poison Null Byte
                                            2015526 ET WEB_SERVER Fake Googlebot UA 1 Inbound
                                            2015527 ET WEB_SERVER Fake Googlebot UA 2 Inbound
                                            2016676 ET WEB_SERVER SQL Errors in HTTP 200 Response (ORA-)
                                            2016672 ET WEB_SERVER SQL Errors in HTTP 200 Response (error in your SQL syntax)
                                            2009151 ET WEB_SERVER PHP Generic Remote File Include Attempt (HTTP)

                                            DISABLED:5

                                            emerging-web_specific_apps > all except:
                                            2010890 ET WEB_SPECIFIC_APPS phpBB3 registration (Step1 GET)
                                            2010891 ET WEB_SPECIFIC_APPS phpBB3 registration (Step2 POST)
                                            2010892 ET WEB_SPECIFIC_APPS phpBB3 registration (Step3 GET)
                                            2010893 ET WEB_SPECIFIC_APPS phpBB3 registration (Step4 POST)
                                            2003508 ET WEB_SPECIFIC_APPS Wordpress wp-login.php redirect_to credentials stealing attempt

                                            DISABLED:5

                                            emerging-worm > all

                                            DISABLED:0

                                            GPLv2 community rules > all except
                                            254 DNS SPOOF query response with TTL of 1 min. and no authority
                                            384 PROTOCOL-ICMP PING
                                            385 PROTOCOL-ICMP traceroute
                                            399 PROTOCOL-ICMP Destination Unreachable Host Unreachable
                                            402 PROTOCOL-ICMP Destination Unreachable Port Unreachable
                                            408 PROTOCOL-ICMP Echo Reply
                                            540 POLICY-SOCIAL Microsoft MSN message
                                            648 INDICATOR-SHELLCODE x86 NOOP
                                            649 INDICATOR-SHELLCODE x86 setgid 0
                                            1200 INDICATOR-COMPROMISE Invalid URL
                                            1201 INDICATOR-COMPROMISE 403 Forbidden
                                            1292 INDICATOR-COMPROMISE directory listing
                                            1390 INDICATOR-SHELLCODE x86 inc ebx NOOP
                                            1394 INDICATOR-SHELLCODE x86 inc ecx NOOP
                                            1437 FILE-IDENTIFY Microsoft Windows Media download detected
                                            1841 FILE-OTHER Oracle Javascript URL host spoofing attempt
                                            1846 POLICY-MULTIMEDIA vncviewer Java applet download attempt
                                            1852 SERVER-WEBAPP robots.txt access
                                            1986 POLICY-SOCIAL Microsoft MSN outbound file transfer request
                                            1988 POLICY-SOCIAL Microsoft MSN outbound file transfer accept
                                            1989 POLICY-SOCIAL Microsoft MSN outbound file transfer rejected
                                            1990 POLICY-SOCIAL Microsoft MSN user search
                                            1991 POLICY-SOCIAL Microsoft MSN login attempt
                                            2180 PUA-P2P BitTorrent announce request
                                            2181 PUA-P2P BitTorrent transfer
                                            2707 FILE-IMAGE JPEG parser multipacket heap overflow
                                            3463 SERVER-WEBAPP awstats access
                                            25518 OS-OTHER Apple iPod User-Agent detected
                                            25519 OS-OTHER Apple iPad User-Agent detected
                                            25520 OS-OTHER Apple iPhone User-Agent detected
                                            25521 OS-OTHER Android User-Agent detected
                                            25522 OS-OTHER Nokia User-Agent detected
                                            25523 OS-OTHER Samsung User-Agent detected
                                            25524 OS-OTHER Kindle User-Agent detected
                                            25525 OS-OTHER Nintendo User-Agent detected
                                            2417 PROTOCOL-FTP format string attempt
                                            1377 PROTOCOL-FTP wu-ftp bad file completion attempt
                                            1378 PROTOCOL-FTP wu-ftp bad file completion attempt

                                            DISABLED:38

                                            IPS Policy - Security > all except
                                            19436 BROWSER-IE Microsoft Internet Explorer CStyleSheetRule array memory corruption attempt
                                            18196 BROWSER-IE Microsoft Internet Explorer CSS importer use-after-free attempt
                                            16482 BROWSER-IE Microsoft Internet Explorer userdata behavior memory corruption attempt
                                            25459 FILE-PDF Adobe Reader incomplete JP2K image geometry - potentially malicious
                                            16320 WEB-CLIENT Adobe PNG empty sPLT exploit attempt
                                            15975 WEB-CLIENT OpenOffice TIFF file in little endian format parsing integer overflow attempt
                                            15976 WEB-CLIENT OpenOffice TIFF file in big endian format parsing integer overflow attempt
                                            13360 APP-DETECT failed FTP login attempt
                                            23098 FILE-MULTIMEDIA Adobe Flash Player MP4 sequence parameter set parsing overflow attempt
                                            14772 WEB-CLIENT libpng malformed chunk denial of service attempt
                                            29466 FILE-OTHER Corel PDF fusion XPS stack buffer overflow attempt
                                            27948 FILE-OFFICE Microsoft Office Excel rtMergeCells heap overflow attempt
                                            17153 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 1 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
                                            17154 BROWSER-FIREFOX Mozilla Firefox plugin parameter array dangling pointer exploit attempt - 2 <<< Affects systems running the Firefox ActiveX control (firefox 3.6.7). No longer needed, delete upstream.
                                            19713 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1. No longer needed, delete upstream.
                                            19714 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1. No longer needed, delete upstream.
                                            19321 BROWSER-FIREFOX Mozilla Products nsCSSValue Array Index Integer Overflow  <<< Affects Firefox v3.5.1-3.6.6.  No longer needed, delete upstream.
                                            19292 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                                            19078 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                                            19077 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                                            19076 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                                            17804 BROWSER-FIREFOX Mozilla Firefox html tag attributes memory corruption <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                                            25233 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                                            25232 BROWSER-FIREFOX appendChild multiple parent nodes stack corruption attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                                            25228 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                                            25227 BROWSER-FIREFOX Mozilla Firefox iframe and xul element reload crash attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                                            24994 BROWSER-FIREFOX Mozilla Firefox onChannelRedirect method attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                                            24188 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
                                            24187 BROWSER-FIREFOX Mozilla Array.reduceRight integer overflow <<< Affects Firefox v1.0-4.0.1.  No longer needed, delete upstream.
                                            21363 BROWSER-FIREFOX Mozilla Firefox appendChild use-after-free attempt <<< Affects Firefox v3.5-3.6.9.  No longer needed, delete upstream.
                                            20072 BROWSER-FIREFOX Mozilla Firefox nsTreeRange Use After Free attempt <<< Affects Firefox v1.0-3.6.9.  No longer needed, delete upstream.
                                            16502 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - CFF-based <<< Affects Firefox v3.6.  No longer needed, delete upstream.
                                            16501 BROWSER-FIREFOX Mozilla Firefox WOFF font processing integer overflow attempt - TrueType <<< Affects Firefox v3.6.  No longer needed, delete upstream.
                                            29503 BROWSER-FIREFOX Mozilla Products SVG text content element getCharNumAtPosition use after free attempt <<< Affects Firefox v1.0-5.0.  No longer needed, delete upstream.

                                            DISABLED:34

                                            preprocessor.rules > all except (first_column:second_column details)
                                            119:2 HI_CLIENT_DOUBLE_DECODE
                                            119:4 HI_CLIENT_BARE_BYTE
                                            119:7 HI_CLIENT_IIS_UNICODE
                                            119:14 HI_CLIENT_NON_RFC_CHAR
                                            119:31 HI_CLIENT_UNKNOWN_METHOD
                                            119:32 HI_CLIENT_SIMPLE_REQUEST
                                            119:33 HI_CLIENT_UNESCAPED_SPACE_IN_URI <<< FPs all over the place. Especially fun when it bans a cdn's ip. That's when calls start coming in. Fun!
                                            120:2 HI_SERVER_INVALID_STATCODE
                                            120:3 HI_SERVER_NO_CONTLEN
                                            120:4 HI_SERVER_UTF_NORM_FAIL
                                            120:6 HI_SERVER_DECOMPR_FAILED
                                            120:8 HI_CLISRV_MSG_SIZE_EXCEPTION
                                            120:9 HI_SERVER_JS_OBFUSCATION_EXCD
                                            120:10 HI_SERVER_JS_EXCESS_WS
                                            122:1 PSNG_TCP_PORTSCAN
                                            122:4 PSNG_TCP_DISTRIBUTED_PORTSCAN
                                            122:5 PSNG_TCP_FILTERED_PORTSCAN <<< Fires up on our remote monitoring servers
                                            122:17 PSNG_UDP_PORTSCAN
                                            122:20 PSNG_UDP_DISTRIBUTED_PORTSCAN
                                            124:3 SMTP_RESPONSE_OVERFLOW
                                            124:10 SMTP_B64_DECODING_FAILED
                                            124:11 SMTP_QP_DECODING_FAILED <<< FPs seen coming from normal email sources
                                            125:1 FTPP_FTP_TELNET_CMD
                                            125:2 FTPP_FTP_INVALID_CMD
                                            125:7 FTPP_FTP_ENCRYPTED
                                            125:9 FTPP_FTP_EVASIVE_TELNET_CMD
                                            137:1 SSL_INVALID_CLIENT_HELLO
                                            141:1 IMAP_UNKNOWN_CMD <<< pending upstream update
                                            141:2 IMAP_UNKNOWN_RESP <<< pending upstream update
                                            145:2 DNP3_DROPPED_FRAME
                                            DISABLED>>>30

                                            DO NOT USE! > sensitive-data.rules > NONE enabled

                                            Suppression list:

                                            #GLOBAL

                                            gen_id 1

                                            suppress gen_id 1, sig_id 536
                                            suppress gen_id 1, sig_id 653
                                            suppress gen_id 1, sig_id 2452
                                            suppress gen_id 1, sig_id 11192
                                            suppress gen_id 1, sig_id 15306
                                            suppress gen_id 1, sig_id 16313
                                            suppress gen_id 1, sig_id 17458
                                            suppress gen_id 1, sig_id 20583
                                            suppress gen_id 1, sig_id 2000334
                                            suppress gen_id 1, sig_id 2008120
                                            suppress gen_id 1, sig_id 2010516
                                            suppress gen_id 1, sig_id 20122758
                                            suppress gen_id 1, sig_id 2014518
                                            suppress gen_id 1, sig_id 2014520
                                            suppress gen_id 1, sig_id 2100366
                                            suppress gen_id 1, sig_id 2100368
                                            suppress gen_id 1, sig_id 2100651
                                            suppress gen_id 1, sig_id 2101390
                                            suppress gen_id 1, sig_id 2101424
                                            suppress gen_id 1, sig_id 2102314
                                            suppress gen_id 1, sig_id 2103134
                                            suppress gen_id 1, sig_id 2500056
                                            suppress gen_id 1, sig_id 100000230
                                            suppress gen_id 3, sig_id 14772
                                            #(IMAP) Unknown IMAP4 command
                                            suppress gen_id 141, sig_id 1

                                            pfBlocker extra lists:
                                            TYPE LIST
                                            txt http://www.spamhaus.org/drop/drop.txt
                                            txt http://www.spamhaus.org/drop/edrop.txttxt http://www.spamhaus.org/drop/edrop.txt

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.