HELP APPRECIATED with/for snort + squid3 (transparent http/https)

  • @Nachtfalke:


    I am using the snort pkg v3.2.3 package. I am using this package in a home environment and I would be interested in if snort can inspect the https traffic. I have squid running in transparent mode for http and https and this is working. Or is snort only able to inspect the traffic which is not encrypted?

    Thank you for your feedback!

    Was something I was curious on. I had squid setup with snort as you did.

    Ended up removing squid (for now) as was causing too many issues with "some" sites. I DO love the idea of running the a/v (more than need to cache/proxy) to inspect… but I think that was causing "some" of the problems loading "some" sites. I also liked the "realtime" monitoring of traffic as well. It showed the https pages were being included/monitored by squid.

    It also seems the cert config just didn't seem to like "some" sites :-(.

    I DO have the config and ssl cert (that was created) backed up if I want to tackle/try again in future.

    I never could get the error page that intercepts the eicar test page to trigger in either http or https and add to the "count". Never could get pfsense.localdomain entry to adjust to or alias for some reason. Perhaps there is a bug OR I'm missing something. Help appreciated.

    Currently leaving the a/v and separate malware intercept/programs to each computer vs doubling up and trying to intercept before it reaches anyone. I was hoping for that doubled protection as that was the main purpose for installing squid for me. :-(

    PERHAPS, someone will be able to help me troubleshoot/fix the problems with "some" of the sites as well as the ability to load the default error page (it intercepts/stops eicar test file BUT, with NO default message displayed and thus no logging). It loads and does the "count" if I manually change the pfsense.localdomain part of the address in the displayed intercept url and replace it with the so I'm close. I troubleshooted and tried relentlessly but to no avail.

    Perhaps someone has some answers to the problems mentioned and I can tackle it all again. I need the pages to load.

    BTW for reference, was with latest pfsense library/versions for pfsense, squid & snort.


  • Quick question.

    I noticed in my notes I only bound the interface of Lan and I've since have read that Loopback & Lan "both" should be in that spot.

    Could that be my problem with the Squid "eicar" test not loading the default intercept page (althogh did block)… EVEN WHEN I had tried to alias pfsense.localdomain to the ?

    Wondering out loud. Anyone?

    Guess I could experiment and load the old config file that I was using that had squid in it but looking for some feedback.

Log in to reply