After installing Snort, SquidGuard (Shallalist) not working



  • Hello Guys,

    My environment is pfSense with DNS Forwarder + Squid/SquidGuard + DHCP Relay + VPN + ClamAV, but recently, after installing Snort IDS/IPS, SquidGuard is not filtering sites by list.

    When I go to Squid Proxy Server -> ACLs and put one URL domain on the blacklist, it works.
    When I stop the Snort services, no internet.

    Can someone lend me a hand?



  • What version of pfSense are you running and what version of Snort?

    If running Snort on pfSense-2.5 DEVEL, which mode are you using? Legacy Blocking or Inline IPS?

    Stopping Snort really should have no impact on your Internet connection. Can't see how that's related to the Snort package.

    It's more likely you are having either DNS issues or problems with the VPN setup. VPNs have caused users no end of headaches, especially the ones used for "privacy".

    The first step in any troubleshooting protocol is to investigate one thing at a time. In your case, disable all of the packages and let the system run that way for some period of time (maybe an hour or maybe a day). See if everything runs smoothly.

    Next, enable just one package from your list. See if the problem occurs.

    Then enable the next package and see if the problem occurs.

    Rinse and repeat until you either positively identify the issue or it fails to manifest itself again.



  • bmeeks, thanks for replying to me.

    My Snort version is 3.2.9.9_1, package dependency 2.9.15. I imagine the issue is around PC memory, because it has just 1.5 GB (test PC). Before installing Snort, with all packages (DNS Forwarder + Squid/SquidGuard + DHCP Relay + VPN + ClamAV) everything was right. SquidGuard was working OK, DNS was working well.

    I think Snort works with all packages for one day with 1.5 GB.

    **I just really have a doubt about one thing. I noticed in this meantime that, while everything was working with the Snort package, SquidGuard was not filtering sites by the Shallalist; it looks like the Shallalist was being ignored from the moment Snort was installed.**

    I think it can be a settings compatibility issue between SquidGuard and Snort (something simple; I'm new to pfSense).

    1. I know I must have much more memory in this PC.

    2. Is the case (Snort and SquidGuard compatibility) really the problem?

    Thank you, bmeeks and everyone who can help me in this case.



  • My simple fix was to disable all the pfBlocker GeoIPs and only use DNSBL for blocking social media, with TLD enabled. I use Snort Pro with the pfSense firewall, and I am happy with the security I am getting; all my computers run a good antivirus, all Windows updates are put in as soon as they come out, and I back up everything to NAS and online daily.
    I let all the employees hook up to the guest Wi-Fi so they can listen to Pandora, but I want to be able to use Facebook. Using the DNSBL, my memory usage went from 32% to 45% and everything is working as it should.



  • Running all of that with only 1.5 GB of memory is going to be tight. Especially if you enable a large number of Snort rules. I usually advise folks to have 4 GB or more to run Snort with many rules enabled.

    Do you have RAM Disks enabled? I hope not with the small amount of memory you listed. But even if you had 16 GB of memory, I still don't recommend using RAM Disks with either Snort or Suricata. If you don't make the /tmp directory large enough, you will have issues during updates.

    Do you have Snort enabled in blocking mode? If so, check to see what alerts and blocks you may be receiving and evaluate them to see if they are false positives. If you are new to using Snort, I recommend that you do not enable blocking mode initially. Instead, run in non-blocking mode for at least one week and maybe even an entire month to get a feel for the types of traffic your network sees and the Snort alerts that result. You can then make decisions to fine-tune your rule set. Only after that is done should you enable blocking mode.

    And can you be a bit more specific by what you mean when you say "When i stop snort services, no internet.". Does that mean you have no connection at all and can't even ping an IP address, or does that mean domain name lookups (DNS resolution) fails?

    For example, when you say the Internet fails have you tried to see if this command works?

    ping 8.8.8.8
    

    If that command works and you can ping Google's server by IP, then try this command.

    ping google.com
    

    If that one fails but the first one succeeds, then you have a DNS resolution issue.



  • Hello bmeeks and everybody,

    Thanks so much for your patience in replying to me.

    My settings for Snort are:

    [attached screenshots: wan_categories1.jpg through wan_categories7.jpg, bl_off_snort.jpg]

    When you talk about... "Do you have Snort enabled in blocking mode?", are you talking about whether "Blocking Offenders" is checked? Yes!

    The internet works if Snort and the other packages:

    My settings for Squid are:

    [attached screenshot: proxy_squid.jpg]

    When I put any domain on the Squid proxy blacklist:

    [attached screenshot: blacklist1.jpg]

    the websites are blocked by Squid (not SquidGuard):

    [attached screenshot: ign_bloqueado.jpg]

    Without the blacklist on Squid:

    [attached screenshots: blacklist_off.jpg, ign_desbloqueado.jpg]

    The real issue is SquidGuard not working:

    [attached screenshots: squidguard_go_acl2.jpg, squidguard_go_acl.jpg, squidguard_common_acl.jpg, SquidGuard Filter Enable.jpg]

    As you can see, everything is enabled in SquidGuard, and the blocklist (Shallalist) is OK. But it looks like SquidGuard is being ignored after the Snort installation.

    All services are running:

    [attached screenshot: services_running.jpg]

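Two checks from this thread lend themselves to a script: the "ping by IP, then by name" test bmeeks suggests for telling a DNS failure from a dead connection, and the symptom the original poster describes, where Squid's own ACL blacklist blocks sites but SquidGuard's Shallalist is ignored. SquidGuard only sees requests if Squid is configured to pass every URL to it through the `url_rewrite_program` hook, so a missing or commented-out hook line produces exactly that symptom. The script below is an added example written for this page, not code from the thread or from the pfSense packages; the config paths are the usual package defaults and are assumptions, and the sample squid.conf lines used in the self-test are constructed.

```shell
#!/bin/sh
# Added example (not from the original thread): scriptable versions of the
# connectivity and SquidGuard wiring checks, for a pfSense/FreeBSD shell.
# Paths are assumed package defaults; override via the environment if needed.
SQUID_CONF="${SQUID_CONF:-/usr/local/etc/squid/squid.conf}"
SG_CONF="${SG_CONF:-/usr/local/etc/squidGuard/squidGuard.conf}"

# Turn two ping results (1 = reply received, 0 = no reply) into a verdict:
#   ok   - both work
#   dns  - the IP answers but the name does not: DNS resolution is broken
#   down - not even the raw IP answers: routing/NAT/firewall rules, not DNS
classify_connectivity() {
    ip_ok=$1; name_ok=$2
    if [ "$ip_ok" = 1 ] && [ "$name_ok" = 1 ]; then
        echo ok
    elif [ "$ip_ok" = 1 ]; then
        echo dns
    else
        echo down
    fi
}

# Live version of the check: ping Google's resolver by IP, then by name.
# FreeBSD ping syntax: -c count, -t per-ping timeout in seconds.
net_check() {
    if ping -c 1 -t 3 8.8.8.8 >/dev/null 2>&1; then ip_ok=1; else ip_ok=0; fi
    if ping -c 1 -t 3 google.com >/dev/null 2>&1; then name_ok=1; else name_ok=0; fi
    classify_connectivity "$ip_ok" "$name_ok"
}

# SquidGuard filters only if Squid hands it every URL via url_rewrite_program.
# Squid's own ACL blacklist works without that hook, which is why a Squid
# blacklist entry can block a site while the Shallalist does nothing.
# Prints "hooked" when an active (uncommented) hook line names squidGuard,
# "missing" otherwise.
squidguard_hook_status() {
    conf=$1
    if grep -Eq '^[[:space:]]*url_rewrite_program[[:space:]]+.*squidGuard' "$conf"; then
        echo hooked
    else
        echo missing
    fi
}

# Ask squidGuard directly what it would do with a URL, bypassing Squid.
# The redirector protocol is one "URL client-ip/fqdn ident method" line per
# request on stdin; squidGuard answers with a redirect URL for a blocked
# request or an empty line for an allowed one. 192.0.2.10 is a placeholder
# client address from the documentation range.
squidguard_verdict() {
    url=$1
    out=$(printf '%s 192.0.2.10/- - GET\n' "$url" | squidGuard -c "$SG_CONF")
    if [ -n "$out" ]; then echo "blocked -> $out"; else echo allowed; fi
}

# Usage on the firewall (these lines are not run by the self-test):
#   net_check
#   squidguard_hook_status "$SQUID_CONF"
#   squidguard_verdict http://example.com/
```

If `squidguard_hook_status` reports `missing`, the SquidGuard package has not written its hook into Squid's configuration, which on pfSense normally happens when the service is enabled and Apply is clicked in the SquidGuard General settings. If the hook is present but `squidguard_verdict` answers `allowed` for a URL that is clearly in a blocked Shallalist category, check squidGuard.log: when squidGuard cannot read its configuration or the blacklist database files, it falls into emergency mode and passes every request through, which looks exactly like the filter being ignored.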


  • Sorry, but I can't help you with Squid or SquidGuard. Never used either package on pfSense.

    Your Snort rules look OK, but you might be a little tight on memory.

