Netgate Discussion Forum
    Snort 2.9.2.3 pkg v. 2.5.0 Issues

      Supermule Banned

      Whitelist in Snort… you create an alias and use that as whitelist. IP addresses listed in this don't get respected if on the WAN side. Local servers are fine, but external IP doesn't get whitelisted.

        Supermule Banned

        Nope…

        @ermal:

        I fixed the missing file issue by just adding the checks.

        Supermule you can already sort afaik in the gui by clicking on the headers, no?

          bmeeks

          @ermal:

          I fixed the missing file issue by just adding the checks.

          Supermule you can already sort afaik in the gui by clicking on the headers, no?

          Hi Ermal:

          By my count, there were four places in the code where this potential issue existed.  Three in snort.inc, and one in snort_check_for_rule_updates.php.  They are in the following functions:

          snort_build_sid_msg_map()
          snort_load_rules_map()
          snort_generate_conf()
          snort_apply_customizations()

          Bill

            iFloris

            Have been following this closely & This is awesome. Thanks bmeeks!

            one layer of information
            removed

              bmeeks

              @iFloris:

              Have been following this closely & This is awesome. Thanks bmeeks!

              No problem.  Enjoyed tinkering with the code and trying to make Snort work even better.

              I submitted a small batch of changes last evening that Ermal and team merged to fix the remaining glitches with the missing files warning messages, and to make sure that flowbit rules get included (if enabled) during the initial Rules Update after a re-install or a fresh install.  These last fixes should make the package 100% functional.  Please post if any other bugs show up.

              There are some outstanding to-do features/improvements on my list.  Supermule and others have posted some of them in this thread such as some problems with external IP whitelisting surviving reboots, column sorting, etc.  A move to the Snort 2.9.4.x binary is needed as well, but I have some more to learn about how binary packages are built and tested with the pfSense platform.

              Bill

                Supermule Banned

                No problems Bill!

                I think you should work closely with Ermal to get this going asap! Combine talents :)

                  kilthro

                  I grabbed the update and prior to the update I had no issues. After this update and reloading rules I am getting this error when I try to start snort.

                  Jan 24 10:23:46 snort[24008]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"
                  Jan 24 10:23:46 snort[24008]: FATAL ERROR: Failed to load /usr/local/lib/snort/dynamicrules/bad-traffic.so: /usr/local/lib/snort/dynamicrules/bad-traffic.so: Undefined symbol "freeRuleData"

                  Not sure why this is appearing now. Any ideas?

                    kilthro

                    I ended up uninstalling the package and searching for all snort related items and deleting them. I set it up fresh and all seems to be working ok now.. Not sure what was going on.

                      Supermule Banned

                      It seems that the reinstall is broken somehow, but a fresh install works.

                      It's almost worse than Windows :D

                        bmeeks

                        @kilthro:

                        I ended up uninstalling the package and searching for all snort related items and deleting them. I set it up fresh and all seems to be working ok now.. Not sure what was going on.

                        Yes, this is a partially documented problem.  I say "partially" because there is some mention of it in some previous threads here on the forum from the summer of 2012.

                        It seems to be a problem with the package manager tools used to install, un-install and re-install packages.  During a re-install of an existing package, some symbolic links or something don't get properly cleaned up.  I'm not sure about the details.  Others more cognizant of the inner workings of FreeBSD have explained it better.

                        The workaround is to always do an uninstall of a package, and then install it again so it is the same as a fresh install.  That works.

                          RonpfS

                          Maybe update the package Description "Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection. "
                          to mention  not to re-install ;)

                          2.4.5-RELEASE-p1 (amd64)
                          Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                          Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                            bmeeks

                            @RonpfS:

                            Maybe update the package Description "Snort is an open source network intrusion prevention and detection system (IDS/IPS). Combining the benefits of signature, protocol, and anomaly-based inspection. "
                            to mention  not to re-install ;)

                            Would be better, in my opinion, if the re-install just worked correctly. I'm no BSD guru, but I will take a look and see if maybe the Snort uninstall code is doing something weird to hose itself on the subsequent re-install.  No promises on this one, though.  I'm definitely a newb with FreeBSD deep down under-the-hood magic.

                              Supermule Banned

                              Is it possible when you release an IP in the "Alerts" section, then it's added to a whitelist?

                              The "Blocked" list can be added without alias and it would be nice to have a simple list there instead of creating a very long alias list….

                                bmeeks

                                @Supermule:

                                Is it possible when you release an IP in the "Alerts" section, then it's added to a whitelist?

                                Are you talking about clicking the little "+" icon that adds the GID:SID to the Suppression List, or what do you mean by "release an IP"?  Perhaps an example will help me understand this question better.

                                @Supermule:

                                The "Blocked" list can be added without alias and it would be nice to have a simple list there instead of creating a very long alias list….

                                I think you're asking here to be able to directly add an IP address instead of having to jump through the hoops of creating an alias under the Firewall tab.  Is this correct?  If yes, then I believe this can be easily accomplished.

                                Bill

                                  Supermule Banned

                                  This is the Alerts tab…

                                  Clicking and releasing the source IP of an alert automatically adds it to a whitelist.

                                  ![alerts_whitelist IP.jpg](/public/imported_attachments/1/alerts_whitelist IP.jpg)

                                    Supermule Banned

                                    This is the Suppress tab.

                                    A lot easier to add entries as IP's here than adding an alias.

                                    So could the alias list become the same "look" as the suppress tab?

                                    Would make the entry a lot easier.

                                    suppress.jpg

                                      Supermule Banned

                                      So in short, clicking the "release" icon in alerts tab, insert it in the suppress page with SID and SRC IP.

                                        bmeeks

                                        @Supermule:

                                        So in short, clicking the "release" icon in alerts tab, insert it in the suppress page with SID and SRC IP.

                                        I understand now.  Thanks for the explanation and screen shots.  I will add it to my list of stuff.

                                        By the way, I have the RULES tab scrolling issue solved you asked about, but I'm not 100% happy with the result.  I will wait and collect up a batch of improvements before posting another Pull Request for Ermal, but I have this working in my testing box.  After clicking the icon to enable or disable a SID, when the page returns, it scrolls the last clicked SID to the top of the page.  The ugly part is, for now, it's scrolling the headers and other stuff above the list of rules up out of view.  I have some ideas to make that prettier, if I can get the JavaScript working for me.

                                          Supermule Banned

                                          All right! Let me know if I shall test something!

                                            RonpfS

                                            Once again Snort blocked the renewed WAN IP while it was restarting.

                                            The block happened at 2013-01-26 00:52:58

                                            So fxp0 goes DOWN, and UP.
                                            Snort starts.
                                            A new IP is acquired before snort finishes. At some point the WAN IP is triggering a block
                                            Have to go to Web Interface to remove the block.

                                            Probably in real life, the WAN IP being blocked would trigger a WAN IP down and a reconnect after a while so things might fall back to normal without user intervention.

                                            
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: authorization failed
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: parameter negotiation failed
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Opened --> Stopping
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendTerminateReq #33
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerDown
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] rec'd proto PAP during terminate phase
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Terminate Request #16 (Stopping)
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendTerminateAck #34
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Terminate Ack #33 (Stopping)
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopping --> Stopped
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerFinish
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection closed
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopped --> Starting
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerStart
                                            2013-01-26 00:48:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 5 in 1 seconds
                                            2013-01-26 00:48:54	Local0.Info	172.24.42.254	pf: 00:00:13.500188 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19195, offset 0, flags [DF], proto TCP (6), length 40)
                                            2013-01-26 00:48:54	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 85.159.232.71.16559: Flags [R.], cksum 0xdbf7 (correct), seq 4, ack 1, win 0, length 0
                                            2013-01-26 00:48:54	Local0.Info	172.24.42.254	pf: 00:00:00.711106 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19199, offset 0, flags [DF], proto TCP (6), length 1462)
                                            2013-01-26 00:48:54	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 50.21.136.80.57268: Flags [P.], ack 1, win 64282, length 1422
                                            2013-01-26 00:48:55	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 5
                                            2013-01-26 00:48:55	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
                                            2013-01-26 00:48:58	Local0.Info	172.24.42.254	pf: 00:00:03.656082 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19224, offset 0, flags [DF], proto TCP (6), length 40)
                                            2013-01-26 00:48:58	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 69.200.231.126.54005: Flags [R.], cksum 0x6dcd (correct), seq 4, ack 1, win 0, length 0
                                            2013-01-26 00:49:04	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
                                            2013-01-26 00:49:04	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
                                            2013-01-26 00:49:04	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
                                            2013-01-26 00:49:04	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 6 in 4 seconds
                                            2013-01-26 00:49:05	Local0.Info	172.24.42.254	pf: 00:00:07.367220 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19321, offset 0, flags [DF], proto TCP (6), length 40)
                                            2013-01-26 00:49:05	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 175.136.38.76.57162: Flags [R.], cksum 0xde42 (correct), seq 4, ack 1, win 0, length 0
                                            2013-01-26 00:49:06	Local0.Info	172.24.42.254	pf: 00:00:00.414099 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19327, offset 0, flags [DF], proto TCP (6), length 58)
                                            2013-01-26 00:49:06	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 182.53.13.45.47411: Flags [P.], cksum 0x4716 (correct), ack 1, win 258, length 18
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 6
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection successful
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: UP event
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Up event
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Starting --> Req-Sent
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #35
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:49:08	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 508b1152
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #119 (Req-Sent)
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 7e193a28
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #119
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 7e193a28
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #35 (Ack-Sent)
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 508b1152
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
                                            2013-01-26 00:49:09	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
                                            2013-01-26 00:49:09	Local0.Info	172.24.42.254	pf: 00:00:03.593613 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19353, offset 0, flags [DF], proto TCP (6), length 40)
                                            2013-01-26 00:49:09	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 46.116.44.44.63832: Flags [R.], cksum 0x00e4 (correct), seq 4, ack 1, win 0, length 0
                                            2013-01-26 00:49:11	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:49:11	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #2 len: 31
                                            2013-01-26 00:49:13	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:49:13	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #3 len: 31
                                            2013-01-26 00:49:13	Local0.Info	172.24.42.254	pf: 00:00:03.614018 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 11881, offset 0, flags [DF], proto TCP (6), length 40)
                                            2013-01-26 00:49:13	Local0.Info	172.24.42.254	pf:     172.24.48.84.58311 > 199.16.156.104.80: Flags [R.], cksum 0x87e3 (correct), seq 1, ack 1, win 0, length 0
                                            2013-01-26 00:49:15	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:49:15	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #4 len: 31
                                            2013-01-26 00:49:17	Auth.Emerg	172.24.42.254	php: /index.php: Successful webConfigurator login for user 'admin' from 172.24.48.84
                                            2013-01-26 00:49:17	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:49:17	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #5 len: 31
                                            2013-01-26 00:49:27	Local0.Info	172.24.42.254	pf: 00:00:14.515424 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19543, offset 0, flags [DF], proto TCP (6), length 40)
                                            2013-01-26 00:49:27	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 182.53.13.45.47411: Flags [F.], cksum 0x6825 (correct), seq 18, ack 1, win 258, length 0
                                            2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: Multi-link PPP daemon for FreeBSD
                                            2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp:
                                            2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: process 15018 started, version 5.5 (root@FreeBSD_8.0_pfSense_2.0-snaps.pfsense.org 10:25 12-Oct-2011)
                                            2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: waiting for process 318 to die...
                                            2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: caught fatal signal term
                                            2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: [wan] IFACE: Close event
                                            2013-01-26 00:49:29	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Close event
                                            2013-01-26 00:49:31	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: Shutdown
                                            2013-01-26 00:49:31	Daemon.Notice	172.24.42.254	snort[20356]: Can't acquire (-1) - The interface went down!
                                            2013-01-26 00:49:31	Kernel.Info	172.24.42.254	kernel: pppoe1: promiscuous mode disabled
                                            2013-01-26 00:49:31	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Shutdown
                                            2013-01-26 00:49:31	Daemon.Info	172.24.42.254	ppp: process 318 terminated
                                            2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: last message repeated 2 times
                                            2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: web: web is not running
                                            2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: Interface ng0 created
                                            2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: OPEN event
                                            2013-01-26 00:49:32	Kernel.Info	172.24.42.254	kernel: ng0: changing name to 'pppoe1'
                                            2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Open event
                                            2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Initial --> Starting
                                            2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerStart
                                            2013-01-26 00:49:32	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
                                            2013-01-26 00:49:32	Daemon.Notice	172.24.42.254	snort[20356]: ===============================================================================
                                            2013-01-26 00:49:32	Daemon.Notice	172.24.42.254	snort[20356]: Packet I/O Totals:
                                            
                                            ...
                                            
                                            2013-01-26 00:49:33	Daemon.Notice	172.24.42.254	snort[20356]: Snort exiting
                                            2013-01-26 00:49:41	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
                                            2013-01-26 00:49:41	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
                                            2013-01-26 00:49:41	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
                                            2013-01-26 00:49:41	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 1 in 3 seconds
                                            2013-01-26 00:49:44	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 1
                                            2013-01-26 00:49:44	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
                                            ...
                                            
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection successful
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: UP event
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Up event
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Starting --> Req-Sent
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #1
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM b58c9236
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #49 (Req-Sent)
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 0938ff39
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #49
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 0938ff39
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #1 (Ack-Sent)
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM b58c9236
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
                                            2013-01-26 00:49:50	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
                                            2013-01-26 00:49:52	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:49:52	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #2 len: 31
                                            2013-01-26 00:49:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:49:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #3 len: 31
                                            2013-01-26 00:49:54	Local0.Info	172.24.42.254	pf: 00:00:26.839787 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19860, offset 0, flags [DF], proto TCP (6), length 1462)
                                            2013-01-26 00:49:54	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 50.21.136.80.57268: Flags [P.], ack 1, win 64282, length 1422
                                            2013-01-26 00:49:56	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:49:56	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #4 len: 31
                                            2013-01-26 00:49:58	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:49:58	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #5 len: 31
                                            2013-01-26 00:50:00	Cron.Info	172.24.42.254	/usr/sbin/cron[60577]: (root) CMD (/usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc)
                                            2013-01-26 00:50:06	Local0.Info	172.24.42.254	pf: 00:00:11.449275 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 19990, offset 0, flags [DF], proto TCP (6), length 58)
                                            2013-01-26 00:50:06	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 182.53.13.45.47411: Flags [FP.], cksum 0x4715 (correct), seq 0:18, ack 1, win 258, length 18
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: authorization timer expired
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: authorization failed
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: parameter negotiation failed
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Opened --> Stopping
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendTerminateReq #2
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerDown
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Terminate Ack #2 (Stopping)
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopping --> Stopped
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerFinish
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection closed
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopped --> Starting
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerStart
                                            2013-01-26 00:50:30	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 2 in 4 seconds
                                            2013-01-26 00:50:34	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 2
                                            2013-01-26 00:50:34	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
                                            2013-01-26 00:50:43	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
                                            2013-01-26 00:50:43	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
                                            2013-01-26 00:50:43	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
                                            2013-01-26 00:50:43	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 3 in 1 seconds
                                            2013-01-26 00:50:44	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 3
                                            2013-01-26 00:50:44	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
                                            2013-01-26 00:50:53	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
                                            2013-01-26 00:50:53	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
                                            2013-01-26 00:50:53	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
                                            2013-01-26 00:50:53	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 4 in 1 seconds
                                            2013-01-26 00:50:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 4
                                            2013-01-26 00:50:54	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
                                            2013-01-26 00:51:03	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
                                            2013-01-26 00:51:03	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
                                            2013-01-26 00:51:03	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
                                            2013-01-26 00:51:03	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 5 in 2 seconds
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 5
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection successful
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: UP event
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Up event
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Starting --> Req-Sent
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #3
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:51:05	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 5baa10da
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #124 (Req-Sent)
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 547556ca
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #124
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 547556ca
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #3 (Ack-Sent)
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 5baa10da
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #1 (Opened)
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1462
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 547556ca
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerDown
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #4
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 5baa10da
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #1
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1462
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 547556ca
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Opened --> Ack-Sent
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #4 (Ack-Sent)
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 5baa10da
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: rec'd ACK #1 len: 5
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: authorization successful
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Matched action 'bundle "wan" ""'
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Join bundle "wan"
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Open event
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Initial --> Starting
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerStart
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Up event
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Starting --> Req-Sent
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #1
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 0.0.0.0
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 0.0.0.0
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 0.0.0.0
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Request #0 (Req-Sent)
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 10.249.0.3
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]     10.249.0.3 is OK
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigAck #0
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 10.249.0.3
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Reject #1 (Ack-Sent)
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #2
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 0.0.0.0
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 0.0.0.0
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 0.0.0.0
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Nak #2 (Ack-Sent)
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 50.21.131.246
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]     50.21.131.246 is OK
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.249.0.3
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #3
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 50.21.131.246
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.249.0.3
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Ack #3 (Ack-Sent)
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 50.21.131.246
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.249.0.3
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Ack-Sent --> Opened
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerUp
                                            2013-01-26 00:51:06	Daemon.Info	172.24.42.254	ppp: [wan]   50.21.131.246 -> 10.249.0.3
                                            2013-01-26 00:51:07	Local0.Info	172.24.42.254	pf: 00:01:00.004327 rule 2/0(match): block out on lo0: (tos 0x0, ttl 127, id 20475, offset 0, flags [DF], proto TCP (6), length 40)
                                            2013-01-26 00:51:07	Local0.Info	172.24.42.254	pf:     172.24.48.32.18447 > 182.53.13.45.47411: Flags [R.], cksum 0x6923 (correct), seq 19, ack 1, win 0, length 0
                                            2013-01-26 00:51:07	User.Notice	172.24.42.254	check_reload_status: Rewriting resolv.conf
                                            2013-01-26 00:51:08	User.Notice	172.24.42.254	check_reload_status: rc.newwanip starting pppoe1
                                            2013-01-26 00:51:08	Daemon.Info	172.24.42.254	ppp: [wan] IFACE: Up event
                                            2013-01-26 00:51:13	User.Warning	172.24.42.254	php: : rc.newwanip: Informational is starting pppoe1.
                                            2013-01-26 00:51:13	User.Warning	172.24.42.254	php: : rc.newwanip: on (IP address: 50.21.131.246) (interface: wan) (real interface: pppoe1).
                                            2013-01-26 00:51:13	User.Warning	172.24.42.254	php: : ROUTING: setting default route to 10.249.0.3
                                            2013-01-26 00:51:13	User.Error	172.24.42.254	apinger: Exiting on signal 15.
                                            2013-01-26 00:51:13	Daemon.Info	172.24.42.254	dnsmasq[63143]: reading /etc/resolv.conf
                                            2013-01-26 00:51:13	Daemon.Info	172.24.42.254	dnsmasq[63143]: using nameserver 24.226.147.201#53
                                            2013-01-26 00:51:13	Daemon.Info	172.24.42.254	dnsmasq[63143]: using nameserver 10.249.0.3#53
                                            2013-01-26 00:51:13	Daemon.Warning	172.24.42.254	dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface
                                            2013-01-26 00:51:13	User.Notice	172.24.42.254	check_reload_status: Linkup starting fxp0
                                            2013-01-26 00:51:13	Kernel.Notice	172.24.42.254	kernel: fxp0: link state changed to DOWN
                                            2013-01-26 00:51:14	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                            2013-01-26 00:51:14	User.Error	172.24.42.254	apinger: Starting Alarm Pinger, apinger(34208)
                                            2013-01-26 00:51:19	User.Warning	172.24.42.254	php: : Resyncing OpenVPN instances for interface WAN.
                                            2013-01-26 00:51:19	User.Warning	172.24.42.254	php: : Creating rrd update script
                                            2013-01-26 00:51:20	Daemon.Info	172.24.42.254	ntpd[21789]: Terminating
                                            2013-01-26 00:51:20	User.Warning	172.24.42.254	php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 20534: No such process'
                                            2013-01-26 00:51:24	User.Error	172.24.42.254	apinger: ALARM: WAN(10.249.0.3)  *** down ***
                                            2013-01-26 00:51:34	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                            2013-01-26 00:51:35	User.Warning	172.24.42.254	php: : OpenNTPD is starting up.
                                            2013-01-26 00:51:35	User.Warning	172.24.42.254	php: : pfSense package system has detected an ip change 50.21.133.25 ->   ... Restarting packages.
                                            2013-01-26 00:51:35	User.Notice	172.24.42.254	check_reload_status: Starting packages
                                            2013-01-26 00:51:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: no reply to 1 echo request(s)
                                            2013-01-26 00:51:40	User.Warning	172.24.42.254	php: : Restarting/Starting all packages.
                                            2013-01-26 00:51:48	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: no reply to 2 echo request(s)
                                            2013-01-26 00:51:50	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
                                            2013-01-26 00:51:50	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                            2013-01-26 00:51:50	User.Warning	172.24.42.254	php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
                                            2013-01-26 00:51:51	User.Notice	172.24.42.254	check_reload_status: Syncing firewall
                                            2013-01-26 00:51:51	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                            2013-01-26 00:51:51	User.Warning	172.24.42.254	php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
                                            2013-01-26 00:51:51	User.Warning	172.24.42.254	php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
                                            2013-01-26 00:51:51	User.Notice	172.24.42.254	check_reload_status: Linkup starting fxp0
                                            2013-01-26 00:51:51	Kernel.Notice	172.24.42.254	kernel: fxp0: link state changed to UP
                                            2013-01-26 00:51:52	User.Warning	172.24.42.254	php: : [pfblocker] pfblocker_xmlrpc_sync.php is starting.
                                            2013-01-26 00:51:58	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: no reply to 3 echo request(s)
                                            2013-01-26 00:52:07	Daemon.Info	172.24.42.254	SnortStartup[27729]: Snort STOP For Wan Snort(18203_pppoe1)...
                                            2013-01-26 00:52:08	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: no reply to 4 echo request(s)
                                            2013-01-26 00:52:09	Daemon.Info	172.24.42.254	SnortStartup[29350]: Snort STOP For Lan(53096_bridge0)...
                                            2013-01-26 00:52:09	Cron.Info	172.24.42.254	/usr/sbin/cron[30517]: (CRON) DEATH (cron already running, pid: 35579)
                                            2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]: Found pid path directive (/var/run)
                                            2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]: Running in IDS mode
                                            2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]:
                                            2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]:         --== Initializing Snort ==--
                                            2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]: Initializing Output Plugins!
                                            2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]: Initializing Preprocessors!
                                            2013-01-26 00:52:09	Daemon.Notice	172.24.42.254	snort[31229]: Initializing Plug-ins!
                                            
                                            ...
                                            
                                            2013-01-26 00:52:10	Daemon.Notice	172.24.42.254	snort[31229]:       Gzip Decompress Depth: 65535
                                            2013-01-26 00:52:10	Daemon.Error	172.24.42.254	snort[21578]: *** Caught Term-Signal
                                            2013-01-26 00:52:10	Daemon.Notice	172.24.42.254	snort[31229]:     DEFAULT SERVER CONFIG:
                                            2013-01-26 00:52:10	Kernel.Info	172.24.42.254	kernel: bridge0: promiscuous mode disabled
                                            2013-01-26 00:52:10	Daemon.Notice	172.24.42.254	snort[31229]:       Server profile: All
                                            2013-01-26 00:52:10	Daemon.Notice	172.24.42.254	snort[31229]:       Ports (PAF): 80 901 3128 8080 9000
                                            2013-01-26 00:52:10	Daemon.Notice	172.24.42.254	snort[31229]:       Server Flow Depth: 300
                                            
                                            ...
                                            
                                            2013-01-26 00:52:11	Daemon.Notice	172.24.42.254	snort[21578]:         Server seg reassembled: 0
                                            2013-01-26 00:52:11	Daemon.Notice	172.24.42.254	snort[21578]: ===============================================================================
                                            2013-01-26 00:52:11	Daemon.Error	172.24.42.254	snort[21578]: Could not remove pid file /var/run/snort_bridge053096.pid: No such file or directory
                                            2013-01-26 00:52:11	Daemon.Notice	172.24.42.254	snort[21578]: Snort exiting
                                            2013-01-26 00:52:14	User.Error	172.24.42.254	apinger: Error while feeding rrdtool: Broken pipe
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: no reply to 5 echo request(s)
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: peer not responding to echo requests
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Opened --> Stopping
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Leave bundle "wan"
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: Status update: up 0 links, total bandwidth 9600 bps
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Close event
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Opened --> Closing
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendTerminateReq #4
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerDown
                                            2013-01-26 00:52:18	User.Notice	172.24.42.254	ppp-linkdown: Removing states from 50.21.131.246/32
                                            2013-01-26 00:52:18	User.Notice	172.24.42.254	ppp-linkdown: Removing states to 10.249.0.3
                                            2013-01-26 00:52:18	User.Notice	172.24.42.254	check_reload_status: Rewriting resolv.conf
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IFACE: Down event
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Down event
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerFinish
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: No NCPs left. Closing links...
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Closing --> Initial
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendTerminateReq #5
                                            2013-01-26 00:52:18	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerDown
                                            2013-01-26 00:52:20	User.Notice	172.24.42.254	check_reload_status: Linkup starting fxp0
                                            
                                            2013-01-26 00:52:20	Kernel.Notice	172.24.42.254	kernel: fxp0: link state changed to DOWN
                                            2013-01-26 00:52:20	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendTerminateReq #6
                                            2013-01-26 00:52:21	User.Notice	172.24.42.254	check_reload_status: Linkup starting fxp0
                                            2013-01-26 00:52:21	Kernel.Notice	172.24.42.254	kernel: fxp0: link state changed to UP
                                            
                                            2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopping --> Stopped
                                            2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerFinish
                                            2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection closed
                                            2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
                                            2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
                                            2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Stopped --> Starting
                                            2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerStart
                                            2013-01-26 00:52:22	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 1 in 2 seconds
                                            2013-01-26 00:52:24	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 1
                                            2013-01-26 00:52:24	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
                                            2013-01-26 00:52:26	Daemon.Info	172.24.42.254	dnsmasq[63143]: reading /etc/resolv.conf
                                            2013-01-26 00:52:26	Daemon.Warning	172.24.42.254	dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface
                                            2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]: 12108 Snort rules read
                                            2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]:     11703 detection rules
                                            2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]:     142 decoder rules
                                            2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]:     263 preprocessor rules
                                            2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]: 12108 Option Chains linked into 1615 Chain Headers
                                            2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]: 0 Dynamic rules
                                            2013-01-26 00:52:26	Daemon.Notice	172.24.42.254	snort[31229]: +++++++++++++++++++++++++++++++++++++++++++++++++++
                                            
                                            ...
                                            
                                            2013-01-26 00:52:29	Daemon.Notice	172.24.42.254	snort[31229]: WARNING: flowbits key 'ET.MSSQL' is checked but not ever set.
                                            2013-01-26 00:52:29	Daemon.Notice	172.24.42.254	snort[31229]: WARNING: flowbits key 'file.cws' is checked but not ever set.
                                            2013-01-26 00:52:29	Daemon.Notice	172.24.42.254	snort[31229]: 110 out of 1024 flowbits in use.
                                            2013-01-26 00:52:33	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE connection timeout after 9 seconds
                                            2013-01-26 00:52:33	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: DOWN event
                                            2013-01-26 00:52:33	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Down event
                                            2013-01-26 00:52:33	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 2 in 2 seconds
                                            2013-01-26 00:52:35	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: reconnection attempt 2
                                            2013-01-26 00:52:35	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: Connecting to ''
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]:
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: [ Port Based Pattern Matching Memory ]
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: +-[AC-BNFA Search Info Summary]------------------------------
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Instances        : 638
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Patterns         : 58364
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Pattern Chars    : 678018
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Num States       : 461596
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Num Match States : 51355
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: | Memory           :   10.77Mbytes
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: |   Patterns       :   1.98M
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: |   Match Lists    :   2.79M
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: |   Transitions    :   5.84M
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: +-------------------------------------------------
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: [ Number of patterns truncated to 20 bytes: 8688 ]
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: [ Number of null byte prefixed patterns trimmed: 4422 ]
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: pcap DAQ configured to passive.
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: The DAQ version does not support reload.
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: Acquiring network traffic from "pppoe1".
                                            2013-01-26 00:52:35	Daemon.Notice	172.24.42.254	snort[31229]: Initializing daemon mode
                                            2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Daemon initialized, signaled parent pid: 31229
                                            2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Reload thread starting...
                                            2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Reload thread started, thread 0x3d39a040 (1448)
                                            2013-01-26 00:52:36	Daemon.Info	172.24.42.254	SnortStartup[1617]: Snort START For Wan Snort(18203_pppoe1)...
                                            2013-01-26 00:52:36	Kernel.Info	172.24.42.254	kernel: pppoe1: promiscuous mode enabled
                                            2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Decoding LoopBack
                                            2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Checking PID path...
                                            2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: PID path stat checked out ok, PID path set to /var/run
                                            2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Writing PID "1448" to file "/var/run/snort_pppoe118203.pid"
                                            2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]:
                                            2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]:         --== Initialization Complete ==--
                                            2013-01-26 00:52:36	Daemon.Notice	172.24.42.254	snort[1448]: Commencing packet processing (pid=1448)
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: PPPoE: rec'd ACNAME "bas10-montreal02"
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] PPPoE: connection successful
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: UP event
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: Up event
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Starting --> Req-Sent
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #7
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM d3681604
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #77 (Req-Sent)
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 6bcdb8c1
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #77
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 6bcdb8c1
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Req-Sent --> Ack-Sent
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #7 (Ack-Sent)
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM d3681604
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
                                            2013-01-26 00:52:37	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
                                            2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Found pid path directive (/var/run)
                                            2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Running in IDS mode
                                            2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]:
                                            2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]:         --== Initializing Snort ==--
                                            2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Initializing Output Plugins!
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Request #1 (Opened)
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1462
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 6bcdb8c1
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerDown
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigReq #8
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM d3681604
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: SendConfigAck #1
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1462
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   AUTHPROTO PAP
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM 6bcdb8c1
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Opened --> Ack-Sent
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: rec'd Configure Ack #8 (Ack-Sent)
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   PROTOCOMP
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MRU 1492
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0]   MAGICNUM d3681604
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: state change Ack-Sent --> Opened
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: auth: peer wants PAP, I want nothing
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: using authname "blablabla"
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: sending REQUEST #1 len: 31
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: LayerUp
                                            2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Initializing Preprocessors!
                                            2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Initializing Plug-ins!
                                            2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: Parsing Rules file "/usr/local/etc/snort/snort_53096_bridge0/snort.conf"
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] PAP: rec'd ACK #1 len: 5
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] LCP: authorization successful
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Matched action 'bundle "wan" ""'
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan_link0] Link: Join bundle "wan"
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] Bundle: Status update: up 1 link, total bandwidth 64000 bps
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Open event
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Initial --> Starting
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerStart
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: Up event
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Starting --> Req-Sent
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #5
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 0.0.0.0
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 0.0.0.0
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 0.0.0.0
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Request #11 (Req-Sent)
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 10.248.0.9
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]     10.248.0.9 is OK
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigAck #11
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 10.248.0.9
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Req-Sent --> Ack-Sent
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Reject #5 (Ack-Sent)
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   COMPPROTO VJCOMP, 16 comp. channels, no comp-cid
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #6
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 0.0.0.0
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 0.0.0.0
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 0.0.0.0
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Nak #6 (Ack-Sent)
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 96.43.239.155
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]     96.43.239.155 is OK
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.248.0.9
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: SendConfigReq #7
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 96.43.239.155
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.248.0.9
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: rec'd Configure Ack #7 (Ack-Sent)
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   IPADDR 96.43.239.155
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   PRIDNS 10.248.0.9
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   SECDNS 24.226.147.201
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: state change Ack-Sent --> Opened
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan] IPCP: LayerUp
                                            2013-01-26 00:52:38	Daemon.Info	172.24.42.254	ppp: [wan]   96.43.239.155 -> 10.248.0.9
                                            2013-01-26 00:52:38	User.Notice	172.24.42.254	check_reload_status: Rewriting resolv.conf
                                            2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]: PortVar 'DNS_PORTS' defined :
                                            2013-01-26 00:52:38	Daemon.Notice	172.24.42.254	snort[2994]:  [ 53 ]
                                            
                                            ...
                                            
                                            2013-01-26 00:52:39	Daemon.Notice	172.24.42.254	snort[2994]:
                                            2013-01-26 00:52:39	Daemon.Notice	172.24.42.254	snort[2994]: +++++++++++++++++++++++++++++++++++++++++++++++++++
                                            2013-01-26 00:52:39	Daemon.Notice	172.24.42.254	snort[2994]: Initializing rule chains...
                                            2013-01-26 00:52:39	User.Notice	172.24.42.254	check_reload_status: rc.newwanip starting pppoe1
                                            2013-01-26 00:52:39	Daemon.Info	172.24.42.254	ppp: [wan] IFACE: Up event
                                            2013-01-26 00:52:39	Daemon.Notice	172.24.42.254	snort[2994]: WARNING: /usr/local/etc/snort/snort_53096_bridge0/rules/snort.rules(536) threshold (in rule) is deprecated; use detection_filter instead.
                                            2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf: 00:01:33.546462 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 249, id 41060, offset 0, flags [none], proto UDP (17), length 268)
                                            2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:     64.18.71.226.500 > 96.43.239.155.500: isakmp 1.0 msgid : phase 1 I ident:
                                            2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:     (sa: doi=ipsec situation=identity
                                            2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:         (p: #1 protoid=isakmp transform=3
                                            2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:             (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))
                                            2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:             (t: #2 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))
                                            2013-01-26 00:52:40	Local0.Info	172.24.42.254	pf:             (t: #3 id=ike (type=enc value=1des)(type=hash value=sha1)(type=group desc value=modp768)(type=auth value=rsa sig)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) [|vid]
                                            2013-01-26 00:52:44	User.Warning	172.24.42.254	php: : rc.newwanip: Informational is starting pppoe1.
                                            2013-01-26 00:52:44	User.Warning	172.24.42.254	php: : rc.newwanip: on (IP address: 96.43.239.155) (interface: wan) (real interface: pppoe1).
                                            2013-01-26 00:52:44	User.Warning	172.24.42.254	php: : ROUTING: setting default route to 10.248.0.9
                                            2013-01-26 00:52:44	User.Error	172.24.42.254	apinger: Exiting on signal 15.
                                            2013-01-26 00:52:45	User.Notice	172.24.42.254	check_reload_status: Reloading filter
                                            2013-01-26 00:52:45	User.Error	172.24.42.254	apinger: Starting Alarm Pinger, apinger(8518)
                                            2013-01-26 00:52:48	Daemon.Notice	172.24.42.254	snort[2994]: 9531 Snort rules read
                                            2013-01-26 00:52:48	Daemon.Notice	172.24.42.254	snort[2994]:     9126 detection rules
                                            ...
                                            2013-01-26 00:52:50	Daemon.Notice	172.24.42.254	snort[2994]: WARNING: flowbits key 'imagesource.redefine' is set but not ever checked.
                                            2013-01-26 00:52:50	Daemon.Notice	172.24.42.254	snort[2994]: WARNING: flowbits key 'file.pdf' is checked but not ever set.
                                            2013-01-26 00:52:50	Daemon.Notice	172.24.42.254	snort[2994]: 82 out of 1024 flowbits in use.
                                            2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf: 00:00:10.164279 rule 1/0(match): block in on pppoe1: (tos 0x0, ttl 249, id 44376, offset 0, flags [none], proto UDP (17), length 268)
                                            2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:     64.18.71.226.500 > 96.43.239.155.500: isakmp 1.0 msgid : phase 1 I ident:
                                            2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:     (sa: doi=ipsec situation=identity
                                            2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:         (p: #1 protoid=isakmp transform=3
                                            2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:             (t: #1 id=ike (type=enc value=aes)(type=keylen value=0100)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))
                                            2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:             (t: #2 id=ike (type=enc value=3des)(type=hash value=sha1)(type=group desc value=modp1024)(type=auth value=preshared)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180))
                                            2013-01-26 00:52:50	Local0.Info	172.24.42.254	pf:             (t: #3 id=ike (type=enc value=1des)(type=hash value=sha1)(type=group desc value=modp768)(type=auth value=rsa sig)(type=lifetype value=sec)(type=lifeduration len=4 value=00015180)))) [|vid]
                                            2013-01-26 00:52:51	User.Warning	172.24.42.254	php: : Resyncing OpenVPN instances for interface WAN.
                                            2013-01-26 00:52:51	User.Warning	172.24.42.254	php: : Creating rrd update script
                                            2013-01-26 00:52:51	Daemon.Info	172.24.42.254	ntpd[17407]: Terminating
                                            2013-01-26 00:52:51	User.Warning	172.24.42.254	php: : The command '/usr/bin/killall 'ntpd'' returned exit code '1', the output was 'killall: warning: kill -TERM 43483: No such process'
                                            2013-01-26 00:52:51	User.Warning	172.24.42.254	php: : OpenNTPD is starting up.
                                            2013-01-26 00:52:51	User.Warning	172.24.42.254	php: : pfSense package system has detected an ip change 50.21.131.246 ->   ... Restarting packages.
                                            2013-01-26 00:52:51	User.Notice	172.24.42.254	check_reload_status: Starting packages
                                            2013-01-26 00:52:51	Daemon.Info	172.24.42.254	dnsmasq[63143]: reading /etc/resolv.conf
                                            2013-01-26 00:52:51	Daemon.Info	172.24.42.254	dnsmasq[63143]: using nameserver 24.226.147.201#53
                                            2013-01-26 00:52:51	Daemon.Info	172.24.42.254	dnsmasq[63143]: using nameserver 10.248.0.9#53
                                            2013-01-26 00:52:51	Daemon.Warning	172.24.42.254	dnsmasq[63143]: ignoring nameserver 127.0.0.1 - local interface
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[2994]:
                                            ...
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[2994]: Initializing daemon mode
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Daemon initialized, signaled parent pid: 2994
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Reload thread starting...
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Reload thread started, thread 0x3bded640 (54882)
                                            2013-01-26 00:52:56	Kernel.Info	172.24.42.254	kernel: bridge0: promiscuous mode enabled
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Decoding Ethernet
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Checking PID path...
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: PID path stat checked out ok, PID path set to /var/run
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Writing PID "54882" to file "/var/run/snort_bridge053096.pid"
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]:
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]:         --== Initialization Complete ==--
                                            2013-01-26 00:52:56	Daemon.Notice	172.24.42.254	snort[54882]: Commencing packet processing (pid=54882)
                                            2013-01-26 00:52:57	User.Warning	172.24.42.254	php: : Restarting/Starting all packages.
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:07.065875 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13863, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000014 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13863, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_in, 0 source(s)]
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.005788 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000017 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000008 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13871, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)]
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.043814 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)]
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000040 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)]
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000006 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13897, offset 0, flags [none], proto IGMP (2), length 40, options (RA))
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 1 group record(s) [gaddr 224.0.0.253 to_ex, 0 source(s)]
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.225489 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA))
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] [gaddr 224.0.0.253 to_ex, 0 source(s)]
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000033 rule 65/8(ip-option): pass in on bridge0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA))
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf:     172.24.48.84 > 224.0.0.22: igmp v3 report, 2 group record(s) [gaddr 224.0.0.252 to_ex, 0 source(s)] [gaddr 224.0.0.253 to_ex, 0 source(s)]
                                            2013-01-26 00:52:57	Local0.Info	172.24.42.254	pf: 00:00:00.000007 rule 65/8(ip-option): pass in on re0: (tos 0x0, ttl 1, id 13918, offset 0, flags [none], proto IGMP (2), length 48, options (RA))
                                            
                                            

                                            2.4.5-RELEASE-p1 (amd64)
                                            Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
                                            Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.