Netgate Discussion Forum

    Building of UTM from snort + havp + Squid Guard + Squid – need help

    pfSense Packages
    6 Posts 2 Posters 7.8k Views

    firefox

      Hello,
      I have pfSense with Squid and HAVP, and it is working.

      http://forum.pfsense.org/index.php/topic,60815.0.html#lastPost

      I had a problem configuring it, and I got a solution here in the forum.

      But in addition I got this link:

      http://fafadiatech.blogspot.co.il/2012/05/build-your-own-unified-threat.html

      It explains how to build a UTM.

      I tried to build this UTM on my computer, but I ran into a lot of problems.
      At first it was blocking some sites; in the end there was no internet access at all.

      I gave up and put the system back to a previous state using Restore.

      As I said in my previous post, I think this guide is aimed at people with more extensive knowledge.
      I think quite a few steps were missing.

      This is my system:

      2.0.3-PRERELEASE (i386)
      built on Thu Feb 21 18:45:45 EST 2013
      FreeBSD local.co.il 8.1-RELEASE-p13 FreeBSD 8.1-RELEASE-p13 #1: Thu Feb 21 19:12:31 EST 2013 root@snapshots-8_1-i386.builders.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8 i386

      You are on the latest version.

      These are the versions of the packages I installed via Package Manager:

      snort (Security, Stable) 2.9.4.1, pkg v. 2.5.5, platform: 2.0
      squidGuard (Network Management, Beta) 1.4_4, pkg v. 1.9.2, platform: 1.1
      HAVP antivirus (Network Management, "No info, check the forum") 0.91_1, pkg v. 1.01
      squid (Network, "No info, check the forum") 2.7.9, pkg v. 4.3.3

      I tried to do the same thing as the manual, and I noticed a lot of missing screenshots.
      So I think this guide is aimed at people with more knowledge, or this manual comes after another guide.

      I would love to get help configuring it.

      Right now only two packages are installed, "havp" and "squid", as I returned everything to the previous state because of the problems.

      bmeeks

        Try out this Snort Quick Setup Guide for New Users.

        http://forum.pfsense.org/index.php/topic,61018.0.html

        This will help you initially configure Snort for IDS (Intrusion Detection) mode, where it will log alerts but not block things.  Once you see how the various policies work, and what the "normal traffic" is for your network, you can enable blocking.

        By the way, when you do enable "blocking mode", be sure to change the setting for how often to clear the blocks from "never" to something like 1 hour.  This setting is on the If Settings tab for the interface.

        Bill

          firefox

          Thank you.

          Would this configuration be good with the other packages?
          Installing and configuring Snort alone should not be a problem.
          The problem starts when adding more packages.

            bmeeks

            SquidGuard can do blocking for you that is outside the scope of Snort, so yes, adding and using both simultaneously opens up at least two different ways to have a site "blocked".  And either one could be blocking the site as a false positive.  That's what is challenging about using these tools – they are trying to identify "known bad" based on circumstantial evidence.  Sometimes the tools get it wrong.  That's why vigilance and tuning by the administrator is key to effectively using automated blocking tools such as Snort, SquidGuard and others.

            I suggest running both in "logging mode" versus "blocking mode" for a week or more to get a feel for what they are detecting (and would be blocking) in your network.  You will need to sort through the alerts to try and figure out what is a false positive and what is really bad traffic.  You will need to add Suppression Rules in Snort (and whatever the equivalent is in SquidGuard) to prevent the false positives from triggering actual site blocks.

            Bill
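
            The triage Bill describes above (run in logging mode, sort the alerts into false positives and real hits, then suppress the false positives) can be done on the raw alert log rather than by eye. The following is an added example, not code from this thread or from the pfSense Snort package: it parses Snort alert lines in the standard `alert_fast` format, ranks signatures by how often they fire and from which hosts, and emits Snort `suppress` directives (the threshold.conf syntax the Snort package's Suppress list uses) for the signature/host pairs the administrator has decided are benign. The sample alert lines are constructed for the example, and the SIDs and messages in them are illustrative; whether the pfSense package of that era wrote `alert_fast` exactly is an assumption, so adjust `ALERT_RE` to match your own log.

```python
"""Triage Snort alert_fast log lines before turning on blocking mode."""
import re
from collections import Counter, defaultdict

# Constructed sample data (not captured traffic); SIDs and messages are illustrative.
SAMPLE_ALERTS = """\
02/21-18:45:45.123456  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:54321 -> 203.0.113.5:22
02/21-18:46:01.000001  [**] [1:2003068:6] ET SCAN Potential SSH Scan OUTBOUND [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 192.168.1.10:54322 -> 203.0.113.6:22
02/21-18:47:12.555000  [**] [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.20:40000 -> 198.51.100.7:80
02/21-18:47:13.000000  [**] [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.20:40001 -> 198.51.100.7:80
02/21-18:47:14.000000  [**] [1:2013504:3] ET POLICY GNU/Linux APT User-Agent Outbound likely related to package management [**] [Classification: Not Suspicious Traffic] [Priority: 3] {TCP} 192.168.1.20:40002 -> 198.51.100.7:80
02/21-19:02:30.777000  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.9:80 -> 192.168.1.30:51000
"""

# One alert_fast line: timestamp, [gid:sid:rev], message, optional classification,
# priority, protocol, and src[:port] -> dst[:port]. Assumed layout; tune for your log.
ALERT_RE = re.compile(
    r"^(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?"
    r"\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::(?P<sport>\d+))?"
    r"\s+->\s+(?P<dst>[\d.]+)(?::(?P<dport>\d+))?$"
)


def parse_alerts(text):
    """Return one dict per parseable alert line; lines that do not match are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        for field in ("gid", "sid", "rev", "prio"):
            a[field] = int(a[field])
        alerts.append(a)
    return alerts


def rank_signatures(alerts):
    """Most frequently firing signatures first, with a per-source-IP breakdown.

    Returns [((gid, sid, msg), total_count, {src_ip: count}), ...].
    A signature that fires hundreds of times from one internal host is the
    classic false-positive shape; a single hit from an external host is not.
    """
    counts = Counter()
    sources = defaultdict(Counter)
    for a in alerts:
        key = (a["gid"], a["sid"], a["msg"])
        counts[key] += 1
        sources[key][a["src"]] += 1
    return [(key, n, dict(sources[key])) for key, n in counts.most_common()]


def suppress_lines(alerts, false_positives):
    """Build Snort threshold.conf 'suppress' directives.

    false_positives maps (gid, sid) -> None to silence the signature for all
    traffic, or -> "by_src" / "by_dst" to silence it only for the hosts seen
    on that side in the alerts, which keeps the rule live for everyone else.
    """
    lines = []
    for (gid, sid), track in sorted(false_positives.items()):
        if track is None:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}")
            continue
        side = "src" if track == "by_src" else "dst"
        ips = sorted({a[side] for a in alerts if (a["gid"], a["sid"]) == (gid, sid)})
        for ip in ips:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}")
    return lines


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_ALERTS)
    for (gid, sid, msg), n, srcs in rank_signatures(alerts):
        print(f"{n:4d}  [{gid}:{sid}] {msg}  sources={srcs}")
    # After review: APT update traffic from the one host that runs it is benign,
    # so suppress that signature for that source only; the others still need a look.
    print("\n".join(suppress_lines(alerts, {(1, 2013504): "by_src"})))
```

            Run it against the interface's alert file for the week of logging-only operation, paste the generated `suppress` lines into the Snort package's Suppress list for that interface, and only then tick "Block Offenders". Prefer `track by_src`/`by_dst` over a blanket suppress so the signature keeps firing for hosts you have not reviewed.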

              firefox

              How do I put them in logging mode?

                bmeeks

                @firefox:

                How do I put them in logging mode?

                For Snort, it's easy.  On the If Settings tab for your Snort interface, uncheck the box that says "Block Offenders".  The default is unchecked unless you clicked it during configuration.  I don't know about the other packages.  They may not have a "logging only" mode.  Hopefully some other folks more knowledgeable about those packages will chime in.

                Bill

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.