Building of UTM from snort + havp + Squid Guard + Squid – need help
-
hello
i have pfsense with squid and havp and it workinghttp://forum.pfsense.org/index.php/topic,60815.0.html#lastPost
I had a problem configuring it
I got a solution here in the forumBut in addition I got this link
http://fafadiatech.blogspot.co.il/2012/05/build-your-own-unified-threat.html
Explains how to build UTM
I tried to build this UTM on my computer
But I ran into a lot of problems
At first it was blocking some sites
Finally, was not any internet accessI gave up and put the system to a previous state using the Restore
Like I said in my Previous Post
I think this guide is aimed at people with more extensive knowledge
I think that was missing quite a few stepsThis is my system
2.0.3-PRERELEASE (i386)
built on Thu Feb 21 18:45:45 EST 2013
FreeBSD local.co.il 8.1-RELEASE-p13 FreeBSD 8.1-RELEASE-p13 #1: Thu Feb 21 19:12:31 EST 2013 root@snapshots-8_1-i386.builders.pfsense.org:/usr/obj./usr/pfSensesrc/src/sys/pfSense_SMP.8 i386You are on the latest version.
These versions of the packages I installed via
Package Managersnort Security Stable
2.9.4.1 pkg v. 2.5.5
platform: 2.0squidGuard Network Management Beta
1.4_4 pkg v.1.9.2
platform: 1.1HAVP antivirus Network Management No info, check the forum 0.91_1 pkg v1.01
squid Network No info, check the forum 2.7.9 pkg v.4.3.3
I tried to do the same thing as manual I noticed a lot of missing screenshots
So I think this guide is aimed at people with more knowledge
Or is it manual comes after another guideI would love to get help configuring
Now
Only two packages are installed "havp" and "squid"
As I returned everything to the previous state because of problems -
Try out this Snort Quick Setup Guide for New Users.
http://forum.pfsense.org/index.php/topic,61018.0.html
This will help you initiallly configure Snort for IDS (Intrusion Detection) mode where it will log alerts but not block things. Once you see how the various policies work, and what the "normal traffic" is for your network, you can enable blocking.
By the way, when you do enable "blocking mode", be sure to change the setting for how often to clear the blocks from "never" to something like 1 hour. This settting is on the If Settings tab for the interface.
Bill
-
Thank you
Is this configuration would be good with other packages
Install and configure snort alone should not be a problem
The problem starts when adding more packages -
SquidGuard can do blocking for you that is outside the scope of Snort, so yes, adding and using both simultaneously opens up at least two different ways to have a site "blocked". And either one could be blocking the site as a false positive. That's what is challenging about using these tools – they are trying to identify "known bad" based on circumstantial evidence. Sometimes the tools get it wrong. That's why vigilance and tuning by the administrator is key to effectively using automated blocking tools such as Snort, SquidGuard and others.
I suggest running both in "logging mode" versus "blocking mode" for a week or more to get a feel for what they are detecting (and would be blocking) in your network. You will need to sort through the alerts to try and figure out what is a false positive and what is really bad traffic. You will need to add Suppression Rules in Snort (and whatever the equivalent is in SquidGuard) to prevent the false positives from triggering actual site blocks.
Bill
-
How do I turn them in a state of logging mode ?
-
How do I turn them in a state of logging mode ?
For Snort, it's easy. On the If Settings tab for your Snort interface, uncheck the box that says "Block Offenders". The default is Unchecked unless you clicked it during configuration. I don't know about the other packages. They may not have a "logging only" mode. Hopefully some other folks more knowledgable of those packages will chime in.
Bill
