Squid, Snort, pfBlocker issue?



  • Hi all,

    I've been running Squid and Snort on my pfSense box since I got it up and running a few weeks ago, no issues. I just installed pfBlocker last week and it's been working fine, but today I noticed some weird things in the system logs.

    Jul 24 12:05:00 router php: snort_check_for_rule_updates.php: [Snort] Server returned error code 422…
    Jul 24 12:05:00 router php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules md5 download failed…
    Jul 24 12:03:05 router php: /index.php: Successful login for user 'admin' from: xxx.xxx.xxx.xxx
    Jul 24 12:03:05 router php: /index.php: Successful login for user 'admin' from: xxx.xxx.xxx.xxx
    Jul 24 12:02:25 router php: rc.start_packages: No pfBlocker action during boot process.
    Jul 24 12:02:25 router php: rc.start_packages: No pfBlocker action during boot process.
    Jul 24 12:02:25 router php: rc.start_packages: No pfBlocker action during boot process.
    Jul 24 12:02:25 router php: rc.start_packages: No pfBlocker action during boot process.
    Jul 24 12:02:23 router kernel: re0: promiscuous mode enabled
    Jul 24 12:02:21 router SnortStartup: Snort START for WAN...
    Jul 24 12:02:17 router php: rc.start_packages: No pfBlocker action during boot process.
    Jul 24 12:02:17 router php: rc.start_packages: No pfBlocker action during boot process.
    Jul 24 12:02:17 router php: rc.start_packages: No pfBlocker action during boot process.
    Jul 24 12:02:17 router php: rc.start_packages: No pfBlocker action during boot process.
    Jul 24 12:02:16 router kernel: re0: promiscuous mode disabled
    Jul 24 12:02:16 router snort: *** Caught Term-Signal
    Jul 24 12:02:15 router SnortStartup: Snort STOP for WAN...
    Jul 24 12:02:15 router kernel: re0: promiscuous mode enabled
    Jul 24 12:02:13 router SnortStartup: Snort START for WAN...
    Jul 24 12:02:10 router squid: Squid Parent: child process started
    Jul 24 12:02:08 router php: rc.start_packages: The command '/usr/local/etc/rc.d/squid.sh stop' returned exit code '1', the output was ''
    Jul 24 12:02:08 router kernel: re0: promiscuous mode disabled
    Jul 24 12:02:08 router snort: *** Caught Term-Signal
    Jul 24 12:02:08 router php: rc.filter_configure_sync: SQUID is installed but not started. Not installing "filter" rules.
    Jul 24 12:02:07 router php: rc.filter_configure_sync: SQUID is installed but not started. Not installing "pfearly" rules.
    Jul 24 12:02:07 router php: rc.filter_configure_sync: SQUID is installed but not started. Not installing "nat" rules.
    Jul 24 12:02:07 router squid: Squid Parent: child process exited with status 0
    Jul 24 12:02:07 router SnortStartup: Snort STOP for WAN...
    Jul 24 12:02:03 router php: rc.start_packages: Reloading Squid for configuration sync
    Jul 24 12:02:03 router php: rc.start_packages: Reloading Squid for configuration sync

    I don't know if the issue here is with Squid, Snort, pfBlocker, or something else entirely, but I haven't changed anything in the configuration recently. As far as I'm aware, all that has changed is that we had a few guests over and they were trying to troubleshoot some Mario Kart Wii U online issues last night... I am the only one with access to the pfSense login though.

    I saw this Squid & Snort stopping/starting, the Snort rules update failure, and "no pfBlocker action during boot..." in the logs, so I rebooted the pfSense router, but I just saw the same things in the log again. Has anyone seen this kind of behavior in the logs before, and if so, any tips on what might be going wrong or what I need to do to remedy the problem?



  • "[Snort] Server returned error code 422…"

    Nothing to worry about.

    They are just updating on their end. It should be back to normal when they are finished.



  • @Cmellons:

    "[Snort] Server returned error code 422…"

    Nothing to worry about.

    They are just updating on their end. It should be back to normal when they are finished.

    What about Squid and Snort rapidly stopping and starting and pfBlocker reporting "no… action during boot process"? I haven't seen these logs before and it seems unrelated to the Snort update process.