Allowed rule being blocked TCP:PA
-
2.2.2-Release (AMD64)
Built 13 Apr 20:10:22Does anyone know why two tcp packets TCP:PA were blocked (left hand screen attachment) when there was an allowed rule for this and all subsequent tcp packets were allowed as seen in the right hand screen attachment?
Are the PA packets out of state packets by any chance as described here but showing TCP:FA, in the example?
https://doc.pfsense.org/index.php/Why_do_my_logs_show_%22blocked%22_for_traffic_from_a_legitimate_connection
-
Most likely.
-
I disabled logging on default block entirely because of this crap from my wife's droid phone.
-
I was wondering if there is anything which can feed like a syslog message the rules being used when a packet passes through a bit like the option in the console, but ideally somewhere where I can log them for further analysis preferably in real time as some attacks can take place over weeks and months when time is not of the essence.
-
Security Onion is a Linux distro for intrusion detection, network security monitoring, and log management. It's based on Ubuntu and contains Snort, Suricata, Bro, OSSEC, Sguil, Squert, Snorby, ELSA, Xplico, NetworkMiner, and many other security tools. The easy-to-use Setup wizard allows you to build an army of distributed sensors for your enterprise in minutes!
http://blog.securityonion.net/p/securityonion.html
-
Now that you mention security onion I might have an iso I've downloaded … yep I've got 12.04.5 which looks like I downloaded it Sept last year. I'll fire it up and have a look. BTW re the PM I think I got to the bottom of the weird stuff as seen here. https://forum.pfsense.org/index.php?topic=94554.0 so I over the weekend I can look at your blocker again and give that a whirl.