
Show Posts


Messages - rebman77

IDS/IPS / Re: How to import 3rd party IDS rulesets' URLs into Snort?
« on: April 26, 2018, 05:07:25 pm »
Yep, that's the problem. Interesting thing is urlhaus has the IDS ruleset labeled for both Snort and Suricata. (They even tweet when they make updates to the ruleset that it is for both.)  I have to assume they have never tried their ruleset in Snort.

IDS/IPS / Re: How to import 3rd party IDS rulesets' URLs into Snort?
« on: April 25, 2018, 07:04:18 pm »
Preprocessors are all default settings.  Only additional one I have enabled is the Application ID Detection preprocessor.

IDS/IPS / Re: How to import 3rd party IDS rulesets' URLs into Snort?
« on: April 23, 2018, 04:36:18 pm »
After copying and pasting them in the custom rules panel, what's the trick to get around the error below?

Code:
Custom rules have errors: Fatal Error, Quitting..ERROR: /usr/local/etc/snort/snort_8066_em1/rules/custom.rules(1) Bad protocol: http.
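The "Bad protocol: http" error above is what Snort 2.9 reports when a rule header uses an application-layer protocol name that only Suricata understands (Snort's rule header accepts tcp, udp, icmp and ip). The checker below is an added example, not code from the thread, from Netgate or from urlhaus: it scans a ruleset before it is pasted into the custom rules panel and lists the rules whose protocol field Snort will refuse, so the incompatible lines can be found without loading the file into Snort. The sample rules, the sid values and the function name check_rules are constructed for this example.

```python
"""Flag IDS rules whose header protocol Snort 2.9 does not accept.

Added example; not part of the forum thread or of any vendor ruleset.
Assumption (from the Snort 2.9 manual): the rule-header protocol field
must be one of tcp, udp, icmp or ip. Suricata also accepts app-layer
names such as http, dns and tls, which produce "Bad protocol: <name>"
when the same file is loaded into Snort.
"""
import re

# Protocols Snort 2.9 accepts in a rule header.
SNORT_PROTOCOLS = {"tcp", "udp", "icmp", "ip"}

# Rule actions that start a rule header; anything else on a line is
# treated as a non-rule (comment, include, variable) and skipped.
ACTIONS = {"alert", "log", "pass", "drop", "reject", "sdrop"}

# action  protocol  <source/direction/destination and options>
HEADER_RE = re.compile(r"^(?P<action>\w+)\s+(?P<proto>[\w-]+)\s+(?P<rest>.+)$")


def check_rules(text):
    """Return a list of (line_no, protocol, rule_text) for every rule
    whose protocol field Snort would reject. Blank lines, comments and
    non-rule lines are ignored."""
    bad = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = HEADER_RE.match(line)
        if not match or match.group("action") not in ACTIONS:
            continue  # not a rule header (e.g. "var HOME_NET ...")
        proto = match.group("proto").lower()
        if proto not in SNORT_PROTOCOLS:
            bad.append((line_no, proto, line))
    return bad


# Constructed sample ruleset (not real urlhaus rules); the sids are
# placeholders in the local range.
SAMPLE_RULES = """\
# constructed sample, not an actual third-party rule
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"constructed http rule"; content:"GET"; sid:9000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"constructed tcp rule"; content:"GET"; sid:9000002; rev:1;)
alert dns any any -> any 53 (msg:"constructed dns rule"; sid:9000003; rev:1;)
"""

if __name__ == "__main__":
    for line_no, proto, rule in check_rules(SAMPLE_RULES):
        print(f"line {line_no}: Snort will reject protocol '{proto}': {rule[:60]}...")
```

Run against the downloaded ruleset file instead of SAMPLE_RULES to get the offending line numbers; rules that only need a different protocol name still have to be rewritten by hand, since a Suricata `http` rule usually also relies on Suricata-specific keywords that Snort 2.9 does not implement.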


I am new to pfSense. Can someone have a look at the attached image and tell me if it looks correct, please?

Was looking at this guide, and comparing to your screenshot.  What are the implications of unchecking the "invert match" box and not disabling NAT reflection?

DHCP and DNS / "Enable DNSSEC Support" and OpenDNS
« on: September 09, 2017, 09:14:19 am »
So I know OpenDNS doesn't support DNSSEC...

I currently am using OpenDNS with my pfSense setup and any guides I find say to always uncheck the "Enable DNSSEC Support" option within the DNS Resolver settings.  I thought these two guides below were pretty straightforward and consistent and after reading through them I had two questions:

So my first question is this: I've been running OpenDNS with the DNSSEC support option enabled, and other than some errors in the log (like below), everything seems to be working on the surface.  So with it enabled, what breaks when using OpenDNS?  Should I even be able to resolve addresses at all?  The way I understood it, OpenDNS would just not work with that option enabled, which then got me thinking: is something wrong with my setup?

info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN

All three OpenDNS test sites work fine with DNSSEC enabled:

Also, shows all OpenDNS servers and a "nslookup" resolves to an OpenDNS block page, so it appears pfSense is properly forcing all resolutions to use OpenDNS.

My second question is both guides say to check the "Disable DNS Forwarder" option under the General Setup.  I've currently been running with it unchecked and everything seems ok.  Any burning reason I need to check it?  What are the implications by not checking it?

I had the same problem.  See the end of this thread for the solution that worked for me.

IDS/IPS / Re: Snort failing to start on WAN
« on: May 26, 2017, 04:23:00 pm »
I had the very same problem after upgrading to  After disabling 2002802, the WAN service started without issue.

How in the world did you figure out it was that specific SID?  Just curious if I'm missing something in a log that would have helped me troubleshoot.

Here was my error:

Code:
FATAL ERROR: /usr/local/etc/snort/snort_41202_em0/rules/snort.rules(1420) byte_test rule option cannot extract more than 4 bytes without valid string prefix.

pfBlockerNG / Re: DNSBL - Blocking of iOS App Downloads
« on: May 17, 2017, 06:43:23 pm »
Bingo!  Adding the CNAME entry to the white list resolved it.

pfBlockerNG / DNSBL - Blocking of iOS App Downloads
« on: May 17, 2017, 05:44:39 pm »
Can't seem to figure this one out.  With DNSBL enabled, I am unable to download / update iOS apps on any of my iOS devices.  Works fine with DNSBL disabled.  See attached image of the alert that gets generated in DNSBL.  What I can't figure out is which list is generating the block and even adding the domain to the whitelist doesn't resolve the issue.  Hovering over the 'plus' sign, says "This Domain is already in the DNSBL WhiteList" and it won't let me add it again.

I guess I could disable every list until I figure out which one is causing the problem, but hoping someone has some tips on an easier way of identifying which list is generating the block.  Also, would be good to better understand why it's still getting blocked even if it's defined in the WhiteList.  I also confirmed this is the only alert being generated when attempting to download/update iOS apps.

Will this fix be in the 2.4 release?

pfBlockerNG / Blacklists UT1
« on: January 07, 2017, 01:36:38 pm »
Does anyone know if pfBlockerNG can be used with Blacklists UT1?  Tried to set it up, but getting errors when trying to download the lists.

Firewalling / Re: Block Mirai?
« on: October 28, 2016, 06:18:47 pm »
Was looking over the link below and just wondering, with what happened with Mirai, are there any other special setup requirements that we should consider when setting up pfSense?  e.g. Will the "default" firewall rules, Snort, etc. cover these types of attacks?

I'm seeing the same spam in my system log.  I tried the suggestion, but that didn't resolve it.  I didn't have any interfaces selected under the TFTP Proxy section when I checked.  Tried selecting all my interfaces, then saved it, then deselected them, then saved again.  But messages still appear every 15 min.

Code:
Jun 10 21:00:00 xinetd 23343 Reconfigured: new=0 old=1 dropped=0 (services)
Jun 10 21:00:00 xinetd 23343 readjusting service 6969-udp
Jun 10 21:00:00 xinetd 23343 Swapping defaults
Jun 10 21:00:00 xinetd 23343 Starting reconfiguration

General Questions / Error written to System Log after clearing log
« on: June 10, 2016, 08:59:20 pm »
Not a big deal, but just curious.  Each time the system log is cleared, there's an nginx error added to the system log like below:

Code:
nginx: 2016/06/10 20:46:39 [error] 30871#0: send() failed (54: Connection reset by peer)
Other than the error message that gets written, I can't see any other problems.  Was just curious if this is a known issue, or if something was going on with my setup.  I'm running 2.3.1-RELEASE-p1.

IDS/IPS / Re: Snort - portscan/Portsweep from WAN interface suddenly
« on: June 02, 2016, 08:14:41 pm »
I'm seeing the same thing. I just noticed it today, but not sure how long it's been occurring.  I was running Snort rules from Jun 1st and EMThreat rules from Jun 2nd and still seeing problems.  Snort is blocking Facebook, Google, Bing and others.  I forced an update and both rulesets are now dated Jun 2.  We'll see if that fixes it.

I've always had my portscan sensitivity set to "low" and haven't changed anything with my Snort setup for months.  So hoping it was just a bad batch of rules.
