
Author Topic: suricata, squid3 w/clamd, dansguardian.  (Read 8957 times)


Offline johnk

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
suricata, squid3 w/clamd, dansguardian.
« on: January 16, 2015, 04:04:18 pm »
clamd service stopped running after last two upgrades:
Jan 16 16:45:58 root: /usr/local/etc/rc.d/clamav-clamd: WARNING: run_rc_command: cannot run /usr/bin/clamd
Jan 16 16:35:05 root: /usr/local/etc/rc.d/clamav-clamd: WARNING: run_rc_command: cannot run /usr/bin/clamd
Jan 16 16:34:18 root: /usr/local/etc/rc.d/clamav-clamd: WARNING: run_rc_command: cannot run /usr/bin/clamd
Jan 16 16:34:18 php-fpm[51879]: /pkg_edit.php: Reloading Squid for configuration sync
Jan 16 16:34:13 php-fpm[51879]: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no
Jan 16 16:34:13 root: /usr/local/etc/rc.d/clamav-clamd: WARNING: run_rc_command: cannot run /usr/bin/clamd
Jan 16 16:34:13 php-fpm[51879]: /pkg_edit.php: Reloading Squid for configuration sync
Jan 16 16:34:08 php-fpm[51879]: /pkg_edit.php: [Squid] - Squid_resync function call pr:1 bp: rpc:no
Jan 16 16:32:49 php-fpm[7833]: /index.php: Successful login for user 'admin' from: 192.168.2.29
Jan 16 16:32:49 php-fpm[7833]: /index.php: Successful login for user 'admin' from: 192.168.2.29
Jan 16 16:16:20 root: /usr/local/etc/rc.d/clamav-clamd: WARNING: run_rc_command: cannot run /usr/bin/clamd

Offline marcelloc

  • Hero Member
  • *****
  • Posts: 13398
  • Karma: +589/-7
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #1 on: January 16, 2015, 04:07:05 pm »
Try to fix the clamd path manually: /usr/pbi/squid-amd64/bin instead of /usr/bin

Offline Cino

  • Hero Member
  • *****
  • Posts: 1516
  • Karma: +61/-2
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #2 on: January 16, 2015, 06:04:26 pm »
Did you have any temporary fixes before to get clamd running on 2.2 with Squid3.4? I can't reproduce this either and from the path, I think this was a fix that was provided a month or two ago to get squid working...

I would uninstall it and then search for any reference to clamd* and remove them. Still, you have Dansguardian installed also; don't delete any references to clamd that may be in its pbi directories.

Offline johnk

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #3 on: January 16, 2015, 08:26:51 pm »
I did install squid3 several weeks earlier and did have the issues where squid would not start. I decided to avoid any issues at that time and uninstalled squid and any remnants I could find. I reinstalled when squid was compiled in transparent mode only. All services ran. Later I installed squidguard3. Had some issues and no time so that was uninstalled via package uninstall icon. With no problems for a few days, I installed Dansguardian. Until last night's pfsense update all services ran. No other changes during this time. I'll have to do some delving tomorrow as I make it a practice not to do complicated tasks when very tired.

I have to say that 2.2 development has been managed quite well, at least from my perspective.




Offline Cino

  • Hero Member
  • *****
  • Posts: 1516
  • Karma: +61/-2
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #4 on: January 16, 2015, 08:36:39 pm »
Reinstall squid3 after dansguardian.. I'm wondering if the dans pbi package is conflicting with squid's clam paths... They both have the same option to run antivirus but I've always had squid handle that function.

Offline johnk

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #5 on: January 17, 2015, 04:23:56 pm »
I haven't fixed the issue but I know the problem area. In squid3 configuration under the Antivirus setup tab, there appear to be some issues reported in that tab, perhaps corruption, as follows between + lines.
++++++++++++++++++++++++++++++++++++++++
The following input errors were detected:
Squidclamav warns redirect points to sample config domain (http://proxy.domain.dom/cgi-bin/clwarn.cgi)

Change redirect info on 'squidclamav.conf' field to pfsense gui or an external host.

c-icap Squidclamav service definition is no present.

Add 'Service squid_clamav squidclamav.so'(without quotes) to 'c-icap.conf' field in order to get it working.

Remove ldap configuration'Manager:Apassword@ldap.chtsanti.net?o=chtsanti?mermberUid?(&(objectClass=posixGroup)(cn=%s))' from 'c-icap.conf' field.
+++++++++++++++++++++++++++++++++++++++++

This is new. Note that I uninstalled dans and squid and installed them in the order Cino suggested.  No success but both clam and c-icap did not run.

I'm going to make the changes above and report back.
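
The three conditions named in the error text quoted above can be checked directly against the two files. This is an added example, not part of the thread or of the pfSense packages; note that `Service squid_clamav squidclamav.so` is a directive inside c-icap.conf, not a shell command. The file paths are passed as arguments because the page does not give them, and the sample files, the 192.0.2.1 redirect target and the finding names are constructed.

```shell
#!/bin/sh
# Added example, not pfSense package code. The findings mirror the three
# Antivirus-tab errors quoted in the post above.

# Active (non-comment, non-blank) lines of a config file.
active_lines() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# check_av_config SQUIDCLAMAV_CONF CICAP_CONF
# Prints one finding per line; exit status is 0 only when there are none.
check_av_config() {
    rc=0
    # Sample leftovers are flagged even inside comments (a choice of this example).
    if grep -q 'proxy\.domain\.dom' "$1"; then
        echo "REDIRECT_SAMPLE_DOMAIN"; rc=1
    fi
    if grep -q 'ldap\.chtsanti\.net' "$2"; then
        echo "LDAP_SAMPLE_PRESENT"; rc=1
    fi
    # The Service directive must sit on an active line of c-icap.conf.
    if ! active_lines "$2" |
        grep -Eq '^[[:space:]]*Service[[:space:]]+squid_clamav[[:space:]]+squidclamav\.so([[:space:]]|$)'; then
        echo "SERVICE_LINE_MISSING"; rc=1
    fi
    return "$rc"
}

# Constructed sample files: "bad" reproduces the reported state,
# "good" is the state after the edits the error text asks for.
make_samples() {
    dir=$1
    printf '%s\n' 'redirect http://proxy.domain.dom/cgi-bin/clwarn.cgi' > "$dir/sc_bad.conf"
    printf '%s\n' '# Service squid_clamav squidclamav.so' \
        '# sample LDAP entry: ldap.chtsanti.net' > "$dir/ci_bad.conf"
    printf '%s\n' 'redirect http://192.0.2.1/placeholder_warn_page' > "$dir/sc_good.conf"
    printf '%s\n' 'Service squid_clamav squidclamav.so' > "$dir/ci_good.conf"
}

tmp=$(mktemp -d)
make_samples "$tmp"
check_av_config "$tmp/sc_bad.conf" "$tmp/ci_bad.conf" || echo "-> fix the findings above"
check_av_config "$tmp/sc_good.conf" "$tmp/ci_good.conf" && echo "good sample: clean"
rm -rf "$tmp"
```
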

Offline Cino

  • Hero Member
  • *****
  • Posts: 1516
  • Karma: +61/-2
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #6 on: January 17, 2015, 04:47:18 pm »
Follow the steps in the error, see screen shot

Change the AV error redirect page to the IP of your box

Save config, then stop all squid related services: squid, c-icap, clamd. If needed, killall them on the command line or reboot. Then save your config again and they should all start up.


Offline johnk

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #7 on: January 17, 2015, 06:40:06 pm »
Cino, I did all that at first (or so I thought) - including a hard shutdown. For the redirect I commented out the existing line with a "#" sign and entered the correct domain info in a line below. (I've always liked to keep a trail.) Anyway, I uncommented the redirect and changed that and deleted my line. Also deleted the ldap reference which was already commented - should have taken that as a clue.

All services working.

I really wanted to work with squidguard3 but had issues - will try again. Maybe include havp in the mix?

Thanks for your help - marcelloc too.

(I drove over 1000 miles this week and I'm wiped. Will try tomorrow or Monday.)

Offline johnk

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #8 on: January 17, 2015, 06:49:42 pm »
I will say that CPU usage has doubled from before. Before had suricata, squid, and dansguardian. Now no more dansguardian.

Offline Cino

  • Hero Member
  • *****
  • Posts: 1516
  • Karma: +61/-2
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #9 on: January 17, 2015, 07:50:05 pm »
> All services working.
>
> I really wanted to work with squidguard3 but had issues - will try again. Maybe include havp in the mix?
>
> Thanks for your help - marcelloc too.
>
> (I drove over 1000 miles this week and I'm wiped. Will try tomorrow or Monday.)

Glad it's up and running for you! That's a lot of mileage, go get some sleep!

I updated squidguard's squid.conf options so it now runs on squid2 and squid3... https://github.com/pfsense/pfsense-packages/pull/787
squidguard-dev and squidguard3 should work with no issues, at least from my testing. I've been using squidguard-dev myself since it's most recent (and by most recent, 5 years I think).

If you need keyword filtering, dansguardian will work but I believe that package will be retiring in the future.

Since squid is using clamav, it doesn't make sense to use havp. They both use the same clamd engine.

> I will say that CPU usage has doubled from before. Before had suricata, squid, and dansguardian. Now no more dansguardian.

Another forum member has mentioned this also. I haven't noticed it myself but I have it running in a VM with only 2 computers going through it for testing.
« Last Edit: January 17, 2015, 07:55:24 pm by Cino »

Offline johnk

  • Newbie
  • *
  • Posts: 6
  • Karma: +0/-0
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #10 on: January 18, 2015, 04:18:09 pm »
Just to recap, before the last two version updates, all services (as in the subject header + a couple more) were functioning with CPU usage at 32%. With the updates, clam and icap stopped working. After reinstallation attempts, squid, clam, and icap worked. CPU usage with other services at 26%. This is consistent with prior same configurations. Installed dansguardian and CPU usage hit 56% at first, then climbed to 92%. This is the same config as before upgrades.

Decided to allow install of packages without signature (= squidguard_squid3) after removing dansguardian and rebooting. Squidguard install pegged CPU usage at 100% and could not be configured. Squid stopped too. Removed Squidguard and back to a working 26% system. Too many redirects was the most common message in logs.

I started with a supermicro c2758 mobo near the end of the 2.2 alpha. Haven't had many issues differing from what others have reported. No apinger problems at all. I don't use the dns forwarder or resolver on a wan, lan, opt1, opt2 box. It's not production but lan is populated with 2 servers (1 win12 and 1 Ubuntu 14.04) and several PCs. Besides network, email server, web server, dns, dhcp, print servers as well. Opt1 makes my Roku 3 happy and Opt2 is a storage system under development but has no outside world connections at this time.

Plan now is to wait for the 2.2 release and reinstall all unless someone has some thoughts.
« Last Edit: January 18, 2015, 05:22:13 pm by johnk »

Offline Topper727

  • Full Member
  • ***
  • Posts: 245
  • Karma: +25/-0
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #11 on: January 20, 2015, 09:21:07 am »
> Follow the steps in the error, see screen shot
>
> Change the AV error redirect page to the IP of your box
>
> Save config, then stop all squid related services: squid, c-icap, clamd. If needed, killall them on the command line or reboot. Then save your config again and they should all start up.

service squid_clamav squidclamav.so
squid_clamav does not exist in /etc/rc.d or the local startup
directories (/usr/local/etc/rc.d)

I edited the config and saw no result, so I copied the service command to a terminal over ssh and I got that. No wonder Clam is not starting.. why
Nothing in the folder /usr/local/etc/rc.d regarding Clamav
Dell 2950 g3 server
Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
Current: 2000 MHz, Max: 2667 MHz
8 CPUs: 2 package(s) x 4 core(s)
8152 MiB and 600meg 10k drive
Pfsense 2.4 .. Hoping to get the phpvirtualbox going again.

Offline Cino

  • Hero Member
  • *****
  • Posts: 1516
  • Karma: +61/-2
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #12 on: January 20, 2015, 09:58:08 am »
> service squid_clamav squidclamav.so
> squid_clamav does not exist in /etc/rc.d or the local startup
> directories (/usr/local/etc/rc.d)
>
> I edited the config and saw no result, so I copied the service command to a terminal over ssh and I got that. No wonder Clam is not starting.. why
> Nothing in the folder /usr/local/etc/rc.d regarding Clamav

Strange... when I installed on a fresh amd64 2.2, the links were created on my box. Have you installed squid3.4 since the 14th? A new PBI was created. Are you using i386 by chance? I've only been testing amd64.

Offline Topper727

  • Full Member
  • ***
  • Posts: 245
  • Karma: +25/-0
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #13 on: January 20, 2015, 09:59:35 am »
I just did a fresh install of 2.2 64 bit and clam was not started after those mods.. I rebooted and then clam started but i-cap is now not starting

Offline Cino

  • Hero Member
  • *****
  • Posts: 1516
  • Karma: +61/-2
    • View Profile
Re: suricata, squid3 w/clamd, dansguardian.
« Reply #14 on: January 20, 2015, 10:01:25 am »
Anything in your logs to pinpoint the issue?

pfsense system log
/var/log/c-icap
/var/log/clamav
/var/squid/logs