RESET Forums (homeservershow.com)

AdTrap - the internet is yours again

oj88
Ok, my Linux-incompetence is starting to catch up. I've got VIP access to the I-Blocklist and I see a number of formats: p2p, dat, cidr, and hosts (all in .gz archive). Which should I choose?

 

Next, which is best to use this list with and how?

 

1. Dansguardian

2. Squidguard

3. PfBlocker

 

Thanks in advance.

Jason

I too recently subscribed to iblocklist and am using their default gzip (gz) format with pfsense's pfblocker.

 

While I've noticed a significant # of packets being caught which I assume is an indicator it is working, I find myself spending more time appending to my pfblocker custom exception list of CIDRs that I wish to allow outbound access from client PCs. In fact, adding exceptions has become so tedious I've considered disabling pfblocker.

 

Often I am unaware of the many IPs being used by common tasks. Instead I must watch a site block occur, either try to ping the domain to return the IP or look in NTOP for the attempted packet destinations. Then add the x.x.x.0/24 CIDR to my exemption list. Surely there's a better way?

Drashna Jaelre

You want the CIDR for pfBlocker.

 

And as for allowing sites/IPs.... not really. That's the problem with security. Either you have to be very lax, and hopeful. Or you have to be draconic. :(

Jason

Is there a better method for finding out the CIDRs to make exempt than what I'm doing? Seems tedious. Guessing IPs, trying to ping, then adding x.x.x.0/24 as the CIDR?

Drashna Jaelre

Not really that I've seen. :(

 

If you are concerned more about hackers, then Snort may be a better choice. But if you want to filter content...

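Two questions in the thread above share one mechanical answer: oj88 asks which I-Blocklist format to use, and Jason asks how to scope an exemption more precisely than a guessed x.x.x.0/24. The script below is an added example, not code from the thread or from pfBlocker. It converts a "p2p" format list (one "description:start-end" range per line, the PeerGuardian-style format I-Blocklist offers) into the one-CIDR-per-line form pfBlocker consumes, and then, for each address a hostname resolves to, reports the narrowest listed network that would block it, which is the exact range to exempt. The sample list and the hostname-to-address table are constructed for the example (documentation/TEST-NET addresses, an in-memory stand-in for DNS) so it runs offline; the format assumption and IPv4-only handling are mine, not stated on the page.

```python
"""
Added example (not from the forum thread or pfBlocker): turn a p2p-format
blocklist into CIDR lines and find the listed range covering a given IP.

Assumptions (not on the page): p2p lines look like "description:start-end",
'#' starts a comment, and ranges are IPv4. Sample data below is constructed.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in p2p format using documentation/TEST-NET addresses;
# these are NOT real I-Blocklist entries.
SAMPLE_P2P = """\
# constructed sample, not a real I-Blocklist file
Example Hoster:203.0.113.0-203.0.113.255
Example CDN:198.51.100.16-198.51.100.31
Example Scanner:192.0.2.77-192.0.2.77
"""


def parse_p2p(text: str) -> List[Tuple[str, ipaddress.IPv4Network]]:
    """Parse p2p lines into (description, network) pairs.

    A start-end range is not always a single CIDR block, so each range is
    summarized into the minimal set of CIDR networks that covers it exactly.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split on the LAST ':' because descriptions may themselves contain colons.
        desc, _, rng = line.rpartition(":")
        start_s, _, end_s = rng.partition("-")
        start = ipaddress.ip_address(start_s.strip())
        end = ipaddress.ip_address(end_s.strip())
        for net in ipaddress.summarize_address_range(start, end):
            entries.append((desc.strip(), net))
    return entries


def to_cidr_lines(entries: List[Tuple[str, ipaddress.IPv4Network]]) -> List[str]:
    """Render entries in the one-CIDR-per-line form a CIDR list uses."""
    return [str(net) for _, net in entries]


def matching_entries(ip: str, entries):
    """Return every (description, network) containing ip, narrowest prefix first."""
    addr = ipaddress.ip_address(ip)
    hits = [(d, n) for d, n in entries if addr in n]
    return sorted(hits, key=lambda h: -h[1].prefixlen)


# Constructed stand-in for DNS resolution so the example runs offline.
# In real use you would resolve the hostname instead (e.g. socket.getaddrinfo).
FAKE_DNS: Dict[str, List[str]] = {
    "updates.example.com": ["198.51.100.20", "198.51.100.200"],
    "www.example.org": ["203.0.113.10"],
}


def exemptions_for_host(hostname: str, entries, resolver=FAKE_DNS) -> Dict[str, str]:
    """For each address the host resolves to, report the listed network that
    blocks it. Returns {address: cidr_or_None}; None means the address is not
    on the list, so no exemption is needed for it."""
    result = {}
    for ip in resolver.get(hostname, []):
        hits = matching_entries(ip, entries)
        # The narrowest hit is the range to exempt; wider than that widens the hole.
        result[ip] = str(hits[0][1]) if hits else None
    return result


if __name__ == "__main__":
    entries = parse_p2p(SAMPLE_P2P)
    print("\n".join(to_cidr_lines(entries)))
    print(exemptions_for_host("updates.example.com", entries))
```

The point of reporting the narrowest matching entry is that an exemption should punch the smallest hole the list forces you to: if the list only contains a /28, exempting that /28 re-allows the blocked host without also re-allowing the rest of the /24 around it.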
awraynor

Good to know. Any known sources of good lists? Been considering building a test untangle box to compare to pfsense but only have overpowered old hardware. For example an EP45-UD3P w Q9550 quad core CPU and dual NIC motherboard that would require a video card. My pfsense machine is on an extremely energy efficient supermicro atom build.

 

Running my Hackintosh (Mountain Lion) on this hardware.

Jason

Not really that I've seen. :(

 

If you are concerned more about hackers, then Snort may be a better choice. But if you want to filter content...

I am currently running both snort and pfblocker. Though snort never appears to block anything.

revengineer

Unless I am mistaken, the purpose of snort is to identify violations only. On my firewall I need a separate addin to block the violations.

Jason

Unless I am mistaken, the purpose of snort is to identify violations only. On my firewall I need a separate addin to block the violations.

Snort both identifies and blocks violations depending on how you have it configured. You can then suppress certain rules and enable/disable the categories to enforce.

revengineer

Snort both identifies and blocks violations depending on how you have it configured. You can then suppress certain rules and enable/disable the categories to enforce.

 

I only use it on default SmoothWall, where it's ID only. Their FAQ says:

Snort is an open source network intrusion prevention system, capable of performing real-time traffic analysis and packet logging on IP networks. It can perform protocol analysis, content searching/matching, and can be used to detect a variety of attacks and probes, such as buffer overflows, stealth port scans, CGI attacks, SMB probes, OS fingerprinting attempts, and much more.

 

so apparently there is a prevention component. However, having previously configured snort manually, I found that the program has some of the worst documentation I have ever seen, and I was unable to find how the prevention part works. Bottom line though is that the snort functionality exposed to the user depends on system integration.
