IDS/IPS

pfsense 26.03-RELEASE (amd64) running Suricata keeps crashing.

pvanderlaat — Sun, 10 May 2026 13:37:52 GMT

I was able to resolve the issue by reinstalling suricata package in pfsense.

PHP Fatal error: preg_replace()

mtrade — Sat, 09 May 2026 17:11:29 GMT

Checking to see if I should create a bug report. I searched and didn't find related discussion.

Trying to navigate to Active Rules for an interface yields a blank (white) page.

I have a Netgate 4200 MAX, 26.03-RELEASE (amd64).

In Global Settings I have Snort VRT with code, Enable ET Open, Enable OpenAppID + Text Rules, Enable FEODO Tracker Botnet C2 IP Rules

Services / Snort Interface Settings / PORT1WAN - Categories

Resolve Flowbits
Use IPS Policy : Security
Mode : Policy

Services / Snort Interface Settings / PORT1WAN - Rules

Trying to view the Available Rule Categories, selecting Active Rules causes a momentary spin, then a blank page.

Then on the dashboard there is an error report link:

Crash report begins.  Anonymous machine information:

amd64
16.0-CURRENT
FreeBSD 16.0-CURRENT #36 plus-RELENG_26_03-n256531-4923e82e59d1: Fri Mar 20 18:22:49 UTC 2026     root@pfsense-build-release-amd64-1.eng.atx.netgate.com:/var/jenkins/workspace/pfSense-Plus-snapshots-26_03-main/obj/amd64/TVcqnR7U/var/jenkins/workspace/pfSe

Crash report details:

PHP Errors:
[09-May-2026 11:35:01 US/Central] PHP Fatal error:  preg_replace(): Cannot use output buffering in output buffering display handlers in /usr/local/www/csrf/csrf-magic.php on line 163
Stack trace:
#0 /usr/local/www/csrf/csrf-magic.php(163): preg_replace()
#1 [internal function]: csrf_ob_handler()
#2 {main}

No FreeBSD crash data found.

Does Snort Inline Blocking Effect All Interfaces?

planedrop — Thu, 07 May 2026 03:01:47 GMT

One thing I've been confused about as I dive into Snort more in pfSense is the blocking modes. In most cases I'd prefer to have inline since it can stop packets before any get to the destination, however, inline mode is described in a lot of posts as being in between the host stack and the "physical interface".

I'm curious if enabling this impacts more VLANs or if it just impacts the selected VLAN I have Snort running on in this environment.

Any ideas?

On an additional note, does this change require a reboot or anything along those lines?

SNORT

BobL4002 — Wed, 22 Apr 2026 18:19:20 GMT

After upgrade to v25.11.1 my console is filled with log entries from SNORT. I have turned off logging but still getting large influx of messages

Suricata 7.0.8_13 Crash on 26.03

jpv9 — Thu, 02 Apr 2026 03:21:29 GMT

@SteveITS I'm not a bug hunter but I wanted to report some findings which might help with troubleshooting this issue. I have two 6100s [26.03-RELEASE] - one with a single WAN Legacy interface in Suricata, the other with two WAN Legacy interfaces in Suricata. On the assumption that perhaps it might have been a misconfiguration issue during my recent package upgrade, and not finding any direction on how to downgrade, I decided to try directly altered the two instances of "7.0.8_13" back to "7.0.8_8" in /cf/conf/config.xml file and then immediately reinstall the package under the normal package manager. This of course still results in the "7.0.8_13" version, but I thought it might find and address additional configuration issues. The result was that the configuration for the single WAN interface was completely lost and had to be rebuilt from scratch, whilst the firewall with two Suricata WAN interface configurations survived but both interfaces needed to be manually restarted (did not come back online automatically). After rebuilding the single interface and restarting the two interfaces, both had no issues with opening and displaying the BLOCKS page (without using the patch). Whilst I have no idea why it worked, i thought it might help some people out there.

Is it possible to implement true block offender's IP if IPS is in inline mode?

lokapal — Fri, 27 Mar 2026 12:20:56 GMT

Hello, friendly pfSense community :-)

We have a /24 real IPs network behind pfSense, Suricata and pfBlockerNG (pfSense 2.8.1, Suricata 7.0.8_5). I'm looking for a way to combine the best features of both Legacy and Inline IPS modes. I.e. how to block offending IP totally for a good measure of time (3-6 hours) totally if the rule was activated and packet dropped? We switched from "Legacy" to "Inline" mode, and immediately our logs were full of single-type messages, along with attempts to brute-force attack SSH ports on our servers. From the same IP address, over 2,000 were reached in just 10 hours. It really messes up the log files. The best thing to do would be to use something like fail2ban in Linux. This would allow you to allow two to five attempts in two minutes, and then a total ban for 6 to 12 hours for the same IP address.

Suricata 7.0.8_5 on pfsense 2.8.1 hangs after enabling

aGeekhere — Mon, 16 Mar 2026 10:59:28 GMT

Wanted to test Suricata with a basic config
Suricata 7.0.8_5 on pfsense 2.8.1 internet and network hangs after enabling, unbound service stops, ISC DHCP Server stops. I have to disable Suricata and reboot to fix it.

Cannot seem to find the logs that shows what the issue is.

Services Suricata Global Settings
ETOpen is a free open source set of Suricata rules whose coverage is more limited than ETPro. - Checked
Use a custom URL for ETOpen downloads - Checked
Install Feodo Tracker Botnet C2 IP rules - Checked
Install ABUSE.ch SSL Blacklist rules - Checked

ETOpen Custom Rule Download URL
https://rules.emergingthreats.net/open/suricata-7.0.8/emerging.rules.tar.gz

Services Suricata LAN - Interface Settings
Interface LAN
Alert and Block Settings - Unchecked (doing IDS-only atm)

Services Suricata Interface Settings LAN - Categories

ONLY Feodo Tracker Botnet C2 IP Rules is checked

AMD Ryzen 5 5600G with Radeon Graphics
12 CPUs : 1 package(s) x 6 core(s) x 2 hardware threads
AES-NI CPU Crypto: Yes (active)
QAT Crypto: No
Memory 16GB memory
Ethernet Controller 10-Gigabit X540-AT2

Hardware Checksum Offloading - Unchecked
Hardware TCP Segmentation Offloading - Unchecked
Hardware Large Receive Offloading - Unchecked
hn ALTQ support - Checked

I did leave it for 10 mins but the network was still down, not sure what i am doing wrong.

Snort SID Management Syntax

bmeeks — Tue, 17 Feb 2026 11:44:42 GMT

The physical files themselves (the sample SID Management Configuration files) are installed with the Snort package into /var/db/snort. Then, if it's a first-time green field installation, the contents of those sample files are migrated into the config.xml file of the firewall as Base64 encoded text by the post-installation script and stored there from then on. If they are not showing for the OP, then somehow they were accidentally deleted is my best guess. The GUI will allow them to be deleted.

Snort 4.1.7_3 - Alerts tab link in GID:SID column goes to a snort.org URL with document missing

Shawesome — Sat, 31 Jan 2026 18:03:32 GMT

@bmeeks: Great advice, thanks again.

Snort Alerts for a connection without FW rule

SteveITS — Sun, 25 Jan 2026 10:47:10 GMT

@elmnts shouldnt I see the initial connect in the Snort log Depends on the rule. E.g. packets from a listed IP.

Looks Like I Broke Snort

bmeeks — Mon, 19 Jan 2026 17:47:43 GMT

It's very simple to test the functionality of Snort. Install nmap on any laptop or PC on your network. Run a simple SYN scan against the firewall's interface IP for a network that has a Snort instance running on it with the Emerging Threats SCAN rule set enabled. nmap -sS If the above command generates connection attempt alerts, then Snort on that interface is working. If you see nothing, then Snort is either not actually running or the needed rules are not installed/enabled. Note that you won't get blocks from this test because the firewall interface IPs should all be in the automatic Pass List, but you will see ALERTS from the attempts.

configure Suricata with Wazuh

detox — Fri, 21 Nov 2025 14:13:48 GMT

hello all!

I am attempting to incorporate Wazuh into my network security. The Wazuh site states

"There are several ways to integrate pfSense with Wazuh. The easiest method is syslog, but you can also use the Wazuh agent. Wazuh agent (native package for pfSense) is already pre-installed In pfSense which is available in Yandex Cloud Marketplace/VK Cloud Marketplace. Therefore, you can start setting up immediately, bypassing the installation process."

I do not see one. It then explains how to use by configuring Suricata, and finally, it explains how to import the syslog itself. But all reference restarting the "Agent".

Several sites show how to 'fix' pfsense to get packages directly from FreeBSD repositories, but that seems to be fairly dangerous.

So does anyone have a reference on how to send syslogs from PfSense to Wazuh without "backdoor tinkering"?

Thanks

So why is Netflix hitting me with Dradis?

ssullivan556 — Fri, 21 Nov 2025 07:28:19 GMT

@Patch said in So why is Netflix hitting me with Dradis?: The information they are after on your device is screen fingerprinting (to identify content played not from them). And any thing else they can see on your network. The overall effect is a rather high price for a country. Clearly an individual can’t change this on their own but neither must an individual accept or support it. Interested in a source for the claims. I thought targeted advertising was frighteningly cheap?

Suricata not starting on Netgate 8200

DARA — Sat, 08 Nov 2025 15:46:47 GMT

Hello team,

I have a Netgate 8200 running 24.11-RELEASE (amd64) with Suricata 7.0.8_5 package installed. Suricata doesn't seem to start. It loops to red once I press the Play button on the interface.
It leaves no logs in the System logs, it leaves no logs in suricata.log at

/var/log/suricata/suricata_ovpns933787/suricata.log

I tried launching it manually:

# /usr/local/bin/suricata -V

# /usr/local/bin/suricata -c  /usr/local/etc/suricata/suricata_33787_ovpns9/suricata.yaml -i suricata_ovpns933787

and I get this output

ld-elf.so.1: /usr/local/bin/suricata: Undefined symbol "__strlcpy_chk@FBSD_1.8"

Thanks in advance,
Dara

suricata vulnerability CVE-2025-12490

tinfoilmatt — Fri, 07 Nov 2025 17:19:35 GMT

Here. I think. Referenced as "github.com: vendor-provided URL vendor-advisory" in your link.

Suricata ETOpen rules failing to update

RedDelPaPa — Sun, 02 Nov 2025 15:26:12 GMT

@bmeeks Understood. Thank for kindly for your help. I will likely be ordering a new unit soon.

Forwarding Suricata Logs to ELK or Graylog

b3rt — Mon, 27 Oct 2025 10:59:12 GMT

@Greyhat I think it's useful to work with what we've got and figure something out for the (i hope) edge cases later. So for the JSON I figured you can actually use an existing suricata integration by co-opting their pipelines.

Throughput drop on Netgate 8200 MAX LAN/VLAN (ix1) with Suricata inline mode

bmeeks — Tue, 14 Oct 2025 01:42:42 GMT

@smsigroupit said in Throughput drop on Netgate 8200 MAX LAN/VLAN (ix1) with Suricata inline mode: @bmeeks Thank you for the reply. Switching Suricata’s Run Mode to Workers resolved the throughput drop. Really appreciate the help! Ah --- yes. I forgot to mention trying Workers Run Mode in my previous post. Workers mode allows the netmap packet handling module to avoid the need to lock the netmap rings during critical functions.

Clear NDR. Could pfSense team take a look and may be replace Suricata with this?

Antibiotic — Mon, 06 Oct 2025 20:56:31 GMT

@bmeeks There community edition as well, when I'm asked about pfSense package, I mean community edtition. Plus Suricata 8.0 a huge step forward from previous releases.BTW any plan to integrate Suricata 8.0 in pfSense? https://www.stamus-networks.com/clear-ndr-community.

Suricata 7.0.8_3 IPS Mode Not Blocking on pfSense 2.8.1

kkierii — Wed, 17 Sep 2025 18:55:53 GMT

@SteveITS Pass lists are completely blank. there are some blocks that have occured so it seems to be blocking some things.

DPI (Deep Packet Inspection) and pfSense

beloc — Mon, 15 Sep 2025 19:54:53 GMT

@SteveITS Thank you for the reply. I understand. Hopefully its picked back up.

Patch notes for suricata 7.0.8_3?

bmeeks — Wed, 10 Sep 2025 02:55:42 GMT

It was all CVE fixes in the PHP GUI part of the package. See the Redmine ticket here: https://redmine.pfsense.org/issues/16414.

Snort Alert list explanation

SteveITS — Mon, 08 Sep 2025 22:32:22 GMT

@icoso said in Snort Alert list explanation: If I only run it on the LAN ports wouldn't that only prevent my users from going outbound to certain IP's? I think you're misunderstanding how it works. In legacy mode it will check for "bad" packets going past the router, and add the "bad" IP to a table/alias, and the firewall will block packets to/from that table. It is not directional in the sense of "it's on LAN so only watches outbound." Running it on LAN also identifies which internal device triggered the rule because otherwise on WAN it is after NAT, since it's outside the firewall. You can run it on WAN, sure. Some do if they have a lot of internal interfaces and don't want that many Snort/Suricata processes running. It's a tradeoff of "scanning packets that will never actually arrive" vs convenience/RAM usage. Here is the setting I mentioned in Suricata; the packages are similar to maybe Snort has it also: [image: 1757427238489-8223c7ca-ba6c-4503-8668-2b7c03e597ef-image.png] However, on the Snort interface settings click the View List button by "IP Pass List" and you'll see which IPs are ignored by default.

Feodo Tracker Botnet C2 IP Rules down for almost 48h

fireodo — Sun, 07 Sep 2025 07:30:19 GMT

@Gradius said in Feodo Tracker Botnet C2 IP Rules down for almost 48h: Any mirror or alternative ? No - AFAIK ... Edit (08.09.2025): Its UP again!

Suricata log mgmt settings ineffective

skogs — Sat, 06 Sep 2025 03:36:04 GMT

I have struggled with the log sizes getting too big and then the web pages refusing to list things on them (alerts/blocks pages show empty in UI). Clearing the logs manually instantly fixes the UI issue. I think the problem is the fact that logs can grow quite quickly and that relying on the log rotation can lead to a (very minimal) denial of service type event. I've thought about mucking with how often it rotates but as long as I'm not being legit DDOS'd it is just a nuisance. Suricata still clearly works. The firewall itself clearly works. The only real problem is UI issues when attempting to do a real investigation or troubleshoot. One can work around that manually. Of course somebody will simply say turn suricata off on the external interface. No. Occasionally good research happens there.