Not exactly sure what's the question here, obviously depends on the interface. If you have FPs, disable the offending rules.

Thank you

I have a HP NC365T quad nic and seems to run (wan only)  in-line Suricata 3.1.2 on pfSense 2.3.3_1 fine. When I was running speedtest, I did get an Suricata alert "SURICATA STREAM excessive".

Doktornotor, yes, I'm using my snort as you said it, in in-line mode, like the bridge between two network segments (between my ISP router and my main firewall). Now, would you tell me if this way, setting my wan ip on passlists, would not open some security hole in my network? I think it might not block some kind of threat, I do not know. If you do not see problem I will leave it configured this way, with ip of wan added in the passlist.

Thanks a lot, pfBasic. It really opened my eyes on that point. I'll analyze the logs for a while before applying lock.

I actually just happened to post a thread on how to keep your snort2c table persistent. When you updated you had to reboot, anytime you reboot your blocked hosts lists will be flushed. Just follow the instructions here and you can keep your lists! It's actually really easy. https://forum.pfsense.org/index.php?topic=126997.0

I do have VPN setup on my server and also the client on my phone. I will need to gives this a test. Thanks,

Have you tried the service watchdog package? It sounds like it is written to do exactly what you want. EDIT: Maybe not exactly what you want, it doesn't work on a per interface basis. I don't know if it will work for you but it should if your system keeps marking the suricata service as down for some reason.

OK thank you, I figured that would be the answer. I ended up just disabling & modifying some rules so that it's no longer a problem.

I didn't know Snort could do this, and after a quick bit of searching I'm not convinced that the current version of Snort can do SNMP. I found some references to pre 2.0 Snort and SNMP, and some references to third party plugins, but nothing in the manual for 2.9.9 mentions sending alert info via SNMP. If your RMM supports Syslog you could use it.

Did you enable Port scan detection? General preprocessor settings section –> enable 'Portscan Detection'

Hello, Suricata 3.2.1 is available on Fresh ports.

I saw this in the logs after the update: /etc/rc.packages: [Snort] Removing all blocked hosts from <snort2c>table… /etc/rc.packages: [Snort] Removing package files… /etc/rc.packages: [Snort] Not saving settings… all Snort configuration info and logs will be deleted... /etc/rc.packages: [Snort] Flushing <snort2c>firewall table to remove addresses blocked by Snort… /etc/rc.packages: [Snort] The package has been completely removed from this system.</snort2c></snort2c> Snort showed up in Installed packages with "newer version available". Tried to update: Removing snort components… Menu items... done. Services... done. Loading package instructions... pfSense-pkg-snort-3.2.9.1_14: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.1_14/ESF pfSense-pkg-snort-3.2.9.1_14: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.1_14/LICENSE pfSense-pkg-snort-3.2.9.1_14: missing file /usr/local/share/licenses/pfSense-pkg-snort-3.2.9.1_14/catalog.mk pkg: Fail to rename /var/db/snort/sidmods/.disablesid-sample.conf.xmxAXuJE48b4 -> /var/db/snort/sidmods/disablesid-sample.conf: No such file or directory Failed Removed package. It threw some errors (attached). Rebooted. Installed snort again without a problem. It now shows up in services and my settings are there too. Have you tried turning it off and on again? [snort package removal error.txt](/public/imported_attachments/1/snort package removal error.txt)

The only way that I could find to fix this, after serious testing, was to do a full reinstall, and restoring the backup configuration. The topic can be closed.

First thing of rule in security for me is never use someone else rules or whitelist. You as the administrator of your network should know it best and determine what is good and what is not. From your alert ip: 2017-02-23 11:55:30  3  TCP  Unknown Traffic  192.168.0.12     88  192.168.0.10     3871  120:3     (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE Should .12 accessing .10? Is so then for what reason? Is it device or server compromise? If so did you check logs or do a wireshark capture? Things you need to ask. 2017-02-23 11:52:08  3  TCP  Unknown Traffic  151.101.124.84     80  192.168.0.15     34412  119:31     (http_inspect) UNKNOWN METHOD 151.101.124.84 seems to be pinterest. Is .15 a device that is accessing pinterest at the moment is pinterest block? Content not showing? Most of the time http_inspect are errors with HTTP conversation. But not all the case, sometimes these can be some sort of consolidated attack on your servers or possibly of trying to use them in an attack against another server or servers. In this case most likely not and consider safe if it isn't affecting the website or content I just leave it along. Hope that helps.

Yeah, remove and reinstall the package.

And why on earth is security software still using MD5?! :(