@bmeeks That's exactly what I did, except it overwrote the first file instead of creating a 5th. I'm not sure why. I can still change the names back and can get it to reproduce the same problem. Thanks for the help. At least I'm now able to add the extra conf files that I needed.

I've added it to my TODO feature list for Suricata.

Yeah, that's not supposed to happen. I will put it on my TODO list of bugs to fix. In the meantime, here is how to disable the feature if you want to stop using it. The steps below turn off the functionality of SID MGMT. Click the checkbox so the page info is displayed on the SID MGMT tab. Down at the bottom of the page, make sure all of the drop-down selectors for the Enable SID List, Disable SID List and Modify SID List are set to "none". Now click Save. If you want to immediately rebuild the rules for each configured interface, click the Rebuild checkbox beside each interface before clicking Save. This will remove the list assignment and thus no SID MGMT settings will be used.

This issue is now corrected in the latest version of the Snort package (v3.2.9.9_1 for pfSense-2.4.4_3 and v4.0_6 for pfSense-2.5-DEVEL).

@haroldye said in Snort can not update. it gose unknow all the time: Thank you very much You are welcome. Sorry for the confusion. I just posted a notice in the IDS/IPS forum so if others run into this they will know what's going on.

@everfree said in Snort v3.2.9.9 - not blocking?: Suricata 4.1.4_5 Legacy Mode blocking not actually blocking offender IPs in some setups. I have the "Which IP to Block" setting on BOTH. I think it is not fixed fully. You posted in a Snort 3.2.9.9 thread, so I read your initial post quickly and missed the Suricata part in the message. Sorry about that. I automatically assumed you were posting about a Snort issue. I get a lot of messages from various users and sometimes get all the different posts confused. I will need to check on Suricata using a test VM. Just noticed this post this morning in another thread for a different user: https://forum.netgate.com/topic/145891/my-suricata-not-blocking-legacy-mode. Look in your suricata.log file for the interface and see if a similar message is shown for your system.

@NollipfSense said in Suricata Inline and Rules: @bmeeks said in Suricata Inline and Rules: A corporate network does not want employees to have access to iTunes, Hulu, Netflix, etc. They want that stopped, so they configure security that way. A home network most definitely generally wants those services available, so you can't just go copying someone's list of rules and suppress listings unless you fully understand what those rules are actually doing. I understand Bill; however, all rules under stream-events.rule had been disabled as well as the only iTunes rule under Emerging-policy.rule had been disabled. I believe the author was from England. What about these two rules: 1:2009582 ET SCAN NMAP -ss window 1024 and 1:2027863 ET INFO Observed DNS Query to .biz TLD...I am getting lots alert so they were dropped. My opinion, and the advice I give home network users, is to enable the Snort rules download and then enable the IPS Policy - Connectivity setting. That's really all you need. Enable no other rules. That provides plenty of protection from most of the threats out there, especially if you keep your Windows machines updated with the latest security patches (in other words, leave Windows Update enabled and have your machines on a UPS so they just are on all the time and update late at night). If an admin has a good bit of IDS/IPS experience and also quite a bit of networking theory knowledge, then he can experiment with maybe the IPS Policy - Balanced setting and perhaps enable some additional Emerging Threats rules. But be prepared to have Google on speed-dial so you can quickly research potential false positives. All those events rules provided with a default Suricata installation are designed to simply detect deviations from RFC behaviors. They are triggering on protocol anomalies, and nearly 100% of the time those anomalies are completely harmless. So never set those rules to DROP, and if the alerts bother you, then disable those rules entirely. But don't obsess with them triggering, as they tend to false positive like crazy. Those ET DNS query rules are also only marginally useful at best. As you see, they will trigger quite often on even normal web traffic. Some of them will even false positive fairly often. For home users these kinds of rules are more of a bother than an addition to security. I don't run them on my system. If you keep your PC software updated, that's 95% or more of the network security battle won right there! Some IDS/IPS users want to start out with a whole bunch of enabled rules because they think it will make their setup "secure", but they quickly get frustrated because so many things (apps) get broken - and sometimes in very strange ways. Take my advice, keep it simple for many months as you get your feet wet administering an IDS/IPS. I have what I believe is a very secure setup for my home network using Snort. I may one day get zapped with a zero-day -- who knows, but I am pretty confident that my setup is secure. And my iTunes works, my Netflix works, my Facebook and YouTube videos work, and all the web sites I visit open up and display properly. I honestly do not know the last time Snort crashed or gave me any issue on my firewall, and I've been running it for many years. I get maybe one alert per month on average on my LAN from Snort. I do get several an hour on my WAN, but that's simply because I run a handful of ET rules there solely to generate alerts on purpose so I have data to use when I'm working on Snort package development tasks.

@Simbad said in Snort v3.2.9.9 Package Update - Release Notes (for pfSense-2.4.4 RELEASE): Thank you, I'll bury my head in logs like an ostrich in the ground,... [image: 1566154485077-7566b68f-a11d-4f84-9fca-df8455d0a495-image.png] I would recommend first temporarily turning off the option for sending alerts to syslog. Do that for all interfaces and then restart Snort on all interfaces. That will make for a quieter log where other messages will more easily stand out. Once you track down the problem with the troublesome interface, you can re-enable the syslog alert output.

@ffuentes said in Adding custom rule: I added the following to the cutom.rules: alert tcp $EXTERNAL_NET any -> any 25 (msg:"SMTP AUTH LOGON brute force attempt"; content:"AUTH LOGIN"; nocase; classtype:suspicious-login; sid:1000001; rev:2;) alert tcp $SMTP_SERVERS 25 -> $EXTERNAL_NET any (msg:"SMTP AUTH bruteforce attack"; content:"535 Incorrect authentication data."; nocase; classtype:attempted-user; threshold:type threshold, track by_src, count 2, seconds 60; sid:1000500; rev:6;) I am trying to alleviate the rash of auth failures spammers/bots are causing to our mail server. Once I added to teh cutom.rules the system validates it and reloads. Than I just sit and wait but I see nothing been blocked.... I look at my mail server logs and I still see: 535 Incorrect authentication data. Am I doing this wrong? TIA! If you are not seeing alerts for your custom rule, then that means it is written incorrectly. By that I don't mean a syntax error, but instead the conditions you specify in order to trigger the rule are not being detected. Here are some suggestions: Make sure that on the VARIABLES tab you have actually assigned a correct alias or IP address to the $SMTP_SERVERS variable. The best way to do this is create a firewall alias containing the correct IP address or addresses and then make sure that alias is defined for the SMTP_SERVERS variable on the VARIABLES tab for the Snort interface. You may also need to grab some packet captures to be sure you have the exact strings contained within your rules. Finally, the advice of @NollipfSense only applies to you if you are running Suricata and using Inline IPS Mode, or only if you are running the Snort 4.0 package on pfSense-2.5 DEVEL and using the new Inline IPS Mode there. If you are using the Snort package on pfSense-2.4.4, then you do not change rule actions because there is no Inline IPS mode available.