• Snort won't start.

    3
    0 Votes
    3 Posts
    2k Views
    bmeeksB
    @justsomeone: Snort won't start after updating some rules. I have un-installed and reinstalled. Any help would be much appreciated. Here are the logs:

    ```
    Time Process PID Message
    Jul 21 15:03:54 php-fpm 40562 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 35291 -D -q --suppress-config-log -l /var/log/snort/snort_em035291 --pid-path /var/run --nolock-pidfile -G 35291 -c /usr/local/etc/snort/snort_35291_em0/snort.conf -i em0' returned exit code '1', the output was ''
    Jul 21 15:03:54 snort 48245 FATAL ERROR: /usr/local/etc/snort/snort_35291_em0/rules/snort.rules(4832) byte_test rule option cannot extract more than 4 bytes without valid string prefix.
    Jul 21 15:03:53 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
    Jul 21 15:03:53 php-fpm 40562 /snort/snort_interfaces.php: Starting Snort on WAN(em0) per user request...
    Jul 21 15:03:51 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
    Jul 21 15:03:50 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
    Jul 21 15:03:42 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
    ```

    This error is caused by a mis-written rule signature. Likely it was updated by the authors but the error was not caught before the rule was added to the update tarball. You can find the errant rule and disable it by "decoding" the error message. Here is the snippet of the error message you need:

    /usr/local/etc/snort/snort_35291_em0/rules/snort.rules(4832)

    This tells you the file containing the rules where the error happened. The file is /usr/local/etc/snort/snort_35291_em0/rules/snort.rules, and the error is on line 4832 in that file. So open the file in an editor, locate line 4832, examine the rule there to find the SID and category, and then disable that rule in the GUI on the RULES tab.

    Bill
  • Suricata blocks homenet ip address

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB
    @crester: I don't know why but rebooting had worked.

    99 times out of 100 this means you had duplicate Snort instances running on the same interface. To the GUI, one of those process instances is like a zombie and lost. So any changes made to HOMENET or anything else in the GUI don't get applied to that running zombie process. Rebooting will kill everything and then you get back to a single Snort instance per configured interface and things are normal.

    Bill
  • 0 Votes
    2 Posts
    556 Views
    bmeeksB
    The GUI package update to accompany the binary update has been posted for review and approval by the pfSense developer team.  Should get merged into the package repository soon.  Here is a link to the Pull Request with details on bug fixes and the new feature in this coming update. https://github.com/pfsense/FreeBSD-ports/pull/393 I will post a full set of release notes after the update is merged into the package repositories and is available for users to install. Bill
  • Help with troubleshooting Suricata failure

    4
    0 Votes
    4 Posts
    983 Views
    D
    I realize this is an old topic - however, maybe someone out there has crossed this bridge and can shed some light on the issue. I am running into the same problem as the OP.  Suricata (Inline - Intel i211) effectively shuts down the WAN interface and runs the CPU up to 100%.  Nothing in the logs indicates a problem, suricata log just goes silent.  A stop / start of Suricata and all is well again. The few times I've encountered this it did not seem to happen during times of high load on the interfaces. OP - Did you have any luck in adjusting buffers?
  • Snort - when to suppress?

    6
    0 Votes
    6 Posts
    3k Views
    V
    MrGlasspoole… just to be clear, I do not recommend you disable those rules. If you are not getting many alerts, "Suppress" might be a better route for you, assuming you have the available resources for your firewall to work harder.
  • VLAN, Trunk interface?

    2
    0 Votes
    2 Posts
    623 Views
    NogBadTheBadN
    I run Snort on the VLANs and exclude the parent interface; the untagged VLAN on my setup is for LAN management.
  • Snort update broke Snort…...again.......

    2
    0 Votes
    2 Posts
    614 Views
    JailerJ
    And after F*****g with it for the last half hour I hit the start button in the GUI…...and it's running.......
  • Need help whitelisting an IP

    2
    0 Votes
    2 Posts
    401 Views
    JailerJ
    Figured it out, I didn't have a description entered and it wasn't saving my work. Added a description to the alias and it's working now. Edit: Spoke too soon, still not working and it's still blocking that IP.  :(
  • Snort Update error 403

    10
    0 Votes
    10 Posts
    3k Views
    N
    Check the Package Manager and upgrade Snort; the issue will be gone.
  • Suricata 3.2.1_2 to 3.2.1_3 update failed

    2
    0 Votes
    2 Posts
    416 Views
    B
    I have the same issue. When I updated pfSense, after rebooting it updated a couple of packages and failed to update Suricata. I uninstalled Suricata and reinstalled it again, and it is working fine now without losing any configuration.
  • Snort JavaScript Heap Spray

    1
    0 Votes
    1 Posts
    613 Views
    No one has replied
  • Snort vs Suricata logging

    3
    0 Votes
    3 Posts
    3k Views
    F
    I know this is a bit older, but this request hasn't been pumped into any release for the httpd extend custom option. Why?
  • Unknown snort rule

    2
    0 Votes
    2 Posts
    2k Views
    G
    Found them!  OpenAppID rules, I had them all enabled. Logs cleared and back to normal ::)
  • Snort Notifications

    4
    0 Votes
    4 Posts
    2k Views
    ivorI
    I'm not sure if you've worked with an IDS before; you really don't want 99.99% of the alerts an IDS detects. Many are false positives. The most important part is to configure your firewall correctly.
  • 0 Votes
    2 Posts
    560 Views
    B
    I have the same issue: when I activate Suricata inline mode it works for a while, then it crashes with an endless stream of error text on the console, so I have to power off and power on again. If I use legacy mode it works fine. I tried the tunables below without solving the issue:

    net.inet.tcp.tso=0
    hw.igb.num_queues=1
    hw.pci.enable_msix=0

    Error message header:

    Fatal trap 19: non-maskable interrupt trap while in kernel mode

    Can anyone help us on this matter? Thanks
  • Block VPN connections over TCP 443 with Suricata?

    1
    0 Votes
    1 Posts
    696 Views
    No one has replied
  • SNORT OPENAPPID RULES DETECTORS offline install package?

    8
    0 Votes
    8 Posts
    2k Views
    G
    I think the issue is their servers. I am from Hong Kong and I have the exact error: when I try to go to www.ifs.edu.br, it displays a firewall message saying it has a Geo-IP block of Hong Kong. When I try to go to the website again using a VPN in the US, it displays the website just fine. Any way to work around this? It's definitely a GEO block. Any way to contact them? Or maybe if someone knows the URL, I can download the rules on a public server, add a DNS override and on the firewall
  • Suricata 3.2.2 available at freshports

    1
    0 Votes
    1 Posts
    594 Views
    No one has replied
  • Snort won't boot anymore with the pfsense 2.3.4-RELEASE

    2
    0 Votes
    2 Posts
    908 Views
    bmeeksB
    Follow the instructions I give here:  https://forum.pfsense.org/index.php?topic=127764.msg731895#msg731895 to remove Snort, clean up the older shared-object libraries and reinstall Snort. Bill
  • Snort Keeps Stopping

    10
    0 Votes
    10 Posts
    6k Views
    bmeeksB
    @Khampol: Hi, after a manual update today, well, Snort refuses to start…. See this in the LOG:

    FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.6 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 3.0. ::) ::) ::)

    Two things: (1) do you have the latest Snort package installed? (2) did you do a "remove and then reinstall" when updating the Snort package?

    Sounds like you have a problem another user had. You have old versions of the precompiled shared-object rules libraries hanging around on your system. To remove them, do the following:

    (1) Remove the Snort package.
    (2) Get to a CLI (command line) prompt on the firewall and delete any "snort" directories you find in the /usr/local/lib path.
    (3) Install the Snort package again.

    The above steps will not cause you to lose any configuration data so long as "save settings" is enabled on the GLOBAL SETTINGS tab. That setting is "on" by default.

    Bill
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.