• Suricata - Alert/event pcap?
    0 Votes, 4 Posts, 3k Views
    Thanks jeffh, this is what I have been looking for :)
  • Manually block IP in snort
    0 Votes, 3 Posts, 3k Views
    It would be nice if there was a way to send an IP through to the firewall to be blocked directly from the Snort interface. The reason I was thinking of doing it was just to preemptively block IPs that I consider bad. Anything trying to access RDP on my firewall is "attacking" me in some way, so if I were to block them when I saw the RDP connections, which wouldn't achieve anything, it may save me when they switch to SSH, which is open and could cause problems.
  • Suricata - VTR rules md5 fails to download
    0 Votes, 7 Posts, 2k Views
    I tried 2983 before, but there was a suricata update that I installed yesterday and the snort rules snapshot downloaded… So just in case none of the suggestions work, try to update the package.
  • Googlebot on suricata
    0 Votes, 2 Posts, 2k Views
    By disabling the offending rule. No idea which one is blocking search engines from websites, but sure like hell must have been a genius upstream to enable that. ::)
  • Snort: Some newbie assistance
    0 Votes, 2 Posts, 943 Views
    Reboot pfSense.
  • Suricata won't start after 3.0_10 update
    0 Votes, 4 Posts, 4k Views
    Already tried to get support from Netgate... mentioned that in my post... they wouldn't help with Suricata - period. So, I'm stuck with "the community". I understand no one here is obligated to help anyone else, and that is fine, but the lack of enthusiasm for Suricata in general on these forums kind of bugs me. I can't run Suricata in Inline mode and I'm cool waiting for that. I'd just drop back to Snort, which has enthusiastic support here, except for the fact that it can only scan ~20% of my traffic... I might as well turn it off. Suricata examines over 99.5% of my traffic, except right now, it won't start on my only blocking interface, but only on the primary of my HA pair. It starts fine on the backup firewall, so there is some kind of lower level corruption of the config files on my primary, but that is as far as I can troubleshoot. Just venting now... I'll shut up and get back to rebuilding my firewall. :-\

    UPDATE: After a complete rebuild of my primary firewall AND a hardware change from Intel X710 adapters to Intel X520 adapters, Suricata is now humming along in Inline mode. I want to thank those who responded helpfully to my posts during the process and especially thank Bill Meeks for maintaining the Suricata package.
  • 0 Votes, 6 Posts, 5k Views
    JeGrJ
    @BBcan177 Thanks for chiming in. I didn't want to hijack the thread ;) but in my case I'm looking forward to more insights on the per VLAN/subnet setting. Our use case would be to protect various customer project networks, all separated into different VLANs/subnets that are routed via our firewall. All those networks get connected via our DC WAN line. But as only two or three customers ask about IDS/IPS usage, we'd like to set up snort (or suricata for that matter) in a way that it listens on WAN but only intercepts/filters/blocks traffic belonging to those customers and leaves all other traffic alone. As different customers may have different needs, a per customer (-> per public IP/per VLAN) configuration would be needed for that (IMHO), so that's the question I have: is such a setup possible at all? Greets
  • Snort IPv6
    0 Votes, 3 Posts, 1k Views
    I'm currently only monitoring to fine-tune the ruleset since it's been a while since I used snort. It alerted on a couple of IPv6 packets for 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
  • Possible bug with SnortWhitelist management
    0 Votes, 1 Posts, 484 Views
    No one has replied
  • Is squid unpredictably broken?
    0 Votes, 1 Posts, 840 Views
    No one has replied
  • How to limit or block torrent with snort
    0 Votes, 1 Posts, 851 Views
    No one has replied
  • Help me with this snort alert: Potential DNS Cache Poisoning Attempt
    0 Votes, 3 Posts, 2k Views
    Looks like your machine is making normal domain name queries to ns3.google.com.
  • Snort not logging nmap port scans on LAN
    0 Votes, 4 Posts, 4k Views
    Hi. At my Snort > Preprocessors and Flow > LAN > Portscan Detection:
    Enable: X
    Protocol: all
    Scan Type: all
    Sensitivity: medium
    Memory Cap: 10000000
    Ignore Scanners:
    Ignore Scanned:
    I did an nmap scan of the pfSense LAN IP: nmap -T4 -A -v 192.168.0.254 …
    Discovered open port 443/tcp on 192.168.0.254
    Discovered open port 53/tcp on 192.168.0.254
    Discovered open port 22/tcp on 192.168.0.254
    ...
    And at Snort, LAN alerts:
    2016-11-17 20:37:39 3 TCP Unknown Traffic 192.168.0.254 8081 192.168.0.12 51052 120:3 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    2016-11-17 20:37:10 3 TCP Unknown Traffic 192.168.0.254 8081 192.168.0.12 50965 120:3 (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    And for another nmap scan from one host on the LAN to a remote host on the Internet, no alert at all!!! OK, I will try what you say … Regards
  • ICAP protocol error
    0 Votes, 7 Posts, 4k Views
    Same traffic. Fresh squid install, pf 2.3.2, squid 0.4.23_1. Antivirus breaks the internet with the aforementioned error message on numerous sites (most, actually). Tried to run the a/v update, get this in the realtime tab:
    WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock: No such file or directory
    a/v disabled for now, which is really too bad...
  • Need tutorial for snort
    0 Votes, 3 Posts, 1k Views
    What ttblum posted is all you really need and everything else is self-explanatory, but here is the pass list: https://doc.pfsense.org/index.php/Snort_passlist
  • Experienced user needs answers that should be obvious, yet aren't
    0 Votes, 3 Posts, 771 Views
    First I try to answer the questions in your first post:
    1. E.g. imagine one day a zero day vulnerability is discovered in the openvpn software. With your updated snort ruleset you can protect your unpatched device against exposure of this vulnerability.
    2. The example above applies here again. Because of the way TCP connections work, snort will block the answer (reply to a LAN connection) coming to your WAN interface if a rule matches the packet. So in this situation it "doesn't matter" whether a port is closed on your firewall or not.
    3. E.g. you accidentally or by mistake click a link in an email message that points to a crypto malware file that would encrypt your whole disk. Snort will block the connection and save you from a catastrophic situation.
    4. Pfblockerng will broaden the IPS function by blocking known malicious, attacking IP addresses and DNS addresses, thus further protecting your network against malware, spam, ransomware and other threats.
    As far as I can tell from your second post, you are not sure why to protect the traffic coming from the LAN interface. Your network could be attacked not just from the Internet. E.g. someone connects an infected USB drive to a computer in your network which spreads to all the machines. This infection could send private data out of your network, BUT snort could block this too.
  • Finding SRC IP on Snort (CnC)
    0 Votes, 2 Posts, 1k Views
    The source on mine was the yoyo adserver list I had enabled in the pfblockerNG package.
  • UBlock Origin - A NETWORK TROJAN - False Positive
    0 Votes, 5 Posts, 4k Views
    OMG, I have been getting a similar trojan alert and it's driving me mad trying to work out where it is coming from: https://forum.pfsense.org/index.php?topic=121123.0 I also have uBlock Origin, but my snort rule is only showing src as WAN. Now how can I tell if this is a false positive if I can't find the local IP?
  • 0 Votes, 5 Posts, 1k Views
    Hi. I do not know if this akamai server is compromised. But you can submit the "false positive" (or bug) to Snort if you have a registered user in the community: https://www.snort.org/community#submit_bug Regards.
  • Suricata HOME_NET - unable to uncheck Locally-Attached Networks
    0 Votes, 2 Posts, 586 Views
    In other words: unchecking Local Networks from the pass list seems to have no effect. :( Could it be a cosmetic issue, while clicking "View list"? (don't think so…) Also tried to override the HOME_NET value in Advanced Configuration Pass-Through, but Advanced Configuration Pass-Through seems to be broken too (encoded when the config is saved). :(
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.