• New version snort/ suricata?

    0 Votes
    4 Posts
    2k Views
    bmeeks
    Snort 2.9.8.0 will be along soon. Working on converting the GUI to Bootstrap, and was trying to get that finished before updating the binary. If the Bootstrap conversion drags out too long, I can post a Pull Request to update the binary to 2.9.8.0.

    As for Suricata, it too is being converted to Bootstrap. One of the pfSense developers is helping with (actually he is doing) the work. He also has other responsibilities, and the Suricata conversion is a bit behind schedule. I have tested Suricata 3.0RC3 and it works in pfSense. The goal is to release the updated GUI along with the new Suricata 3.0RC3 binary (or whatever is current at the time).

    We are also planning to provide the long-awaited inline IPS mode with Suricata 3.0 using Netmap. I have tested it and it works. We just need to modify the GUI a bit to provide the necessary configuration fields. Suricata will sport two IPS/IDS modes: (1) legacy mode using libpcap and the custom blocking plugin (what it uses today); and (2) true inline IPS mode using Netmap.

    Bill
  • Snort output to syslog (not what I want)

    0 Votes
    4 Posts
    3k Views
    E
    Ah, very helpful.  Thank you, fragged.
  • Snort: Suppress Source Addresses

    0 Votes
    12 Posts
    4k Views
    Ruddimaster
    Hi Bill, many thanks… Dirk
  • Snort Rules Configuration - Backup / Duplication?

    0 Votes
    4 Posts
    2k Views
    bmeeks
    Which file are you editing? When I directly edit the config, I use the file /conf/config.xml. I navigate to the file using Diagnostics > Edit File. It is living dangerously to directly edit the production file, but since mine is a home system I take the risk.

    I don't know why your changes are getting overwritten. I've never had that happen to me. I think there are some hoops to jump through if you import or copy in a new config.xml file itself from a remote source. The contents of the file are saved in a large global memory array. Perhaps something is triggering a "dump" of the in-memory data back to the file and thus overwriting the changes you just made.

    Bill
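The thread is about backing up or duplicating a Snort per-interface configuration, which lives under `<installedpackages>` in config.xml. The following is an added example, not code from the thread or from the pfSense Snort package: it reads a configuration in that shape, exports one interface's Snort block as a backup, and clones it onto another interface without touching the live file. The sample XML is constructed, and the element names (`snortglobal`, `rule`, `interface`, `descr`, `rulesets`) are an assumption drawn from the package's layout; check them against your own config.xml before relying on this.

```python
import copy
import xml.etree.ElementTree as ET

# Constructed sample in the shape of pfSense's /conf/config.xml. The element names
# under <installedpackages> are an assumption (see lead-in); only the parts this
# example touches are included.
SAMPLE_CONFIG = """<pfsense>
  <installedpackages>
    <snortglobal>
      <rule>
        <interface>wan</interface>
        <descr>WAN</descr>
        <enable>on</enable>
        <rulesets>emerging-scan.rules||snort_attack-responses.rules</rulesets>
      </rule>
      <rule>
        <interface>lan</interface>
        <descr>LAN</descr>
        <enable>on</enable>
        <rulesets>emerging-scan.rules</rulesets>
      </rule>
    </snortglobal>
  </installedpackages>
</pfsense>
"""

SNORTGLOBAL = "./installedpackages/snortglobal"


def _rules(root):
    """Return the <snortglobal> element and its per-interface <rule> children."""
    parent = root.find(SNORTGLOBAL)
    if parent is None:
        raise KeyError("no <snortglobal> section: Snort package config not present")
    return parent, parent.findall("rule")


def snort_interfaces(config_xml):
    """List the pfSense interface names that carry a Snort per-interface config."""
    _, rules = _rules(ET.fromstring(config_xml))
    return [r.findtext("interface") for r in rules]


def export_interface(config_xml, iface):
    """Return one interface's <rule> block as standalone XML, usable as a backup."""
    _, rules = _rules(ET.fromstring(config_xml))
    for rule in rules:
        if rule.findtext("interface") == iface:
            return ET.tostring(rule, encoding="unicode")
    raise KeyError("no Snort config for interface %r" % iface)


def duplicate_interface(config_xml, src, dst, dst_descr):
    """Clone src's Snort <rule> block onto interface dst; return the new config XML.

    Refuses to overwrite an existing per-interface block so a typo in dst cannot
    clobber a working interface's configuration.
    """
    root = ET.fromstring(config_xml)
    parent, rules = _rules(root)
    if any(r.findtext("interface") == dst for r in rules):
        raise ValueError("interface %r already has a Snort config" % dst)
    src_rule = next((r for r in rules if r.findtext("interface") == src), None)
    if src_rule is None:
        raise KeyError("no Snort config for interface %r" % src)
    clone = copy.deepcopy(src_rule)
    clone.find("interface").text = dst
    clone.find("descr").text = dst_descr
    parent.append(clone)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    # Work on a copy of the document; never write the result straight over /conf/config.xml
    # on a running box, since pfSense holds the config in memory and may write it back.
    new_cfg = duplicate_interface(SAMPLE_CONFIG, "wan", "opt1", "DMZ")
    print(snort_interfaces(new_cfg))
    print(export_interface(new_cfg, "opt1"))
```

The in-memory copy Bill mentions is the reason to stage changes in a separate file and load them through pfSense's own restore path (Diagnostics > Backup & Restore) rather than editing the live file: a write from the running system will otherwise overwrite hand edits with the stale in-memory version.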
  • Snort 2.9.4.1 pkg v.2.5.8

    0 Votes
    168 Posts
    106k Views
    BBcan177
    @NetDefense: OK, I did some digging and figured that out. Your post makes sense to me now that I know what Emerging Threats is. I did notice this post is kind of old, and when I take a look at the RBN rules it appears they are no longer updated. http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork The RBN list has been discontinued for a while now… The only two free lists available from Emerging Threats (now Proofpoint) are ET Compromised and ET Block. With the ET IQRisk suite (paid subscription) they have an IPRep list available...
  • Best Way to Bypass Snort for Specific Servers?

    0 Votes
    3 Posts
    3k Views
    ?
    Create an extra DMZ and place the server inside of this, then set up Snort scanning on your LAN port. So the server will have an Internet connection and the rest of the LAN will be scanned by Snort.
    WAN - NAT and pf
    DMZ - Snort is not scanning
    LAN - Snort is scanning
  • Suricata signature issues

    0 Votes
    3 Posts
    4k Views
    T
    Ok great. Thank you Bill. I can definitely live with that!
  • Suricata offline rules update

    0 Votes
    3 Posts
    2k Views
    J
    Thanks for your reply. I already tried that, but it didn't work out; there are a number of configuration files that need to be updated, but I could not find which ones or what to write.
  • Suricata/Snort and VPN protection

    0 Votes
    4 Posts
    3k Views
    T
    Did it! :D Great! In effect, I only intend to set up Suricata for the moment. Thank you a lot!
  • https://papertrailapp.com/ or a free cloud syslog for WAN Barnyard2

    0 Votes
    5 Posts
    1k Views
    H
    I tried to put only the address, and I changed the port from 514 to the papertrailapp port, and I opened this port in the firewall, and it doesn't work. I want to try again.
  • 0 Votes
    4 Posts
    1k Views
    bmeeks
    Multiple instances happens sometimes when the pfSense core code sends more than one "restart packages" command in a short time interval.  This can happen, for instance, during a WAN IP update caused by DHCP (if you have that configured on the WAN side).  There are a few other triggers of the "restart packages" command. Bill
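The symptom Bill describes, more than one Snort process bound to the same interface after a burst of "restart packages" commands, is easy to confirm from the process table. The following is an added example, not code from the thread or the pfSense package: it parses `ps` output, groups snort processes by their `-i` interface, reports interfaces with more than one instance, and names the surplus PIDs. The `ps` text is constructed; the command lines follow the general form the package uses (`-c <snort.conf> ... -i <iface>`) but the paths and numbers are made up. Keeping the lowest PID as the "original" is a heuristic.

```python
import re
from collections import defaultdict

# Constructed excerpt of `ps -axww -o pid,command`. Paths and the numeric UUIDs in the
# config directory names are invented; only the -i <iface> flag matters here.
SAMPLE_PS = """\
  PID COMMAND
 1234 /usr/local/bin/snort -R 53147 -D -q -c /usr/local/etc/snort/snort_53147_igb0/snort.conf -i igb0
 1290 /usr/local/bin/snort -R 53147 -D -q -c /usr/local/etc/snort/snort_53147_igb0/snort.conf -i igb0
 1301 /usr/local/bin/snort -R 18265 -D -q -c /usr/local/etc/snort/snort_18265_igb1/snort.conf -i igb1
 1455 /usr/local/bin/barnyard2 -r 53147 -f snort_53147_igb0.u2 -c /usr/local/etc/snort/snort_53147_igb0/barnyard2.conf -D
"""

# Match only lines whose executable is named "snort"; barnyard2 and other helpers that
# mention snort paths in their arguments are ignored.
PS_LINE = re.compile(r"^\s*(\d+)\s+(\S*/snort)\s+(.*)$")
IFACE_FLAG = re.compile(r"(?:^|\s)-i\s+(\S+)")


def snort_instances(ps_output):
    """Map each sniffing interface to the sorted PIDs of snort processes bound to it."""
    by_iface = defaultdict(list)
    for line in ps_output.splitlines():
        m = PS_LINE.match(line)
        if not m:
            continue
        iface = IFACE_FLAG.search(m.group(3))
        if iface:
            by_iface[iface.group(1)].append(int(m.group(1)))
    return {k: sorted(v) for k, v in by_iface.items()}


def duplicate_instances(ps_output):
    """Interfaces carrying more than one snort process: the condition from the post."""
    return {k: v for k, v in snort_instances(ps_output).items() if len(v) > 1}


def surplus_pids(ps_output):
    """PIDs to stop so each interface keeps exactly one instance. Keeps the lowest PID,
    which on a normally running system is the one started first (heuristic)."""
    return sorted(pid for pids in duplicate_instances(ps_output).values() for pid in pids[1:])


if __name__ == "__main__":
    for iface, pids in duplicate_instances(SAMPLE_PS).items():
        print("%s: %d snort instances (pids %s)" % (iface, len(pids), pids))
    print("would stop:", surplus_pids(SAMPLE_PS))
```

On a real box feed it `ps -axww -o pid,command` and stop the surplus PIDs, or simply restart the interface from the package GUI, which is the supported way to get back to one instance.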
  • 0 Votes
    37 Posts
    16k Views
    C
    Hi guys, this topic really helped me, but in my case the solution was to create two databases, one for each Barnyard instance (I have two monitored interfaces); no more "Duplicate entry" now. Thanks!
  • Snort & Suricata question

    0 Votes
    1 Post
    879 Views
    No one has replied
  • OpenAppID Stats

    0 Votes
    1 Post
    2k Views
    No one has replied
  • Add a URL in the snort pass list

    0 Votes
    2 Posts
    1k Views
    H
    Finally I found the solution. I created a suppress list, then applied it to the interface, then restarted Snort. I found a YouTube video.
  • ET POLICY HTTP traffic on port 443 (POST)

    0 Votes
    3 Posts
    5k Views
    F
    @bmeeks: You could safely disable that rule if you wish. Bear in mind that if you decide to allow HTTP traffic on 443, all the rules with $HTTP_PORTS won't be inspecting that traffic. Unless you add 443 to the $HTTP_PORTS variable, which will cause other false positives with some HTTPS inspection. In other words, the way a lot of rules are made, HTTP (non-encrypted) traffic shouldn't be on 443. F.
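The point made in the reply above, that a rule whose destination port field is `$HTTP_PORTS` never looks at port 443 until 443 is added to that variable, can be checked mechanically. The following is an added example, not code from the thread or from the Snort project: it expands a Snort port field (`$VAR`, `any`, `N`, `lo:hi`, `[..]`, `!spec`) the way the rule header is evaluated and shows which of a set of rules would inspect a packet to port 443 before and after widening the variable. The portvar value, the rule text and the SIDs (local 1000000 range) are constructed for the example; the real `HTTP_PORTS` list in snort.conf is much longer but uses the same syntax.

```python
import re

ALL_PORTS = frozenset(range(0, 65536))

# Constructed, shortened stand-in for the portvars in snort.conf.
PORTVARS = {
    "HTTP_PORTS": "[80,81,311,8000:8080,8443,8888]",
    "SHELLCODE_PORTS": "!80",
}

# Constructed rule headers; the bodies are abbreviated since only the header's port
# fields matter for this check.
HTTP_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $HTTP_PORTS '
             '(msg:"constructed HTTP POST rule"; flow:to_server,established; '
             'content:"POST"; http_method; sid:1000001; rev:1;)')
PORT443_RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET 443 '
                '(msg:"constructed port-443 rule"; flow:to_server,established; '
                'sid:1000002; rev:1;)')

HEADER = re.compile(
    r"^\s*(?P<action>\w+)\s+(?P<proto>\w+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\("
)
SID = re.compile(r"\bsid:\s*(\d+)")


def parse_ports(spec, portvars):
    """Expand one Snort port field into the set of ports it admits."""
    spec = spec.strip()
    if spec.startswith("!"):                       # top-level negation
        return ALL_PORTS - parse_ports(spec[1:], portvars)
    if spec == "any":
        return set(ALL_PORTS)
    if spec.startswith("$"):                       # variable reference
        return parse_ports(portvars[spec[1:]], portvars)
    if spec.startswith("[") and spec.endswith("]"):
        spec = spec[1:-1]
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        if item.startswith("$"):
            ports |= parse_ports(item, portvars)
        elif ":" in item:                          # lo:hi range, either end optional
            lo, hi = item.split(":", 1)
            ports.update(range(int(lo) if lo else 0, (int(hi) if hi else 65535) + 1))
        else:
            ports.add(int(item))
    return ports


def rule_inspects(rule, dst_port, portvars, src_port=None):
    """True if the header's port fields admit a packet to dst_port (from src_port, if given)."""
    m = HEADER.match(rule)
    if not m:
        raise ValueError("not a Snort rule header: %r" % rule[:40])
    sports = parse_ports(m.group("sport"), portvars)
    dports = parse_ports(m.group("dport"), portvars)
    forward = dst_port in dports and (src_port is None or src_port in sports)
    if m.group("dir") == "<>":                     # bidirectional: either orientation
        return forward or (dst_port in sports and (src_port is None or src_port in dports))
    return forward


def rules_covering(rules, dst_port, portvars):
    """SIDs of the rules that would inspect traffic to dst_port under these portvars."""
    return [int(SID.search(r).group(1)) for r in rules if rule_inspects(r, dst_port, portvars)]


def add_port(portvars, name, port):
    """Return a copy of portvars with `port` appended to the named list variable."""
    value = portvars[name].strip()
    if value.startswith("!"):
        raise ValueError("cannot append to a negated portvar %r" % name)
    return {**portvars, name: "[%s,%d]" % (value.strip("[]"), port)}


if __name__ == "__main__":
    rules = [HTTP_RULE, PORT443_RULE]
    print("443 before:", rules_covering(rules, 443, PORTVARS))
    widened = add_port(PORTVARS, "HTTP_PORTS", 443)
    print("443 after adding 443 to HTTP_PORTS:", rules_covering(rules, 443, widened))
```

The second result is the trade-off the reply warns about: once 443 is in `$HTTP_PORTS`, every rule keyed on that variable runs its content matches against TLS records on 443, which is where the extra false positives come from. Disabling or suppressing the single policy rule leaves the rest of the ruleset's behaviour unchanged.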
  • Using Snort for gateway selection ?

    0 Votes
    3 Posts
    964 Views
    J
    Thanks for your reply. That makes perfect sense. Hadn't thought it through enough… Happy Holidays, John
  • Snort as fail2ban?

    0 Votes
    4 Posts
    5k Views
    K
    Hi, thank you for the reply. Well… I did not really understand what you mean. I have been trying to follow this guide http://www.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense. All I would want is, let's say I open port 443 for the webGUI and someone tries to access it many times; eventually that IP gets blocked, as it shows in the guide. But I was not able to get it working. Not sure if I added all the rules? And not sure what this unknown rule "http inspect" is. See pics. Thank you
  • Snort false positives? Are those some false positives?

    0 Votes
    3 Posts
    6k Views
    P
    Good to know! I have disabled those rules for now, but I feel there is still some cleanup to do before I get Snort running smoothly and not acting crazy on every bit that comes and goes from my LAN. Another thing for people micromanaging the rules: we can remove "Enable/Disable" changes in the current Category, remove all Enable/Disable changes in all Categories (good if you want to return to the stock ruleset), disable all rules in the current Category, enable all rules in the current Category (those two are good to enable/disable all rules quickly), but there is a missing filter to display only specific sets of rules, for example all rules that were manually disabled or enabled, all rules currently disabled or enabled, etc… and a filter to search rules by SID would be great as well... especially during a fatal error.
  • Snort ruleset update errors, SSL certificate problem

    0 Votes
    3 Posts
    1k Views
    bmeeks
    No problem here in the USA with Snort VRT updates. Here is the log output from just after midnight Eastern Standard Time today:

        Starting rules update...  Time: 2015-12-23 01:30:01
        Downloading Snort VRT rules md5 file snortrules-snapshot-2976.tar.gz.md5...
        Checking Snort VRT rules md5 file...
        There is a new set of Snort VRT rules posted.
        Downloading file 'snortrules-snapshot-2976.tar.gz'...
        Done downloading rules file.
        Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
        Checking Emerging Threats Open rules md5 file...
        There is a new set of Emerging Threats Open rules posted.
        Downloading file 'emerging.rules.tar.gz'...
        Done downloading rules file.
        Extracting and installing Snort VRT rules...
        Using Snort VRT precompiled SO rules for FreeBSD-10-0 ...
        Installation of Snort VRT rules completed.
        Extracting and installing Emerging Threats Open rules...
        Installation of Emerging Threats Open rules completed.
        Copying new config and map files...
        Updating rules configuration for: WAN ...
        Updating rules configuration for: DMZ ...
        Updating rules configuration for: LAN ...
        Restarting Snort to activate the new set of rules...
        Snort has restarted with your new set of rules.
        The Rules update has finished.  Time: 2015-12-23 01:30:54

    Could be (or could have been) a temporary condition.

    Bill
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.