• Snort behind an external firewall - Is there a need for Snort?

    0 Votes · 6 Posts · 2k Views
    @fsansfil: With everything going HTTPS these days a Bluecoat or squid with i-cap and sslbump is better for web filtering than an IPS. You might be better suited with a proxy. "So I am NOT complaining!" No harm, no offense; it's just me after working 12hrs in a row, doing suricata rules ;) F. I have the i-cap/clam anti-virus enabled in my squid3 config
  • Snort only runs ET rules, not Snort VRT

    0 Votes · 5 Posts · 1k Views
    2.1.5 is dead. Move on. No fixes will ever appear there.
  • Snort not starting after upgrade to 3.2.6

    0 Votes · 12 Posts · 3k Views
    As noted above - try without sync. (Hopefully gone everywhere again with 2.2.4.)
  • Why would a crawler coming from Google netblock show up as malevolent?

    0 Votes · 2 Posts · 911 Views
    Disable the broken rule. And while at it, disable 1:2015526, same idiocy.
  • Snort with OpenVPN Client uses 100% CPU

    0 Votes · 3 Posts · 2k Views
    bmeeks
    Using the ADVANCED PASS-THROUGH option would be the mechanism for using that config directive. You will find that on the INTERFACE SETTINGS tab for the specific interface. Bill
  • Suricata randomly stops scanning interface

    0 Votes · 4 Posts · 1k Views
    bmeeks
    Swapping cables would be one thing to try. It is possible that the libpcap library and the USB NIC don't play well together. Bill
  • BLACKLIST DNS rules question

    0 Votes · 4 Posts · 1k Views
    Well, the way to mass-disable rules is called SIG Mgmt.
  • Suricata Alerts

    0 Votes · 2 Posts · 6k Views
    Someone's pinging you… Some rule categories are just a horrible idea to enable; icmp_info definitely among them.
  • Snort Package Update - 2.9.7.3 pkg v3.2.6

    0 Votes · 5 Posts · 2k Views
    Okey dokey, thanks for the clarification :)
  • SNORT blocks whitelisted IP's

    0 Votes · 1 Post · 707 Views
    No one has replied
  • A bug fix update for the Snort package GUI is coming soon…

    0 Votes · 1 Post · 552 Views
    No one has replied
  • Re: SNORT Exiting on sig 11

    0 Votes · 3 Posts · 785 Views
    paulcdb
    If you're still having this problem, edit your snort interface and check under your "WAN preprocs" that you don't have Application ID Detection enabled. Mine seems to have been enabled with the last update and I just realised now.
  • Snort will not block sometimes.

    0 Votes · 2 Posts · 558 Views
    pfSense 2.1.* is no longer supported so you are running a really old version of Snort. Upgrade your pfSense and try again with the latest version of the package.
  • How do I show user/private IP not single, public IP

    0 Votes · 5 Posts · 1k Views
    If you want to see internal LAN IPs before NAT, you need to run on LAN as well.
  • Suricata package install hangs after PfSense reinstall

    0 Votes · 11 Posts · 2k Views
    Hmmm, WTF… There's something badly rotten with UFS.
  • [Request] Snort VRT categories list cleanup

    0 Votes · 5 Posts · 1k Views
    bmeeks
    @doktornotor: Excellent, thanks! Going to do the same for suricata as well? Yeah, I will port the same fixes/features in Snort over to Suricata. The Suricata GUI code was cloned from Snort's anyway, so they share a ton of functions with identical code. Bill
  • Snort Widget Error Blowing up PHP_Errors.log

    0 Votes · 3 Posts · 674 Views
    bmeeks
    Scratch my earlier reply. I forgot how my own code works … :-[ The Widget code first verifies an alert log file exists for the interface, then it tails the configured number of entries from it and writes those "tailed" entries to a temp file in the /tmp directory. The code then verifies the temp file exists in /tmp and then opens it for reading. The opening for reading is failing in your case, but the error says it's failing because the file does not exist. However, before the open is attempted, a call is made to verify the file exists, so I really don't know what is going on in your case. I can add another layer of error-checking to the Widget code and will do so in the next update. Bill
  • Snort interrupts

    0 Votes · 2 Posts · 751 Views
    bmeeks
    Snort puts monitored interfaces into promiscuous mode. This could, I suppose, generate a few more NIC interrupts as the card will be processing all packets instead of just packets sent to its MAC address. Bill
  • Snort raw rule downloads

    0 Votes · 2 Posts · 865 Views
    bmeeks
    The entire tarball is not saved (it is downloaded to and extracted in a folder under /tmp and then deleted). However, the individual rules files (category files) extracted from the raw tarball are saved here on the firewall: /usr/pbi/snort-amd64/etc/snort/rules. Change the amd64 to i386 if you have a 32-bit install. Bill
  • Snort stops by itself

    0 Votes · 22 Posts · 9k Views
    Thanks for the AC-BNFA-NQ, this seems to help us here as well. I want to contribute something I observed and can reproduce: Situation: HW (old PC) based pfSense in a branch office; Win 2012 R2 U1 based pfSense in our DC. Snort HW based is running stable with AC-NQ even though it has only 2 Cores and 8GB memory at all. Hyper-V based is running on 12 Cores and 16GB memory, but Snort failed with AC-NQ; the AC-BNFA-NQ does the trick. Now it can not only be activated (about 2 minutes) faster on all interfaces instead of one only, it now can be activated on all interfaces and it is running stable now for 3d; usually it turned itself off every 2h to 6h. A strange side effect on IPSec stability? :o We reported https://redmine.pfsense.org/issues/4790 (Title: Established IPSec Tunnel refused transporting further traffic out of sudden.. it then refuses any rule based traffic to anywhere!). Even though it should be impossible from my point of view, we observed that since the only configuration change on both tunnel ends is the Snort thing it seems to be an obvious side effect. This seems to be fixed now as well - and I find this is 'a bit' disturbing..
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.