• pfSense reinstall hanging on rules download
    0 Votes, 2 Posts, 292 Views
    Last post: This has been solved. I had to remove the package lock file via the GUI and then hit the reinstall package button. This then completed the Snort install but omitted all other packages. So I restored the config file one more time via the GUI. Upon reboot, the remaining packages were installed. All good, but not straightforward.
• IPS Mode on Snort pfSense
    0 Votes, 5 Posts, 1k Views
    Last post: Thank you for the information, but I have finished following it step by step. Is there any alternative to block attackers, like port scanning?
• Non ip(\) parameter passed with white list, skipping…
    0 Votes, 4 Posts, 380 Views
    Last post by bmeeks: I still stand by my theory that an Alias is not getting resolved to its actual IP address on the box with the error message. The GUI code uses pfSense system calls to convert alias names to their actual IP addresses. The actual IP addresses are then written into the pass list file when it is created. The same thing happens for interfaces, DNS servers and the other parameters listed on the Pass List edit page. They all get resolved to actual IP addresses with masks and are then written to the Pass List file Snort or Suricata uses. If for any reason an Alias, an interface, a DNS server or a gateway returns an empty address, then that empty address shows up in the file and generates the error.
    You can open and view the actual Pass List text file being used by the interface. Navigate to /usr/local/etc/snort/snort_xxxxx/ and open the pass list file in the directory. The "_xxxxx" term will be your physical interface name along with a GUID random number. You can browse to the file using DIAGNOSTICS > EDIT from the pfSense menu.
    Bill
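The check Bill describes, as an added example that is not part of the post or of the pfSense package: a small Python script that reads a pass list file and flags every non-comment line that is empty or does not parse as an IPv4/IPv6 address or network, which is what an alias, interface or gateway that resolved to nothing leaves behind. The file name `passlist` under the interface directory is an assumption; use whatever file Diagnostics > Edit shows in that directory. The sample pass list is constructed here to show the failure.

```python
"""Flag entries in a Snort/Suricata pass list that are not an IP address or
CIDR network. Added example (not pfSense package code): it reproduces the
condition behind "Non ip(...) parameter passed with white list" by finding
empty or non-IP lines in the generated file.
"""
import ipaddress
import sys

# Constructed sample of a pass list as the package writes it: one address or
# network per line. The blank line stands in for an alias or gateway that
# resolved to an empty string.
SAMPLE_PASSLIST = """\
# generated pass list (constructed sample)
127.0.0.1/32
192.168.1.0/24
8.8.8.8/32

fe80::/10
not_an_ip
"""


def check_passlist(text):
    """Return (good, bad): good is a list of ip_network objects, bad is a list
    of (line_number, raw_line) for every line Snort will reject."""
    good, bad = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if line.startswith("#"):
            continue                     # comments are harmless
        if not line:
            bad.append((lineno, raw))    # the empty-address case Bill describes
            continue
        try:
            good.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            bad.append((lineno, raw))    # garbage such as an unresolved alias name
    return good, bad


def report(text):
    """Print each offending line and return how many there were."""
    good, bad = check_passlist(text)
    for lineno, raw in bad:
        print(f"line {lineno}: non-IP entry {raw!r}")
    print(f"{len(good)} valid entries, {len(bad)} bad")
    return len(bad)


if __name__ == "__main__":
    # On the firewall (file name is an assumption, check the interface directory):
    #   python3 check_passlist.py /usr/local/etc/snort/snort_<id>_<if>/passlist
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            sys.exit(1 if report(fh.read()) else 0)
    report(SAMPLE_PASSLIST)
```

A non-zero exit means the generated file carries an entry Snort cannot parse; the line number points at which alias, interface or server on the Pass List edit page is resolving to nothing.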
• Snort Alert Log Questions
    0 Votes, 5 Posts, 1k Views
    Last post: Thanks Bill.
• Suricata ETOpen rule update fails while Snort updates without a problem
    0 Votes, 3 Posts, 1k Views
    Last post: Hi Bill, how right you were. Just updated without a problem. Thank you very much for taking the time to get back to me. Kind regards, John
• Snort Alert Help
    0 Votes, 2 Posts, 597 Views
    Last post by bmeeks: You don't need a specific rule, but you must input the MAC/IP pairs for all hosts you want to monitor in the table under the ARP Spoof Detection section of the PREPROCESSORS tab for the interface. Be advised this option can be quite a log spammer and is not good at detecting many types of ARP attacks. In short, it's a feature that sounds better than it really works in practice. That's my humble opinion. I added the configuration to the GUI because some users wanted to implement it.
    Bill
• 0 Votes, 6 Posts, 3k Views
    Last post by bmeeks: @ecfx: "I know about the Snort rules on Suricata, and that was not a problem on Suricata 3.2.2: the same rules were ignored and Suricata still worked. The real problem is the crash that the latest Suricata version, 4.0.0, now causes. Too bad the previous Suricata version is gone from the pfSense repo and we can't go back. In this case, upgrading to the latest Suricata version was a mistake."
    Found this bug report on the Suricata Redmine site: https://redmine.openinfosecfoundation.org/issues/2251#change-8823. You can follow the progress there. The pfSense package uses the Suricata binary from upstream. The only thing the GUI package really does is create the suricata.yaml text configuration file and then display some data from logs. So any issues in the underlying upstream binary will also exist in the pfSense package.
    Bill
• [ASK] pfSense On Cloud
    0 Votes, 4 Posts, 821 Views
    Last post by bmeeks: @ucok28: "So how to make Snort block?" See my reply to you in this thread: https://forum.pfsense.org/index.php?topic=139028.msg760114#msg760114
    Bill
• SID configuration files go away on reboot
    0 Votes, 3 Posts, 372 Views
    Last post: Yep, that was it. Now that my system disks are SSD, I really don't need the RAM disk feature anymore. I am turning it off. Thanks again.
• Snort - Blocked Hosts lost after upgrade/reboot
    0 Votes, 2 Posts, 327 Views
    Last post by bmeeks: No, the blocks are stored in a pf table called snort2c. That table is created by the pfSense code at startup and maintained in RAM. On a reboot, it is dumped and recreated fresh but empty. Persisting blocks has no real benefit anyway. If Snort blocked the traffic once, it will block it the next time it sees it. So why persist across reboots and add all that complexity to the code?
    Bill
• Barnyard2 error with Suricata inline mode
    0 Votes, 3 Posts, 456 Views
    Last post: Thanks. I was able to fix this by setting the Pass List option to none. Inline mode was not working with my NICs until the latest update, so I think the Pass List setting carried over when I made the switch from legacy to inline.
• IDS decisions for home network
    0 Votes, 6 Posts, 2k Views
    Last post: Is there an overview of supported network cards for inline mode? Using 2.4.x and FreeBSD 11, is there anything different from the old version 2.3.x?
• Disable sid sidmgmt error in system logs
    0 Votes, 5 Posts, 534 Views
    Last post by bmeeks: @doktornotor: "@bmeeks: Those files are saved in /var/db/suricata/sidmods. Those files are not automatically saved during a config backup/restore operation. Is there any reason why this isn't saved base64-encoded in config.xml? It's annoying; the disablesid.conf is a pretty important piece of configuration to avoid tons of FPs."
    Well, I was leery of making the config.xml too large by including what could potentially be a lot of text. The ideal solution would be an API within pfSense itself where packages could register files to be included in automatic config backups. Other packages store large text files locally as well (pfBlockerNG does, I think).
    Bill
• Snort - ignore/bypass port inspection
    0 Votes, 6 Posts, 2k Views
    Last post by NogBadTheBad: Was going to suggest something like that, but I wasn't sure if custom rules overwrite normal rules. I use a custom rule to record when people are accessing my sftp server sat in my DMZ:

        # Alert on SSH
        alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SSH Detected"; flow:established,to_server; content:"SSH-"; sid:1000001; rev:1; classtype:not-suspicious;)
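Before pasting a custom rule like the one above into the Snort custom rules box, it is worth checking the parts that commonly go wrong. The following linter is an added example, not code from the post or from Snort: it parses the rule header and option list and checks for a msg, a rev, a quoted content and a sid in the local range (Snort reserves SIDs below 1,000,000 for distributed rule sets, so a local rule that reuses a low SID collides with a VRT or ET rule rather than overriding it). The action and protocol keywords are those of Snort 2; `RULE` is the post's rule reflowed onto one line.

```python
"""Lint a custom Snort 2 rule before adding it to the pfSense custom rules box.
Added example, not part of the post or of Snort. Escaped quotes inside option
values are not handled."""
import re

# The rule from the post, reflowed onto one line.
RULE = ('alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS '
        '(msg:"SSH Detected"; flow:established,to_server; content:"SSH-"; '
        'sid:1000001; rev:1; classtype:not-suspicious;)')

# Snort 2 header: action proto src sport direction dst dport (options)
HEADER_RE = re.compile(
    r'^(?P<action>alert|log|pass|drop|reject|sdrop)\s+'
    r'(?P<proto>tcp|udp|icmp|ip)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+'
    r'(?P<direction>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*\((?P<opts>.*)\)\s*$')

LOCAL_SID_MIN = 1000000   # Snort convention: local rules use sid >= 1,000,000


def parse_options(opts):
    """Split the option body on ';' outside double quotes into (name, value)."""
    pairs, buf, in_str = [], '', False
    for ch in opts:
        if ch == '"':
            in_str = not in_str
        if ch == ';' and not in_str:
            if buf.strip():
                name, _, value = buf.strip().partition(':')
                pairs.append((name.strip(), value.strip()))
            buf = ''
        else:
            buf += ch
    if buf.strip():                      # tolerate a missing trailing ';'
        name, _, value = buf.strip().partition(':')
        pairs.append((name.strip(), value.strip()))
    return pairs


def lint_rule(rule):
    """Return a list of problems; an empty list means the rule passed."""
    m = HEADER_RE.match(rule.strip())
    if not m:
        return ['header does not parse: expected action proto src sport -> dst dport (options)']
    problems = []
    opts = dict(parse_options(m.group('opts')))
    if 'msg' not in opts:
        problems.append('missing msg')
    sid = opts.get('sid')
    if sid is None or not sid.isdigit():
        problems.append('missing or non-numeric sid')
    elif int(sid) < LOCAL_SID_MIN:
        problems.append(f'sid {sid} is in the reserved range; local rules use >= {LOCAL_SID_MIN}')
    if 'rev' not in opts:
        problems.append('missing rev')
    if 'content' in opts and not opts['content'].startswith('"'):
        problems.append('content value must be quoted')
    return problems


if __name__ == '__main__':
    for r in (RULE, RULE.replace('sid:1000001', 'sid:2001')):
        print(r[:40] + '...', lint_rule(r) or 'OK')
```

Run it over each custom rule you intend to add; the SID check is the one that matters for the "do custom rules overwrite normal rules" question, since two rules with the same SID are a conflict, not an override.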
• Snort vs Suricata
    0 Votes, 14 Posts, 16k Views
    Last post: OK, I know this is an older post, but wanted to update that ET Pro is now $750/year. Total sticker shock on that one, and out of reach for home and most small business users. So if you combine that with Snort VRT for a small business, you are over $1000/year. Can't sell that to any of my clients.
• Suricata/Snort on a mirrored port
    0 Votes, 7 Posts, 4k Views
    Last post by bmeeks: @Georget27: "Should we create HOME_NET and EXTERNAL_NET under Firewall - Alias, or is there another place to define aliases just for Suricata please? I was looking for this :)"
    You will create an alias under Firewall - Alias, and then assign the alias to a Pass List you can generate on the PASS LIST tab. Uncheck all the default-checked options for the Pass List and then choose your HOME_NET alias down at the bottom. You can name the Pass List whatever you wish, but I suggest including "HomeNet" in the name. Now go to the INTERFACE SETTINGS tab for the interface and in the section for defining HOME_NET select the recently created Alias from the drop-down and then save.
    Bill
• Suricata causing kernel error "netmap_grab_packets bad pkt at"
    0 Votes, 19 Posts, 6k Views
    Last post: I also am using supported hardware and get quite a few of these bad pkt errors as well. I think I am going back to legacy mode for now. It is better than it was a year ago, when inline really bugged things up. I will go back to it in the future. Real shame, since legacy doesn't stop everything you want.
• Suricata & Snort subscription rules
    0 Votes, 3 Posts, 2k Views
    Last post: Thank you! :-)
• 2.4.0 Snort Issue
    0 Votes, 1 Post, 519 Views
    No one has replied
• Snort download pcap file
    0 Votes, 2 Posts, 957 Views
    Last post by NogBadTheBad: You need to run u2boat to convert them to a Wireshark pcap format:

        u2boat snort_51260_igb0_vlan2.u2.1507590514 pcap.cap

    You can view them via:

        u2spewfoo snort_51260_igb0_vlan2.u2.1507590514

    The directories will start snort_IF-NAME*
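What u2boat does under the hood, as an added example that is not u2boat's own code: a unified2 spool file is a stream of records, each with a big-endian 4-byte type and 4-byte length, and records of type 2 (UNIFIED2_PACKET) carry a seven-field header (sensor id, event id, event second, packet second, packet microsecond, link type, packet length) followed by the raw frame. The script below pulls those packet records out, skips event and extra-data records, tolerates a truncated tail (the spool file may still be open for writing), and emits a classic pcap that Wireshark opens directly. The unified2 sample is constructed inline; the file names in the usage comment are placeholders.

```python
"""Convert the packet records of a Snort unified2 spool file to pcap, the job
u2boat performs. Added example, not u2boat's source."""
import struct
import sys

UNIFIED2_PACKET = 2          # record type carrying the raw packet
PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps


def iter_records(data):
    """Yield (type, body) for each record; stop cleanly on a truncated tail."""
    off = 0
    while off + 8 <= len(data):
        rtype, rlen = struct.unpack_from('>II', data, off)   # big-endian header
        off += 8
        if off + rlen > len(data):
            break                        # partial record: file still being written
        yield rtype, data[off:off + rlen]
        off += rlen


def packets_from_unified2(data):
    """Return [(ts_sec, ts_usec, linktype, frame)] from the packet records."""
    out = []
    for rtype, body in iter_records(data):
        if rtype != UNIFIED2_PACKET:
            continue                     # event / extra-data records are skipped
        (_sensor, _event_id, _event_sec, pkt_sec, pkt_usec,
         linktype, pkt_len) = struct.unpack_from('>7I', body, 0)
        frame = body[28:28 + pkt_len]    # 7 x uint32 = 28-byte packet header
        out.append((pkt_sec, pkt_usec, linktype, frame))
    return out


def to_pcap(packets, linktype=1):
    """Serialise packets to a little-endian pcap byte string (1 = Ethernet)."""
    hdr = struct.pack('<IHHiIII', PCAP_MAGIC, 2, 4, 0, 0, 65535, linktype)
    chunks = [hdr]
    for sec, usec, _lt, frame in packets:
        chunks.append(struct.pack('<IIII', sec, usec, len(frame), len(frame)))
        chunks.append(frame)
    return b''.join(chunks)


def convert(data):
    """unified2 bytes in, pcap bytes out; link type taken from the first packet."""
    pkts = packets_from_unified2(data)
    lt = pkts[0][2] if pkts else 1
    return to_pcap(pkts, lt)


def make_sample_unified2():
    """Constructed unified2 stream: one event record (type 7, body contents are
    irrelevant here) followed by one packet record holding a 14-byte Ethernet
    header (broadcast dst, 00:11:22:33:44:55 src, IPv4 ethertype)."""
    frame = bytes.fromhex('ffffffffffff001122334455' + '0800')
    pkt_body = struct.pack('>7I', 0, 1, 1507590514, 1507590514, 123456, 1, len(frame)) + frame
    event_body = b'\x00' * 52            # stand-in body, skipped by the converter
    return (struct.pack('>II', 7, len(event_body)) + event_body +
            struct.pack('>II', UNIFIED2_PACKET, len(pkt_body)) + pkt_body)


if __name__ == '__main__':
    # usage: u2_to_pcap.py <snort_...u2.NNN> <out.pcap>   (placeholder names)
    if len(sys.argv) == 3:
        with open(sys.argv[1], 'rb') as fh:
            pcap = convert(fh.read())
        with open(sys.argv[2], 'wb') as fh:
            fh.write(pcap)
    else:
        print(len(convert(make_sample_unified2())), 'bytes of pcap from the sample')
```

The event records are skipped because they carry the alert metadata (sid, addresses, ports) rather than a frame; that is the part u2spewfoo prints, and pairing the two by event_id is how a full u2boat-style tool would label each packet.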
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.