ok. thx for your support. I will follow your advice!

@bbrendon: If you have your sid mgmt set to enable,disable; then you should be able to add to your disablesid.conf: pcre:protocol-command-decode I'm not sure if you need to escape the '-' but it should work. Thanks @bbrendon for the regex example.  It should work.  I, too, am not sure about the need for escaping the dash.  The OP can check the results of the regex by looking at the list of active rules for the interface.  The active rules will be found in the interface subdirectory inside a sub-directory called rules in a file called suricata.rules (or snort.rules for Snort).  The path is like so for Suricata (Snort is the same, just replace "suricata" with "snort" in the path): /usr/local/etc/suricata/suricata_xxxyyyyyy/rules where xxx will be the physical interface name and yyyyyy will be a random GUID number. You can open the rules files you find there to see the actual enabled runtime rules for the interface. Bill

Hi, I haven't tried it yet. Bmeeks pointed out in this topic that you should create a custom pass rule for your whitelisted IP addresses because in Inline mode passlist isn't working. Check this topic: https://forum.pfsense.org/index.php?topic=135331.0 Pass rule example: pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1000001;) Rule wiki: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules

I think I will bump up the defaults for Stream and Reassembly Memcap values in a future release. Bill

You can manually add the required values to the YAML configuration template file.  Note that this will have to be repeated each time you update the Suricata package as the template file is always overwritten with a new update (like when you install a package update from the Package Manager). Find this file and open it in an editor of choice: /usr/local/pkg/suricata/suricata_yaml_template.inc Near the bottom of the file you will find this section of code: # Holds variables that would be used by the engine. vars:   # Holds the address group vars that would be passed in a Signature.   address-groups:     HOME_NET: "[{$home_net}]"     EXTERNAL_NET: "{$external_net}"     {$addr_vars}   # Holds the port group vars that would be passed in a Signature.   port-groups:     {$port_vars} Be very careful not to disturb any existing lines of text (code)!  Add a new line for your SIP_SERVERS as shown below: # Holds variables that would be used by the engine. vars:   # Holds the address group vars that would be passed in a Signature.   address-groups:     HOME_NET: "[{$home_net}]"     EXTERNAL_NET: "{$external_net}"     {$addr_vars}     SIP_SERVERS ["what ever IP addresses or networks are appropriate for your setup"]   # Holds the port group vars that would be passed in a Signature.   port-groups:     {$port_vars} The information in the template file is used to build the suricata.yaml configuration file for each configured interface.  Be very careful when editing and don't change any of the other lines.  That includes spaces or tab indents!  Suricata is very finicky!  You will just be adding this one line in the place shown above. SIP_SERVERS ["some IP addresses or networks"] I will put the inclusion of the SIP_SERVERS variable on my TODO list for a future update so that it is available within the GUI. EDIT:  Forgot to say that after making the changes in the template file above, you will need to go to the INTERFACE SETTINGS tab and "edit" the interface so you can do a Save operation.  Clicking the Save button will cause the suricata.yaml file for the interface to be regenerated using the newly modified template. Bill

It may not be blocking due to the automatic Pass List generated in Legacy Mode.  Check the IP addresses in the Pass List by clicking the View button next to the Pass List drop-down selector on the INTERFACE SETTINGS tab.  Any address in that list will never be blocked (but will still generate an alert).  You can create a customized Pass List and remove addresses that you want to get blocked, but be careful if this is new territory for you.  You can easily lock yourself out. In general the default settings for a Pass List work for the majority of uses. Bill

@strangegopher: @bmeeks: I don't recall off the top of my head, but there is a forumula that uses the number of cores and memory to compute optimal stream memory settings.  I think some adjustments to that area of the binary also happened between the 3.2.x and 4.0.0 versions of the code, so that might account for the fact of not having that exact error using 3.2.x. Bill Seems like I am now (after fixing other issues) having the same issue as op. my supermicro a1sri-2758f has 8 cores and no threads, its non-standard core count I guess. Might explain the buggy multi threading  issues I am experiencing. See my reply in the other thread you linked.  You need to at least double the Stream Mem Cap setting, and possible increase it even more. Bill

@pfsense_user12123: I figured out that INLINE MODE causes the Problem. In Legacy Mode everything works great. So the Main Problem in the configuration file was the inline Mode which made the Router freeze. Not surprising.  Lots of NIC hardware has problems with Inline Mode due to the Netmap dependency.  It is still a buggy interface in all of the following:  (1) NIC drivers, (2) FreeBSD and (3) to some degree Suricata upstream. Bill

@chudak: Thx for the answer. The only interesting question remains - why this rule problem was unmasked by a snort version upgrade? It wasn't.  I've never seen that error in any of my test virtual machines nor in my personal firewall, and I've upgraded along with every version release.  It is likely a product of the particular rule sets you have enabled.  To be specific, the error is caused by not having the Sensitive Data preprocessor enabled while having an enabled rule that contains a sensitive-date preprocessor keyword (that "sd_pattern" keyword). Does Snort now not run at all, or did it just fail to automatically restart following the initial update? If you can, open the referenced file in the error message using the vi editor and go to line 424.  Paste the entire contents of that line back here so I can examine the failing rule. Bill

An update to my previous reply above.  I assumed initially the OP had turned on blocking mode, but the OP has this post in another sub-forum here on the board: https://forum.pfsense.org/index.php?topic=136442.msg746548#msg746548 In that post it is stated that "BLOCKING" and "BARNYARD2" both show as Disabled on the SNORT INTERFACES tab.  That would be why you are getting alerts and no blocking.  Snort does not block by default.  It is an IDS when using the defaults.  You must go to the INTERFACE SETTINGS tab by clicking the edit icon beside the interface.  On the INTERFACE SETTINGS tab, click the checkbox for Block Offenders in order to turn on IPS or blocking mode.  Save the change and then restart Snort on the interface.  You restart it back on the INTERFACES tab using the icon there. You will also need to weed out potential false positives. Bill

@bmeeks: What blocking mode are you using with Suricata when you enable blocking?  Is it Inline IPS Mode perhaps?  If so, my first theory is you have a compatibility issue with your NIC driver and Netmap.  Netmap is extraordinarily picky about having perfect support from the NIC hardware driver.  The fact your error messages from the kernel mention "netmap" is the clue I'm working from. If your NIC driver and Netmap do not play well together (and more NICs don't play well than do play well), then weird stuff begins to happen all the way up to a kernel crash. So if I'm right and you are attempting to use Inline IPS Mode, switch over to Legacy Mode blocking instead and let it run for a while to see if the problem repeats. Bill Hi thanks for the reply and advice I think you are onto something yes I'm using 'Inline IPS Mode' I've experimented with Promiscuous Mode on/off with little to no effect my hardware is a PC Engines APU2 with Intel i210AT NICs I do recall making some changes when I had Snort over Suricata to System/Advanced/Networking I have noticed that the following things are disabled Hardware Checksum Offloading Disabled Hardware TCP Segmentation Offloading Disabled Hardware Large Receive Offloading Disabled I'll experiment with legacy and see how it does I was hoping to use it if possible but perhaps its not going to play nice with my hardware config

@bmeeks It seems to be fine after 5 days. Appreciate for your help, Bill :)

Fair point, and to put it into perspective, I had restored the configuration from an xml file. Maybe that's it. Thanks for your help

Taking another look at this. Sorry if my questions are overly pedantic. I just don't want to break my system. I have attached the snort log facility options and the tabs in status / system logs / system / general from my system. Presumably they are the same as any other system. Here is unedited syslog.conf. I can see a rough correspondence between syslog.conf and the tabs. !radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd *.* %/var/log/routing.log !ntp,ntpd,ntpdate *.* %/var/log/ntpd.log !ppp *.* %/var/log/ppp.log !poes *.* %/var/log/poes.log !l2tps *.* %/var/log/l2tps.log !charon,ipsec_starter *.* %/var/log/ipsec.log !openvpn *.* %/var/log/openvpn.log !dpinger *.* %/var/log/gateways.log !dnsmasq,named,filterdns,unbound *.* %/var/log/resolver.log !dhcpd,dhcrelay,dhclient,dhcp6c,dhcpleases,dhcpleases6 *.* %/var/log/dhcpd.log !relayd *.* %/var/log/relayd.log !hostapd *.* %/var/log/wireless.log !filterlog *.* %/var/log/filter.log !-ntp,ntpd,ntpdate,charon,ipsec_starter,openvpn,poes,l2tps,relayd,hostapd,dnsmasq,named,filterdns,unbound,dhcpd,dhcrelay,dhclient,dhcp6c,dpinger,radvd,routed,olsrd,zebra,ospfd,bgpd,miniupnpd,filterlog local3.* %/var/log/vpn.log local4.* %/var/log/portalauth.log local5.* %/var/log/nginx.log local7.* %/var/log/dhcpd.log *.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info %/var/log/system.log auth.info;authpriv.info |exec /usr/local/sbin/sshlockout_pf 15 *.emerg * Looking at the "local" subsection: local3.* %/var/log/vpn.log local4.* %/var/log/portalauth.log local5.* %/var/log/nginx.log local7.* %/var/log/dhcpd.log *.notice;kern.debug;lpr.info;mail.crit;daemon.none;news.err;local0.none;local3.none;local4.none;local7.none;security.*;auth.info;authpriv.info;daemon.info %/var/log/system.log ```I see that local3-7 are used. What is the significance of the entries "local0.none;local3.none;local4.none;local7.none" in the line for %/var/log/system.log? Are they there only in case a specific log file is not specified above? Why are there not entries for local1.none, local2.none, local5.none and local6.none? If I understand you correctly, to use the facility LOG_LOCAL2 for snort, I would make this change: local2.* %/var/log/snort.log If I do this, where will I see the log entries? Thank you very much.    

I assume that after you assigned the Pass List to the interface on the INTERFACE SETTINGS tab and saved that change that you also restarted Snort.  If not, then you must do that.  Pass Lists are only parsed and evaluated when Snort starts up.  So any changes made during a Snort run are not seen until the next time the service is restarted. I have tested this multiple times in my VM testing environment and pass lists always worked for me.  I have a Kali Linux machine I use to scan and otherwise "harrass" my pfSense virtual machines with Snort installed.  Snort will always block the Kali machine when it's not in a Pass List, and not block it when the Kali machine IP is in the Pass List. Bill

This has happened a handful of times to a few users.  I guess I need to add a manual "fix-it" button to the code.  The GUI code stores the name of the suppress list in the tag I provided, but the actual list contents are stored in a different set of tags.  So what happened in your case is the contents were missing in the other set of tags.  You can have multiple suppress lists defined, but of course a given interface can only use one at the time.  So the _<suppresslistname></suppresslistname>_tag is used to store which suppress list contents to use for the interface from that other tag's list of suppress list contents.  The tag for your WAN was pointing to a contents list that was not actually present in that other section. Bill

I fixed it by doing both of these suggested fixes : 1. "Remove the leading spaces from the line containing "{$http_hosts_default_policy}" and save the change. " 2. "I have run into the same problem, made a quick fix to my installation by editing /usr/local/pkg/suricata/suricata_generate_yaml.php and removing the whitespace before personality: IDS." After that I reinstalled the package and it works. Great job!