• Multi-threaded Snort?

    4
    0 Votes
    4 Posts
    3k Views
    P
    Just switch to Suricata.
  • 0 Votes
    3 Posts
    1k Views
    bmeeksB
    You will have to disable the rule if you can't pin down the IP range.  There is no capability for dynamic DNS lookup with either Snort or Suricata.  So you can't use a DNS name in a passlist alias.  This is due to the enormous overhead DNS lookups would add to packet processing.  The thread would hang waiting for the DNS lookup to complete. Bill
  • Suricata: Package is configured but not (fully) installed

    3
    0 Votes
    3 Posts
    1k Views
    J
    As indicated in the topic you referenced: "Ah, my bad! The lack of a separator there as opposed to the ones above it is a bit confusing. Thank you for your time and effort."
  • Will snort work?

    2
    0 Votes
    2 Posts
    496 Views
    D
    HAProxy works just fine here with suricata, cannot see why it wouldn't work with Snort either.
  • Public Key Detection

    3
    0 Votes
    3 Posts
    784 Views
    T
    Thanks for the quick reply! If there is one on this forum, can you point me in the direction of a write-up on where to add the custom Suricata rules in pfSense? Is it as simple as something like this (attached)? Or do I need to figure out how to make a separate rules list (attached)? EDIT: Found this post and got what I needed. https://forum.pfsense.org/index.php?topic=91438.0 Thanks again bcan!
  • Suricata STREAM alerts

    3
    0 Votes
    3 Posts
    10k Views
    bmeeksB
    An IDS/IPS assumes that all applications (and thus software developers) follow all the standards for networking, so when the IDS/IPS sees something that looks amiss it will alert on it.  Unfortunately that assumption about all applications (and developers) solidly adhering to all published networking standards is a pipe dream… ;) The downside for IT Security Admins is we get flooded with spurious alerts that we have to spend time investigating.  The STREAM alerts are about as worthless in Suricata as the HTTP_INSPECT alerts in Snort.  What I mean by that blanket statement is there are so many false positives from both of those that they are both nearly worthless.  Most IT Security Admins will disable the majority, if not all, of these rules. Bill
  • Suricata showing ET Policy alerts

    2
    0 Votes
    2 Posts
    3k Views
    S
    Solved. The ET POLICY rules are in the Resolve Flowbits automatic rules. However, you can't view the rules in the Suricata Interface LANRules: decoder-events.rules page. You have to view them on the Suricata IDS / Interface LAN - Categories page.
  • Suricata Block List does not = snort2c Table? Why not?

    4
    0 Votes
    4 Posts
    855 Views
    P
    Cool, thanks! I'm using 2.4, so it might be something going on there?
  • Snort - IPS mode

    4
    0 Votes
    4 Posts
    3k Views
    bmeeksB
    @jeffh is correct.  Snort can only block when block offenders is enabled.  This is because the custom plugin that does blocking simply uses every alert to generate a block.  So any alert that is fired will result in a block of the offending host or hosts when "block offenders" is enabled.  Which host is blocked (source, destination or both) is configurable in the GUI.  Of course alerts that are suppressed, or rules that are disabled, will not generate corresponding blocks.  Right now the plumbing used internally in Snort does not lend itself well to inline IPS mode on pfSense.  That may change in the future. Suricata leverages the somewhat new Netmap functionality introduced in FreeBSD (in version 9 I think, but I'm not sure off the top of my head) to provide a true inline IPS mode that honors "alert", "drop", "reject" or "pass" as rule actions.  Netmap allows very high speed pipes to be established between the NIC driver and user-land software (in this case, Suricata).  However (and it's a big "however"), Netmap is only fully supported by a tiny handful of NIC drivers on FreeBSD.  Some drivers sort of support it but are still quite buggy.  Also, in pfSense, Netmap is currently incompatible with the traffic shaper and VLANs.  So if you have a traffic shaper enabled or use VLANs, then Netmap will kill connectivity on any interface it is enabled on.  This in turn means Suricata can't work with inline mode on such an interface. Bill
  • Update snort rules programmatically

    2
    0 Votes
    2 Posts
    1k Views
    bmeeksB
    Snort does this automatically via a cron job.  The update check interval is configurable within the GUI. You can run this file to manually update if you want to do it outside of the cron process.  Not sure why you would need to do this, though. /usr/local/pkg/snort/snort_check_for_rule_updates.php Bill
  • Snort Search Method for SG-2220

    3
    0 Votes
    3 Posts
    826 Views
    U
    AC-BNFA or AC-BNFA-NQ. There are several discussions on why this should be the recommended setting, which you can google or search for.
  • Suricata not monitoring VIP

    10
    0 Votes
    10 Posts
    2k Views
    K
    Don't want to dig this up again, but I have posted a few times about VIP for Snort or Suricata. Have not heard any updates since, but would it be possible to only monitor the VIP? Thank you
  • Quick question regarding - MALWARE-CNC Win.Trojan.ZeroAccess

    3
    0 Votes
    3 Posts
    10k Views
    P
    Something you might be interested in while learning pfSense and specifically IPS is pfMonitor. Check it out in the link. It is in beta now; the developer is rolling out features rapidly. It lets you compare your firewall hits to other firewalls, gives notes and articles about new attacks and IPs, and categorizes IPs so that you can figure out which attackers are serious or true attacks and which are just false positives. For example, this IP has over 1000 hits on my firewall, but none on any of the other firewalls in the program, which seems kind of strange to me, but probably is because I use a few custom rules that caught the IP (which it sounds like is a FP). It summarized all of the ports, and how many times that IP has hit my firewall when I searched it. It really has a ton of great data in it. I'll be writing up a review and a quick YouTube video on it after I've had a chance to use it for a while and figure out all of its uses. https://forum.pfsense.org/index.php?topic=120972.0
  • Snort -> Dump Payload

    2
    0 Votes
    2 Posts
    816 Views
    J
    In addition to scp, you can download the PCAPs via the webgui: Services->Snort->Alerts, Alert Log Actions: Download. But if the alert file gets too big it can cause the php process to crash, and you may have to resort back to scp.
  • Can only select ET Rules in Snort

    3
    0 Votes
    3 Posts
    612 Views
    K
    @doktornotor: The thing you are probably missing is that you should NOT select any of the pre-defined policies for interface if you want to select individual categories. (IOW, untick the Use IPS Policy checkbox above). Thank you! That was it.
  • HTTP inspect false alerts

    1
    0 Votes
    1 Posts
    458 Views
    No one has replied
  • BPF with the Snort package

    2
    0 Votes
    2 Posts
    1k Views
    L
    Anyone?
  • Suricata - prefix or user NULL

    3
    0 Votes
    3 Posts
    964 Views
    N
    Can be closed. Problem was solved by increasing the Flow Memory Cap and Stream Memory Cap to 128MB.
  • SNORT, OpenAppID and weird Block reason: Gateway GEO-IP Filter Alert

    1
    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Snort fails to start if ignore_scanners contains too many hosts

    2
    0 Votes
    2 Posts
    631 Views
    P
    Consider the manual: you should use it in this way: ignore_scanners { Snort IP List }. The Snort IP List you can create by following this guide: https://doc.pfsense.org/index.php/Snort_ip_list_mgmt
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.