• Snort - Detected IP Reporting

    1
    0 Votes
    1 Posts
    570 Views
    No one has replied
  • Snort IFs won't start after 2.3.3-RELEASE-p1 upgrade

    4
    0 Votes
    4 Posts
    837 Views
    J
    Additional steps I've taken… I found where the settings are retained in this post: https://forum.pfsense.org/index.php?topic=80365.msg438860#msg438860 I uninstalled, removed all settings, and reinstalled. Finally, a fresh install. However still no luck. I enabled detailed startup logging, and I'm starting to see something. On every boot attempt and on every interface refresh, I'm noticing it dies in the same place - while parsing "file-executable.so". Here's the last couple of lines from the log:
      Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_IP_LONG' defined :
      Mar 25 22:26:01 snort 30401 [ 135 139 445 593 1024:65535 ]
      Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_UDP_LONG' defined :
      Mar 25 22:26:01 snort 30401 [ 135 1024:65535 ]
      Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
      Mar 25 22:26:01 snort 30401 [ 135 593 1024:65535 ]
      Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_TCP' defined :
      Mar 25 22:26:01 snort 30401 [ 2103 2105 2107 ]
      Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_BRIGHTSTORE' defined :
      Mar 25 22:26:01 snort 30401 [ 6503:6504 ]
      Mar 25 22:26:01 snort 30401 PortVar 'DNP3_PORTS' defined :
      Mar 25 22:26:01 snort 30401 [ 20000 ]
      Mar 25 22:26:01 snort 30401 PortVar 'MODBUS_PORTS' defined :
      Mar 25 22:26:01 snort 30401 [ 502 ]
      Mar 25 22:26:01 snort 30401 PortVar 'GTP_PORTS' defined :
      Mar 25 22:26:01 snort 30401 [ 2123 2152 3386 ]
      Mar 25 22:26:01 snort 30401 Detection:
      Mar 25 22:26:01 snort 30401 Search-Method = AC-BNFA-Q
      Mar 25 22:26:01 snort 30401 Maximum pattern length = 20
      Mar 25 22:26:01 snort 30401 Search-Method-Optimizations = enabled
      Mar 25 22:26:01 snort 30401 Found pid path directive (/var/run)
      Mar 25 22:26:01 snort 30401 Tagged Packet Limit: 256
      Mar 25 22:26:01 snort 30401 Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine...
      Mar 25 22:26:01 snort 30401 Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
      Mar 25 22:26:01 snort 30401 done
      Mar 25 22:26:01 snort 30401 Finished Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine
      Mar 25 22:26:01 snort 30401 Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
      Mar 25 22:26:01 snort 30401 Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-ie.so...
      Mar 25 22:26:01 snort 30401 done
      Mar 25 22:26:01 snort 30401 Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-executable.so...
    The plot thickens. I went into the directory in the shell, moved file-executable.so out of the directory, and now my WAN interface comes up. Though I'm sure it will choke on the next rules update. Thoughts?
  • Snort and Suricata

    4
    0 Votes
    4 Posts
    1k Views
    D
    @jeffh: Barnyard is not required and I may be wrong, but I believe will require a separate Barnyard server. If you are new to Snort or Suricata I would recommend picking one, and working on understanding the way it functions before looking into Barnyard. Thank you both, I see that barnyard2 is a dependency for snort and suricata. Is this to enhance performance from another process?
  • Suricata blocking IPs that are on the passlist

    1
    0 Votes
    1 Posts
    546 Views
    No one has replied
  • This may be a daft question about snort but ?

    2
    0 Votes
    2 Posts
    427 Views
    S
    As far as I can tell it's just for visibility.  I don't think I've seen it change.
  • Suricata Inline Priority and SID mgmt

    1
    0 Votes
    1 Posts
    696 Views
    No one has replied
  • Suricata and AF-Packet

    1
    0 Votes
    1 Posts
    788 Views
    No one has replied
  • Snort blocking WANTED malicious traffic

    2
    0 Votes
    2 Posts
    872 Views
    J
    The only way I can think to do what you're asking would be to put the malware sandbox on a different interface, and not run Snort on that interface. This could have other security benefits as well to keep the malware away from any other systems.
  • Snort IF does not Start and Failed to Reinstall Cron

    6
    0 Votes
    6 Posts
    1k Views
    B
    I hear you dok. I read in other places your distaste for Snort halting upon hitting a broken rule and saw that in the code it coughed up at me. I am partly guilty here too because after the reinstall merely deleting the interface, reinstalling the interface and redownloading the rules seemed to remedy the issue I was having. Thanks dok for looking it over and thanks to everyone for your work on pfSense, packages, and your help in these forums.
  • Customizing HOME_NET to bypass Vuln Scanner

    1
    0 Votes
    1 Posts
    363 Views
    No one has replied
  • Can't enable some rulesets in Snort IDS/IPS

    3
    0 Votes
    3 Posts
    2k Views
    MikeV7896M
    If you're using one of the pre-defined IPS Policy settings (Connectivity, Balanced or Security), then the Snort rules are automatically selected. If you also add OpenAppID and ET rules, then you can select those rules, as they are not part of the pre-defined Snort IPS policies. Here's a post from the Snort blog about how rules are put into each of the pre-defined policies. CVSS score, time, and certain policy groups play a factor in those pre-defined policies.
  • Suricata does not block traffic

    1
    0 Votes
    1 Posts
    512 Views
    No one has replied
  • Suricata Constantly Blocking CrashPlan

    6
    0 Votes
    6 Posts
    4k Views
    F
    Yep, I thought that as well thanks mind12 :) Implemented this now.
  • Snort only for VIP?

    7
    0 Votes
    7 Posts
    3k Views
    K
    Thanks for the reply, so what I'm trying to accomplish is to use snort to only listen to the VIP IP, but it seems that snort only listens to interfaces rather than IPs. As the VIP is connected to WAN it makes things a tad bit harder. Currently what I have is 5 static IPs which my ISP gives; one of those IPs is the VIP IP which is open to the world, such as email server ports, FTP, website ports, etc., and one of those IPs is the WAN which all users navigate with. The issue with running snort on the WAN is it gives way too many false alerts. I know that there is a suppress list which I tried, but it's just a pain, or unless I run the rules of smtp, imap, pop, and ftp, but then if I want to run rules of HTTP it's going to be a hassle with the users. Thank you
  • Suricata IPS blocks SSL traffic without alert log

    9
    0 Votes
    9 Posts
    2k Views
    D
    Not exactly sure what's the question here, obviously depends on the interface. If you have FPs, disable the offending rules.
  • Inline Suricata Setup on WAN

    3
    0 Votes
    3 Posts
    1k Views
    P
    Thank you
  • 2.4 Suricata inline nic recommendation

    8
    0 Votes
    8 Posts
    4k Views
    P
    I have an HP NC365T quad nic and it seems to run (wan only) in-line Suricata 3.1.2 on pfSense 2.3.3_1 fine. When I was running speedtest, I did get a Suricata alert "SURICATA STREAM excessive".
  • Any alert lock also my WAN

    5
    0 Votes
    5 Posts
    702 Views
    A
    Doktornotor, yes, I'm using my snort as you said it, in in-line mode, like the bridge between two network segments (between my ISP router and my main firewall). Now, would you tell me if this way, setting my wan ip on passlists, would not open some security hole in my network? I think it might not block some kind of threat, I do not know. If you do not see problem I will leave it configured this way, with ip of wan added in the passlist.
  • DDOS attack does not generate alert on snort

    3
    0 Votes
    3 Posts
    2k Views
    A
    Thanks a lot, pfBasic. It really opened my eyes on that point. I'll analyze the logs for a while before applying lock.
  • 2.3.3_1 upgrade removing blocked IPs in Suricata legacy mode

    2
    0 Votes
    2 Posts
    368 Views
    P
    I actually just happened to post a thread on how to keep your snort2c table persistent. When you updated you had to reboot, anytime you reboot your blocked hosts lists will be flushed. Just follow the instructions here and you can keep your lists! It's actually really easy. https://forum.pfsense.org/index.php?topic=126997.0
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.