  • 2 posts, 0 votes, 543 views. Last reply:
    Thanks Bill, already updated the package. I'll test and let you know.
  • Google and OpenVPN (Site to site) Not working after configuring Snort
    2 posts, 0 votes, 583 views. Last reply by bmeeks:
    Going to need a lot more information than you provided. What versions of Snort and pfSense are you running? Have you checked the ALERTS tab to see if alerts are being logged related to the traffic that is not working? Do you have the blocking mode of Snort enabled? If so, it's not a good idea to turn that on until you become very familiar with the alerts generated by Snort on your network traffic. That gives you a chance to determine if the alerts are "false positives". False positives need to be either suppressed via a Suppress List entry or the applicable rule signature disabled.
    Bill
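    As an added example of the triage Bill describes (review the alerts, decide which are false positives, then suppress them per address rather than blocking blindly), the script below parses Snort alert_fast log lines, ranks signatures by volume, and drafts suppress entries in the `suppress gen_id ..., sig_id ..., track ..., ip ...` form that a Snort suppress list accepts. This is not code from the thread or from the pfSense Snort package; the log lines, SIDs, messages and addresses are constructed for illustration, and the threshold of three hits per (signature, address) pair is an arbitrary choice.

```python
"""Triage Snort alert_fast output and draft per-address suppress entries.

Added example, not from the forum thread or the pfSense Snort package.
SAMPLE_LOG is constructed: the SIDs, messages and addresses are illustrative.
"""
import re
from collections import Counter

# One alert_fast record: timestamp  [**] [gid:sid:rev] message [**] [Classification: ...]
# [Priority: n] {proto} src:port -> dst:port   (ports are optional for ICMP etc.)
ALERT_RE = re.compile(
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[0-9.]+)(?::\d+)?\s+->\s+(?P<dst>[0-9.]+)(?::\d+)?"
)

# Constructed sample log (not real traffic). The last line is not an alert.
SAMPLE_LOG = """\
01/23-14:05:33.123456  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.10:51234
01/23-14:06:01.004512  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:80 -> 192.168.1.11:49152
01/23-14:06:44.771200  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.5:443 -> 192.168.1.10:51300
01/23-14:07:10.000001  [**] [1:2100498:7] GPL ATTACK_RESPONSE id check returned root [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.20:80 -> 192.168.1.12:50001
01/23-14:08:02.300000  [**] [1:2010935:3] ET SCAN Suspicious inbound to MSSQL port 1433 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 198.51.100.77:56000 -> 192.168.1.5:1433
01/23-14:09:15.000000  [**] [120:3:2] (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE [**] [Classification: Unknown Traffic] [Priority: 3] {TCP} 203.0.113.5:80 -> 192.168.1.10:51400
Commencing packet processing (pid=12345)
"""


def parse_alerts(text):
    """Parse alert_fast lines into dicts; lines that are not alerts are skipped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.search(line)
        if not m:
            continue
        alerts.append({
            "gid": int(m["gid"]), "sid": int(m["sid"]), "rev": int(m["rev"]),
            "msg": m["msg"], "proto": m["proto"], "src": m["src"], "dst": m["dst"],
        })
    return alerts


def count_by_signature(alerts):
    """Alert volume per (gid, sid): the first thing to look at before enabling blocking."""
    return Counter((a["gid"], a["sid"]) for a in alerts)


def draft_suppress(alerts, min_count=3, track="by_src"):
    """Draft suppress entries for (signature, address) pairs that fired >= min_count times.

    Suppressing per address keeps the rule live for every other host; a bare
    'suppress gen_id G, sig_id S' with no track/ip clause would silence it globally,
    which is closer to disabling the rule than to tuning it.
    """
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    key = "src" if track == "by_src" else "dst"
    pairs = Counter((a["gid"], a["sid"], a[key]) for a in alerts)
    lines = []
    for (gid, sid, ip), n in sorted(pairs.items()):
        if n >= min_count:
            lines.append(f"suppress gen_id {gid}, sig_id {sid}, track {track}, ip {ip}")
    return lines


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for (gid, sid), n in count_by_signature(alerts).most_common():
        print(f"{gid}:{sid}  {n} alert(s)")
    print("\n".join(draft_suppress(alerts)))
```

    On the sample data only the 203.0.113.5 source crosses the threshold for 1:2100498, so the single-hit source 198.51.100.20 is left alone and would still alert. A suppress entry only hides the alert after the rule has matched; if a signature is wrong for your traffic everywhere, disabling the rule is the cheaper and clearer fix, as the post above says.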
  • Suricata package update coming soon (now posted, so this is old news)
    2 posts, 0 votes, 834 views. Last reply:
    suricata 3.1.2 is now available on pfSense 2.3.2.
  • Snort and Suricata package versions
    6 posts, 0 votes, 2k views. Last reply:
    suricata 3.1.2 is now available on pfSense 2.3.2.
  • 3 posts, 0 votes, 5k views. Last reply by bmeeks:
    I've found the cause of this error. It is due to a change the Suricata team made upstream that changed how the TLS certificate storage directory was specified in the suricata.yaml file. The fix will be in the next Suricata GUI package update.
    Bill
  • Snort Update rules not working
    6 posts, 0 votes, 4k views. Last reply:
    ^^ That spawned a possibly good idea for the pfSense devs: setting the minute number randomly on first install would help for the future. You should expect to see a higher server load as more people use pfSense.
  • Snort: Won't Update, bad checksum
    22 posts, 0 votes, 13k views. Last reply:
    Yeah, to be clear, this is absolutely the wrong place to post. No one here maintains the snort.org webservers, so no one here can fix the broken checksums they keep uploading over and over and over again. If you have a paid subscription, complain to the Snort guys; if you have none, then you get what you paid for and simply wait till someone fixes it.
  • Snort versus suricata
    3 posts, 0 votes, 3k views. Last reply:
    It helped me. Thanks!
  • Suricata Configuration
    6 posts, 0 votes, 4k views. Last reply by bmeeks:
    > @userjanuary2017: Oh wow, great news on pfSense reinstalling my packages automatically. Thank you Bill, I really appreciate your help very much!
    As I said, I'm not 100% sure on that point, but I believe it used to do that. If you have pfSense paid support, they can verify that point for you in case I am mistaken.
    Bill
  • Snort + Barnyard2 FATAL ERROR
    9 posts, 0 votes, 3k views. Last reply by bmeeks:
    > @tiki1980:
    > > @bmeeks: I have abandoned the use of Barnyard2 on my personal firewall due to problems with it. I wish it was more dependable, but the constant problems finally wore out my patience. I was using it with Snorby. Bill
    > Not really on topic, but what do you use as a frontend? I looked at www.aanval.com, which has its own proprietary shipping mechanism for the unified2 logs, but this only allows for one sensor (really one interface).
    Since it is just my home network firewall, I am not currently sending the log data anywhere. I just periodically review stuff directly on the firewall. I have not investigated using anything else since I dropped Snorby.
    Bill
  • Suricata plus snort
    6 posts, 0 votes, 2k views. Last reply by bmeeks:
    > @pfcode:
    > > @bmeeks: As for the HTTP_INSPECT rules in Snort, I say this with some tongue-in-cheek – they will alert on pretty much any HTTP packet these days and have become darn near worthless because of that IMHO. I have disabled the majority of those rules in my system. Bill
    > Are you talking about LAN preprocs->Http Inspect??
    Any of them, to be honest. A lot of them misfire (as in generate false positives and thus false blocks). I know some of the rules might be OK, but many are either out of date or else a ton of legitimate web sites are sending out vastly screwed up HTTP traffic. I just know that if you enable all those HTTP_INSPECT preprocessor rules you will immediately start to get alerts and subsequent blocks on a large number of mainstream and legit web sites.
    Bill
  • Suricata doesn't like bulk imported alias list
    5 posts, 0 votes, 1k views. Last reply by bmeeks:
    > @dhboyd26: Thanks for the reply. I should have thought about that possibility, as much as I have been bamboozled by UNIX to DOS files before. The lists were put in by hand in the GUI, so all is well, but for future reference (hopefully never) I will definitely check that. On a completely unrelated topic, since you are the maintainer of the package, I wanted to let you know that we now have Suricata running inline after a hardware change from Intel X710 adapters to Intel X520 adapters. Been working like a champ! Thanks for your work maintaining this package.
    Good to hear. Netmap support is still not 100% in all the NIC drivers yet, but maybe someday we will get there.
    Bill
  • Help plz - problem with snort
    10 posts, 0 votes, 2k views. Last reply:
    > @bmeeks: If you uninstalled the package with the "Save Settings" checkbox unchecked, then all remnants of Snort were removed from your config.xml file, which the firewall uses to store all of your configuration information. So if you re-install the package, it should behave as a 100% fresh install with no pre-existing configuration settings brought over. Bill
    Great. So I uninstalled the package and reinstalled it; didn't help. Installed Suricata and it worked out of the box. So I made a passlist and used that for external_net in Snort instead, and it worked. But now the "!" in front of the IPs are gone, exactly like the home_net. In other words it says that my external_net is home_net now, but it worked somehow. But when I added rules it stopped working again. So I tried to find out exactly why it stops working and I have somewhat narrowed it down to the "emerging" rules: when I add one of them, Snort stops working. I have no idea what's going on anymore :P
  • Suricata Inline Mode Problem
    6 posts, 0 votes, 2k views. Last reply by bmeeks:
    Not surprising. The latest 3.0_12 package just has two minor bug fixes within the GUI itself. The underlying Suricata binary is unchanged and remains at 3.1.2. Netmap support will make it into more and more NIC drivers, but it will take a little time.
    Bill
  • Only Block Inbound Detected Traffic
    4 posts, 0 votes, 1k views. Last reply:
    Wow, bmeeks is back. Now I forgot my issue that bmeeks can answer.
  • Snort Keeps Stopping - Logs attached
    2 posts, 0 votes, 808 views. Last reply:
    It happens to me as well. I just use the Service Watchdog package to keep the service on automated restart in case it stops after the nightly updates.
  • Layer 7 filtering with OpenAppID
    1 post, 1 vote, 677 views. No one has replied.
  • Questions about Snort IPS in PFSense
    2 posts, 0 votes, 1k views. Last reply:
    Re-posted my comments to a new post as this one is about Snort. My bad…
  • Snort Rules for web server
    1 post, 0 votes, 1k views. No one has replied.
  • Suricata 2.0.4 pkg v2.1.3 EVE json to syslog doesn't work
    12 posts, 0 votes, 8k views. Last reply:
    Morning, any update on that package? As BBcan177 noted with his link above, I am creating a logstash-forwarder package for submittal to the pfSense Team. If they approve, then you can use the new package to send Suricata and other firewall logs to an ELK (Elasticsearch Logstash Kibana) setup. Thanks,
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.