@knownPlayer: With the default rule I mean my drop any rule from my first post. Sorry if I wasn't being clear. drop ip any any <> any any (msg:"default deny"; ) Since I am experimenting with implementing a whitelist in Suricata, I allowed all traffic on all interfaces in my pfSense. This way I can focus on Suricata first. My test setup seems to be working now, though I don't know exactly why.  Might have been a system restart… Thank you for your help Bill. Oh … OK.  When I type replies the start of the thread is buried down on the bottom of the screen and I frequently forget what has been said before... :).  I thought maybe you were talking about the firewall's default deny rule since I had forgotten about the earlier discussion. Bill

Okay Bill…found it...FreeBSD Bugzilla – Bug 226289 Submitted...Bug 226289 has been successfully created.

Bill/bmeeks, that's perfect and good information - exactly along the lines of what I was thinking also. I am in a small medical installation, not home, so I do want some of this "noise" to show up, even if just for my own satisfaction of preemptive acknowledgement of blocking. To that end, I'll run the same rules as you suggest; I'm noticing the ET-CIARMY is already reasonably noisy. It would be super-cool if you could possibly find the time to update the first post of the sticky for New Users in this category, as there is a lot of information that is now outdated/superceded - new users have a rough time identifying the basics. In fact, the current pfSense tutorial/guide for Snort was the best I've found, but not many references to it within this forum. Coupling a link to that page, plus a brief overview of WAN/LAN suggestions, would be ideal - rather than reading a day's worth of scattered posts from 2013 onwards.

Thanks. I go check.

Suricata and Snort both depend on the values of the HOME_NET and EXTERNAL_NET variables being set correctly.  Many of the rules from both the VRT and Emerging Threats uses HOME_NET and EXTERNAL_NET as source and destination values for IP addresses. If the IP addresses in HOME_NET and EXTERNAL_NET are not correct, many rules will fail to trigger and fire alerts because all of the "conditions" for triggering are not met.  So first question would be have you modified any of the defaults for HOME_NET or EXTERNAL_NET?  If you are trying to monitor a VPN, it could be the IP addresses of the VPN tunnel are not getting properly placed in HOME_NET.  In that case, you would need to create a Pass List and use it as a customized HOME_NET. Bill

@afagund: Should I message the developers mail list? For me its clear we have a bug on this package. You can, but if you mention "_package on pfSens_e" or "pfSense" anywhere in your report they will just send you right back here as they will assume somehow pfSense is to blame.  The Snort package on pfSense uses the same Snort binary as is used on any other Linux/FreeBSD machine.  So just tell them you think you have a memory leak issue with Snort using the HTTP_INSPECT preprocessor with gzip encoding enabled and don't mention the platform you are running on unless they ask.  If they ask, just say "FreeBSD 11" and don't mention pfSense. I'm not trying to be coy and hide information, but just pointing out that the default response will likely be to send you right back to the pfSense forums if you mention pfSense in your bug report.  Your issue is not with the pfSense package per se, it is potentially with the Snort binary, and that binary is the same as any other FreeBSD user would be using without pfSense in the mix. Bill

Oh good grief, I didn't realize there was already custom rules section.  Nothing like reinventing the wheel.  :-[  Thanks Bill

@bmeeks: A better and more secure way to handle this type of issue is to identify which rule SID (Signature ID) is causing the block and either disable that rule entirely or suppress that alert for the impacted IP (your cloud provider's address or address space).  To identify the rule causing the block, look on the ALERTS tab for the interface and filter for the blocked IP.  See which rule SID (or it may be more than one) is causing the block.  You can suppress the alert by adding the rule SID to a suppress list that filters on source or destination IP, or you can click the "X" icon under the GID:SID column to disable that rule completely. Bill Thanks for the direction Bill.  I did exactly as you said and found the rule causing the error.  I've since suppressed it and am no longer running into issues.

Hi DaReaLDeviL, Bill Meeks has a good explanation of what Inline Mode is and its benefits over Legacy Mode here:   https://forum.pfsense.org/index.php?topic=108010.0 The biggest issue with inline mode is hardware compatibility and stability.  When running as a physical machine FreeBSD's netmap only supports a limited number of NIC chipsets.  Supported list of adapters: https://www.unix.com/man-page/freebsd/4/netmap/ But as for running it in a virtualized environment I'm not sure if pfSense's netmap supports vmware adapters.  Maybe someone has already tested and can chime in on this.  If it is supported I would think it would require you to configure SR-IOV (which your NIC does support) on your VMware Host.  If you're not in a production environment I'd say snapshot and see if it works.  Hope that helps.

Hey Sorry for the (very) late reply, stopped checking the thread. I have not resolved the issue, it still works in this counter intuitive manner. As of right now I am just letting it work with the rules suppressed and disabled. We have been working on moving to Suricata inline as a replacement, but haven't moved it from the testing stage yet. I've actually been away from the office for some time now and have to catch up on suricata dev. They were having issues with the inline mode and vlan tags. Hopefully that has been resolved.

What kind of hardware are you running?  What is the type and speed of the CPU and how much RAM? Suricata needs CPU, and the higher the packet load the more CPU it needs to keep up.  Granted with no rules enabled it should not need nearly as much, though.  Might be an issue with your NIC drivers and the Netmap module in FreeBSD.  As as been said in this forum about a thousand times, inline IPS mode uses the experimental Netmap kernel interface.  Some NICs don't work with Netmap at all, and others work in a buggy fashion.  Your NICs might be one of the latter. Put Suricata in Legacy Blocking Mode and see what the throughput is then.  This will isolate the problem down and hopefully show Netmap compatibility as the culprit. Bill

In Snort a Pass List entry should not prevent receiving an alert.  It just prevents that alert from going on to generate a block.  So you should still see alerts on the ALERTS tab.  The pass list is checked by the custom blocking plugin after it receives the alert but before it sends the IP address to the snort2c table.  If the alert's IP address is in the pass list, then the IP is not sent to the snort2c table but it should still show up on the ALERTS tab as an alert. Bill

Dale thanks for the suggestions.  After some time of testing I found: 1.  The primary problem was Snort's Preproc http was blocking most of the IP's for the speedtest, even after turning virtually all rules off.  If I would clear the blocks it would start to work again (instead of rebooting which also clears the blocks) before blocking all the IP's again.  I could not find a way to fix this except to turn off the Preproc http (which numerous posts claim will break much of Snort), or to install suppress rules to suppress the rules that were too aggressive (I didn't test the suppress method, find that too be a little cumbersome for basic functionality). 2.  The secondary problem with the upload speed being low was using the bce network driver (built in Broadcom NICs).  Apparently this driver or hardware has issues with BSD.  I switched to another NIC that used the bxe driver and the upload speed problem went away.  I'm going to try some better Intel NICs later to try and take advantage of the "Netmap" functionality. I'm testing Suricata now, finding it less cumbersome so far.

Okay, I read through the entire thread…one doesn't need to implement all those scripts as one can use the custom DNSBL Feed rules into PFBlockng...really grateful to BBcan177. I also changed firewall flowing rule to block with the quick set checked, interface: WAN, direction: any, family address: IPv4+IPv6,  protocol: TCP, source: any, destination: any, destination port range: other, then from the WebGUI to the WebGUI. I also added a second firewall flowing rule to block with the quick set checked, interface: WAN, direction: in, family address: IPv4+IPv6, protocol: TCP, source: any, destination: any, destination port range: other, then from outgoing privilege ports to outgoing privilege ports. Extremely grateful to jflsakfja as well thank you and wish you all the best.

@BMEEKS You are amazing THANK YOU!!!!

Well if you decide to test again with Snort let us know! Perhaps you were just running multiple interfaces and configured barnyard on the wrong one?

@necs-gungaro: Hello All I am suddenly have Failed Snort VRT downloads . Looks like the MD5 checksum has an error. So how do I clean that issue up so I get my VRT rules to download? I am using a Lanner router with pfSense 2.2.4 Thank You for any help in advance. What version of the Snort package are you running?  That is quite an old version of pfSense.  If you have not updated Snort since you installed that pfSense version, then the VRT rules for your Snort version may have been discontinued (depends on exactly which Snort version you have).  Snort rules are tied to specific binary versions and the VRT does continually roll older versions of rules out of support as they roll in newer versions. Bill

+1. I too encountered the "manual remove" messages and I never touched the automated installation. I do not recall whether I had the fatal error. Snort seems to work just fine but I may follow the instruction to remove and reinstall for good measure.

Hi, I found I have the same problem. I wasn't sure but today internet suddenly stopped when I was online and I found PPPoE is down because WAN IP changed. What happened is: Snort detected new IP connected to website IP I was browsing 5 minutes ago as "port sweep"  and effectively blocked my new WAN IP together with all internet taking down VoiP and Internet radio tuner. I like to know how to mitigate such problem correctly because next time it can be other false positive or rule trigger same outage. Is any rule can be added to whitelist WAN IP as alias? Thanks