• SNORT OPENAPPID RULES DETECTORS offline install package?

    0 Votes
    8 Posts
    2k Views
    I think the issue is their servers. I am from Hong Kong and I have the exact error: when I try to go to www.ifs.edu.br, it displays a firewall message saying it has a Geo-IP block of Hong Kong. When I try to go to the website again using a VPN in the US, it displays the website just fine. Any way to work around this? It's definitely a GEO block. Any way to contact them? Or maybe if someone knows the URL? I can download the rules on a public server, add a DNS override and on the firewall
  • Suricata 3.2.2 available at freshports

    0 Votes
    1 Posts
    594 Views
    No one has replied
  • Snort won't boot anymore with the pfsense 2.3.4-RELEASE

    0 Votes
    2 Posts
    908 Views
    bmeeks
    Follow the instructions I give here:  https://forum.pfsense.org/index.php?topic=127764.msg731895#msg731895 to remove Snort, clean up the older shared-object libraries and reinstall Snort. Bill
  • Snort Keeps Stopping

    0 Votes
    10 Posts
    6k Views
    bmeeks
    @Khampol: Hi, after a manual update today, well, Snort refuses to start…. See this in the log: FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.6 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 3.0. ::) ::) ::)
    Two things: (1) do you have the latest Snort package installed? (2) did you do a "remove and then reinstall" when updating the Snort package? Sounds like you have a problem another user had. You have old versions of the precompiled shared-object rules libraries hanging around on your system. To remove them, do the following:
    (1) Remove the Snort package.
    (2) Get to a CLI (command line) prompt on the firewall and delete any "snort" directories you find in the /usr/local/lib path.
    (3) Install the Snort package again.
    The above steps will not cause you to lose any configuration data so long as "save settings" is enabled on the GLOBAL SETTINGS tab. That setting is "on" by default. Bill
  • Prevent Snort from blocking my IP when I'm remotely accessing my pfSense box

    0 Votes
    5 Posts
    1k Views
    Bottom line is, don't enable remote access to your pfSense box without a VPN. Until you have a VPN server setup, disable all remote access. SSH with pass + key auth is fine.
  • Inline transparent pfSense with Snort

    0 Votes
    1 Posts
    578 Views
    No one has replied
  • Basic Suricata question

    0 Votes
    3 Posts
    891 Views
    Or highlighted with red rows in the Alerts tab if you use it in Inline mode.
  • How to make barnyard2 auto log to database?

    0 Votes
    1 Posts
    435 Views
    No one has replied
  • Suricata Inline and VLANs

    0 Votes
    9 Posts
    4k Views
    @Gemnon: ifconfig em0 -vlanhwtag
    With the package "shellcmd" it is possible to apply it at every boot. I use the standard "shellcmd" type and it is working perfectly. Thanks to Gemnon
  • Suricata inline mode breaking barnyard2

    0 Votes
    2 Posts
    534 Views
    So I made some progress on this; the issue is that suricata is not properly generating the passlist rules for sid-msg.map (it's omitting a 'rev' column) which I think is what is tripping up barnyard2. I was able to disable/enable blocking to get the passlist entries no longer added to the .map file, but it seems like they get put back in if I switch over to inline.
  • "Block snort2c hosts" error

    0 Votes
    6 Posts
    2k Views
    chudak
    @Birke: just look under Snort Alerts and there select your WAN interface. Then you see the alerts on that interface. For example:
    ```
    06/23/2017 12:09:59 2 TCP Potentially Bad Traffic 31.193.143.x 50439 89.x.x.x 1433 1:2010935 ET POLICY Suspicious inbound to MSSQL port 1433
    ```
    The "ET POLICY" shows from what rule category it comes and the "1:2010935" is the number of the rule. With that info you can go to the WAN interface configuration in Snort and then select Rules. Select the rule category and search for the rule. Or you just go to the Snort Alerts and click one of the red x for rule suppression/disabling.
    It gets a little better now, thx! @Birke do you add alerts to the suppress list or disable the rule? And I am assuming after I get no or a low level of alerts I'd enable Block Offenders in interfaces? Thx
  • Snort in IPS running on vlan and parent interfaces?

    0 Votes
    2 Posts
    555 Views
    I believe Snort works on whatever interface you set it on and whatever rules you apply on those interfaces.
  • Suricata upgrade error 3.2.1_2

    0 Votes
    1 Posts
    377 Views
    No one has replied
  • Suricata 3.2.1 update coming soon with hyperscan support

    0 Votes
    2 Posts
    915 Views
    Bill, That's super awesome. Thank you so much! Charles
  • Update 3.2.9.3 query

    0 Votes
    6 Posts
    1k Views
    bmeeks
    @chc-pr: Hi Bill. Thanks for your help. /tmp only has mnt and snap as subdirectories … is /tmp part of a longer path? Thanks
    No, it is directly off the root, but I forgot about something in my earlier reply. When the update process completes (even if unsuccessful), it deletes the temporary sub-directory it created to hold the downloaded gzip rules archive. So you will not see it except during the interval the rules update process is running. Still, though, how much free space is showing? Getting MD5 errors on VRT, Community and ET archives is a rare occurrence. Is there anything unusual in your setup such as a proxy (Squid, for example)? Bill
  • Issue with SNORT

    0 Votes
    11 Posts
    2k Views
    I guess I didn't mention that pretty much the same thing happened on the primary as well… OK. I'll put it on a test bed and do the upgrade again to see if I can replicate it and this time check the config.xml. Thanks again, Dino
  • Snort not updating

    0 Votes
    10 Posts
    2k Views
    bmeeks
    @techbee: It seems that my location is blacklisted on their firewall and that causes the "Block reason: Gateway GEO-IP Filter Alert"
    Well, unless you can get them to whitelist your IP address, you won't be able to use the OpenAppID feature in the Snort package unless you create some of your own rules. There are a few examples of user-written OpenAppID rules here in the IDS/IPS sub-forum. You could try a search for "OpenAppID" to see what turns up. There are also a few examples to be found with a Google search. Bill
  • FATAL ERROR: !any is not allowed in EXTERNAL_NET

    0 Votes
    2 Posts
    1k Views
    bmeeks
    @gc75: Hello all, I'm having this problem with the latest Snort update:
    ```
    Jun 10 15:01:32 php-fpm 3909 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 3825 -D -l /var/log/snort/snort_re03825 --pid-path /var/run --nolock-pidfile -G 3825 -c /usr/local/etc/snort/snort_3825_re0/snort.conf -i re0' returned exit code '1', the output was ''
    Jun 10 15:01:32 snort 17998 FATAL ERROR: /usr/local/etc/snort/snort_3825_re0/snort.conf(6) !any is not allowed in EXTERNAL_NET.
    ```
    Who can help me?
    ```
    # Define Local Network #
    ipvar HOME_NET [0.0.0.0,8.8.4.4,8.8.8.8,127.0.0.1,192.168.1.1,192.168.1.99/24,192.168.1.100,192.168.2.0/24,192.168.3.0/24,::1,fe80::1:1,fe80::20d:b9ff:fe3c:b614,fe80::20d:b9ff:fe3c:b615,fe80::f6f2:6dff:fe7e:a976]
    ipvar EXTERNAL_NET [!0.0.0.0,!8.8.4.4,!8.8.8.8,!127.0.0.1,!192.168.1.1,!192.168.1.99/24,!192.168.1.100,!192.168.2.0/24,!192.168.3.0/24,!::1,!fe80::1:1,!fe80::20d:b9ff:fe3c:b614,!fe80::20d:b9ff:fe3c:b615,!fe80::f6f2:6dff:fe7e:a976]
    ```
    Something in your setup is returning a null address. The problem entry is "!0.0.0.0" in the EXTERNAL_NET declaration. That is coming from some interface, DNS server, VPN or VIP. Bill
  • Snort failing to start on WAN

    0 Votes
    23 Posts
    6k Views
    Jailer
    I use the default admin profile and had the same issue so that's not likely the problem.
  • Snort Custom rules?

    0 Votes
    1 Posts
    1k Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.