• Snort Search Method for SG-2220

    0 Votes
    3 Posts
    826 Views
    AC-BNFA or AC-BNFA-NQ. There are several discussions on why this should be the recommended setting, which you can google or search for.
  • Suricata not monitoring VIP

    0 Votes
    10 Posts
    2k Views
    Don't want to dig this up again, but I have posted a few times about VIP for Snort or Suricata. Have not heard any updates since, but would it be possible to only monitor the VIP? Thank you
  • Quick question regarding - MALWARE-CNC Win.Trojan.ZeroAccess

    0 Votes
    3 Posts
    10k Views
    Something you might be interested in while learning pfSense and specifically IPS is pfMonitor. Check it out in the link. It is in beta now; the developer is rolling out features rapidly. It lets you compare your firewall hits to other firewalls, gives notes and articles about new attacks and IPs, and categorizes IPs so that you can figure out which attackers are serious or true attacks and which are just false positives. For example, this IP has over 1000 hits on my firewall, but none on any of the other firewalls in the program, which seems kind of strange to me, but probably is because I use a few custom rules that caught the IP (which it sounds like is a FP). It summarized all of the ports, and how many times that IP has hit my firewall when I searched it. It really has a ton of great data in it. I'll be writing up a review and a quick YouTube video on it after I've had a chance to use it for a while and figure out all of its uses. https://forum.pfsense.org/index.php?topic=120972.0
  • Snort -> Dump Payload

    0 Votes
    2 Posts
    815 Views
    In addition to scp, you can download the PCAPs via the webgui Services->Snort->Alerts, Alert Log Actions: Download. But if the alert file gets too big it can cause the php process to crash and you may have to resort back to scp.
  • Can only select ET Rules in Snort

    0 Votes
    3 Posts
    611 Views
    @doktornotor: The thing you are probably missing is that you should NOT select any of the pre-defined policies for interface if you want to select individual categories. (IOW, untick the Use IPS Policy checkbox above.) Thank you! That was it.
  • HTTP inspect false alerts

    0 Votes
    1 Posts
    458 Views
    No one has replied
  • BPF with the Snort package

    0 Votes
    2 Posts
    1k Views
    Anyone?
  • Suricata - prefix or user NULL

    0 Votes
    3 Posts
    964 Views
    Can be closed. Problem was solved by increasing the Flow Memory Cap and Stream Memory Cap to 128MB.
  • SNORT, OpenAppID and weird Block reason: Gateway GEO-IP Filter Alert

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Snort fails to start if ignore_scanners contains too many hosts

    0 Votes
    2 Posts
    631 Views
    According to the manual, you should use it in this way: ignore_scanned { Snort IP List }. The Snort IP List you can create by this guide: https://doc.pfsense.org/index.php/Snort_ip_list_mgmt
  • Snort - Detected IP Reporting

    0 Votes
    1 Posts
    570 Views
    No one has replied
  • Snort IFs won't start after 2.3.3-RELEASE-p1 upgrade

    0 Votes
    4 Posts
    837 Views
    Additional steps I've taken… I found where the settings are retained in this post: https://forum.pfsense.org/index.php?topic=80365.msg438860#msg438860 I uninstalled, removed all settings, and reinstalled. Finally, a fresh install. However still no luck. I enabled detailed startup logging, and I'm starting to see something. On every boot attempt and on every interface refresh, I'm noticing it dies in the same place - while parsing "file-executable.so". Here's the last couple of lines from the log:
    Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_IP_LONG' defined :
    Mar 25 22:26:01 snort 30401 [ 135 139 445 593 1024:65535 ]
    Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_UDP_LONG' defined :
    Mar 25 22:26:01 snort 30401 [ 135 1024:65535 ]
    Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_UDP_SHORT' defined :
    Mar 25 22:26:01 snort 30401 [ 135 593 1024:65535 ]
    Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_NCACN_TCP' defined :
    Mar 25 22:26:01 snort 30401 [ 2103 2105 2107 ]
    Mar 25 22:26:01 snort 30401 PortVar 'DCERPC_BRIGHTSTORE' defined :
    Mar 25 22:26:01 snort 30401 [ 6503:6504 ]
    Mar 25 22:26:01 snort 30401 PortVar 'DNP3_PORTS' defined :
    Mar 25 22:26:01 snort 30401 [ 20000 ]
    Mar 25 22:26:01 snort 30401 PortVar 'MODBUS_PORTS' defined :
    Mar 25 22:26:01 snort 30401 [ 502 ]
    Mar 25 22:26:01 snort 30401 PortVar 'GTP_PORTS' defined :
    Mar 25 22:26:01 snort 30401 [ 2123 2152 3386 ]
    Mar 25 22:26:01 snort 30401 Detection:
    Mar 25 22:26:01 snort 30401 Search-Method = AC-BNFA-Q
    Mar 25 22:26:01 snort 30401 Maximum pattern length = 20
    Mar 25 22:26:01 snort 30401 Search-Method-Optimizations = enabled
    Mar 25 22:26:01 snort 30401 Found pid path directive (/var/run)
    Mar 25 22:26:01 snort 30401 Tagged Packet Limit: 256
    Mar 25 22:26:01 snort 30401 Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine...
    Mar 25 22:26:01 snort 30401 Loading dynamic engine /usr/local/lib/snort_dynamicengine/libsf_engine.so...
    Mar 25 22:26:01 snort 30401 done
    Mar 25 22:26:01 snort 30401 Finished Loading all dynamic engine libs from /usr/local/lib/snort_dynamicengine
    Mar 25 22:26:01 snort 30401 Loading all dynamic detection libs from /usr/local/lib/snort_dynamicrules...
    Mar 25 22:26:01 snort 30401 Loading dynamic detection library /usr/local/lib/snort_dynamicrules/browser-ie.so...
    Mar 25 22:26:01 snort 30401 done
    Mar 25 22:26:01 snort 30401 Loading dynamic detection library /usr/local/lib/snort_dynamicrules/file-executable.so...
    The plot thickens. I went into the directory in the shell, moved file-executable.so out of the directory, and now my WAN interface comes up. Though I'm sure it will choke on the next rules update. Thoughts?
  • Snort and Suricata

    0 Votes
    4 Posts
    1k Views
    @jeffh: Barnyard is not required and I may be wrong, but I believe will require a separate Barnyard server. If you are new to Snort or Suricata I would recommend picking one, and working on understanding the way it functions before looking into Barnyard. Thank you both, I see that barnyard2 is a dependency for snort and suricata. Is this to enhance performance from another process?
  • Suricata blocking IPs that are on the passlist

    0 Votes
    1 Posts
    546 Views
    No one has replied
  • This may be a daft question about snort but ?

    0 Votes
    2 Posts
    427 Views
    As far as I can tell it's just for visibility. I don't think I've seen it change.
  • Suricata Inline Priority and SID mgmt

    0 Votes
    1 Posts
    696 Views
    No one has replied
  • Suricata and AF-Packet

    0 Votes
    1 Posts
    788 Views
    No one has replied
  • Snort blocking WANTED malicious traffic

    0 Votes
    2 Posts
    872 Views
    The only way I can think to do what you're asking would be to put the malware sandbox on a different interface, and not run Snort on that interface. This could have other security benefits as well to keep the malware away from any other systems.
  • Snort IF does not Start and Failed to Reinstall Cron

    0 Votes
    6 Posts
    1k Views
    I hear you dok. I read in other places your distaste for Snort halting upon hitting a broken rule and saw that in the code it coughed up at me. I am partly guilty here too because after the reinstall merely deleting the interface, reinstalling the interface and redownloading the rules seemed to remedy the issue I was having. Thanks dok for looking it over and thanks to everyone for your work on pfSense, packages, and your help in these forums.
  • Customizing HOME_NET to bypass Vuln Scanner

    0 Votes
    1 Posts
    363 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.