• Snort Setup

    0 Votes
    2 Posts
    1k Views
    First rule of security for me is never use someone else's rules or whitelist. You, as the administrator of your network, should know it best and determine what is good and what is not. From your alert:

    2017-02-23 11:55:30  3  TCP  Unknown Traffic  192.168.0.12  88  192.168.0.10  3871  120:3  (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    Should .12 be accessing .10? If so, then for what reason? Is it a device or server compromise? If so, did you check logs or do a Wireshark capture? These are things you need to ask.

    2017-02-23 11:52:08  3  TCP  Unknown Traffic  151.101.124.84  80  192.168.0.15  34412  119:31  (http_inspect) UNKNOWN METHOD

    151.101.124.84 seems to be Pinterest. Is .15 a device that is accessing Pinterest at the moment? Is Pinterest blocked? Content not showing? Most of the time http_inspect alerts are errors with the HTTP conversation. But not in all cases; sometimes these can be some sort of consolidated attack on your servers, or possibly an attempt to use them in an attack against another server or servers. In this case most likely not, and I consider it safe; if it isn't affecting the website or content I just leave it alone. Hope that helps.
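    The questions the post asks of each alert row (is this internal-to-internal traffic, is it a preprocessor anomaly from an outside host, is it a high-priority rule hit) can be applied mechanically to the alert table. The script below is an added example, not code from the post or from the pfSense Snort package. It assumes the column layout quoted in the thread (date, time, priority, proto, class, src, sport, dst, dport, gid:sid, description), treats RFC 1918 space as "internal", and uses the standard Snort generator ids 119/120 for http_inspect; the sample rows are constructed, and the third one uses a local-range sid.

```python
"""Triage of pfSense Snort alert rows like the two quoted in the post.

Added example, not code from the post or the pfSense package. Assumes the
column layout shown in the thread and that "internal" means RFC 1918.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample rows in the layout quoted above (the third is made up).
SAMPLE_ALERTS = """\
2017-02-23 11:55:30  3  TCP  Unknown Traffic  192.168.0.12  88  192.168.0.10  3871  120:3  (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
2017-02-23 11:52:08  3  TCP  Unknown Traffic  151.101.124.84  80  192.168.0.15  34412  119:31  (http_inspect) UNKNOWN METHOD
2017-02-23 11:57:01  1  TCP  Attempted Admin Privilege Gain  203.0.113.9  44122  192.168.0.10  22  1:1000001  LOCAL constructed rule
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Standard Snort generator ids: 1 = text rules, 119/120 = http_inspect client/server side.
PREPROCESSOR_GIDS = {119: "http_inspect (client)", 120: "http_inspect (server)"}

ROW_RE = re.compile(
    r"^(?P<date>\S+)\s+(?P<time>\S+)\s+(?P<pri>\d+)\s+(?P<proto>\S+)\s+(?P<cls>.+?)\s+"
    r"(?P<src>[\d.]+)\s+(?P<sport>\d+)\s+(?P<dst>[\d.]+)\s+(?P<dport>\d+)\s+"
    r"(?P<gid>\d+):(?P<sid>\d+)\s+(?P<desc>.*)$"
)


def is_internal(ip: str) -> bool:
    """Explicit RFC 1918 test (ipaddress.is_private also covers documentation ranges)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass
class Alert:
    src: str
    sport: int
    dst: str
    dport: int
    gid: int
    sid: int
    priority: int
    description: str

    @property
    def lateral(self) -> bool:
        """Both ends internal: traffic you should be able to name a reason for."""
        return is_internal(self.src) and is_internal(self.dst)

    @property
    def preprocessor(self) -> Optional[str]:
        return PREPROCESSOR_GIDS.get(self.gid)


def parse_alerts(text: str) -> List[Alert]:
    alerts = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue  # skip rows that do not fit the layout instead of guessing
        alerts.append(Alert(m["src"], int(m["sport"]), m["dst"], int(m["dport"]),
                            int(m["gid"]), int(m["sid"]), int(m["pri"]), m["desc"]))
    return alerts


def triage(alert: Alert) -> str:
    """The first question to ask for this row, following the post's reasoning."""
    if alert.lateral:
        return (f"lateral: should {alert.src} be talking to {alert.dst}:{alert.dport}? "
                f"check the host's logs or take a capture")
    if alert.preprocessor is not None:
        return (f"{alert.preprocessor} anomaly from external {alert.src}: usually a broken "
                f"HTTP conversation; confirm the site still loads before chasing it")
    if alert.priority == 1:
        return f"priority 1 rule {alert.gid}:{alert.sid} against {alert.dst}:{alert.dport}: investigate"
    return "review"


if __name__ == "__main__":
    for a in parse_alerts(SAMPLE_ALERTS):
        print(f"{a.gid}:{a.sid}  {triage(a)}")
```

    The lateral check runs before the preprocessor check on purpose: an http_inspect anomaly between two internal hosts is still internal traffic you have to account for, which is exactly the .12 to .10 question the post raises.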
  • Suricata Rules download error - pfsense 2.3.3

    0 Votes
    9 Posts
    3k Views
    Thank you ;)
  • Latest update to Snort fails in latest Snapshot release.

    0 Votes
    6 Posts
    2k Views
    Yeah, remove and reinstall the package.
  • 0 Votes
    3 Posts
    912 Views
    And why on earth is security software still using MD5?! :(
  • Snort VRT Rules fail to download (505 HTTP Version Not Supported)

    0 Votes
    3 Posts
    866 Views
    Thank you. I will try that when I'm back home. Out of the country for the next week.
  • How to make changes to snort.config for variables not in WebGui

    0 Votes
    1 Posts
    485 Views
    No one has replied
  • 0 Votes
    2 Posts
    1k Views
    Have you read the previous ~1356 threads about MD5 checksum mismatches? HTTP 429 - server too busy. Stop hammering it, and wait a day or two until someone bothers to fix the checksums again. Yeah, nothing at all will happen meanwhile; it's not like the signatures are updated every 5 minutes or it'd be the end of the world not to have the latest ones. Do NOT hammer the server 20 times per hour. That won't fix it. Broken checksums and "server too busy" are not pfSense package issues.
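    The two failure modes in the reply, an HTTP 429 from the rules host and an .md5 sidecar that does not match the tarball, call for the same client behaviour: back off for hours rather than minutes, and refuse to install a download whose checksum disagrees. The code below is an added example, not the pfSense Snort package's updater. It takes the HTTP fetch as a callable returning (status, headers, body) so the retry logic can be exercised offline against a constructed stand-in server; the real rule URLs, the package's update schedule, and the one-hour base delay are this example's own assumptions.

```python
"""Rules download that backs off on HTTP 429 and checks the .md5 sidecar.

Added example, not the pfSense Snort package's updater. The fetch callable,
the hour-long base delay and the stand-in server are assumptions of this
example, not behaviour documented for the package.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

Response = Tuple[int, Dict[str, str], bytes]
Fetcher = Callable[[str], Response]

BASE_DELAY_S = 3600.0  # back off by hours, not minutes: a 429 is the server asking for less
MAX_ATTEMPTS = 3


class FetchError(Exception):
    pass


def fetch_with_backoff(fetch: Fetcher, url: str, sleep: Callable[[float], None],
                       max_attempts: int = MAX_ATTEMPTS, base_delay: float = BASE_DELAY_S) -> bytes:
    """Return the body. On 429 honour Retry-After if sent, else double the wait each time."""
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        status, headers, body = fetch(url)
        if status == 200:
            return body
        if status != 429:
            raise FetchError(f"{url}: HTTP {status}")
        if attempt == max_attempts:
            raise FetchError(f"{url}: still rate limited after {attempt} attempts, try tomorrow")
        sleep(float(headers.get("Retry-After", delay)))
        delay *= 2
    raise FetchError("unreachable")


def sidecar_for(body: bytes, filename: str) -> bytes:
    """Build a sidecar in the '<hexdigest>  <filename>' form this example expects."""
    return (hashlib.md5(body).hexdigest() + "  " + filename + "\n").encode()


def md5_matches(body: bytes, sidecar: bytes) -> bool:
    """MD5 here only catches a truncated or stale download; it authenticates nothing.
    Integrity against an active attacker has to come from the TLS channel."""
    fields = sidecar.split()
    if not fields:
        return False
    return hashlib.md5(body).hexdigest() == fields[0].decode(errors="replace").lower()


def update_rules(fetch: Fetcher, tarball_url: str, sleep: Callable[[float], None]) -> bool:
    """One download attempt per run. True only if tarball and sidecar agree;
    a False result means keep the previously installed rules and stop."""
    body = fetch_with_backoff(fetch, tarball_url, sleep)
    sidecar = fetch_with_backoff(fetch, tarball_url + ".md5", sleep)
    return md5_matches(body, sidecar)


def make_fake_server(tarball: bytes, sidecar: bytes, rate_limit_first: int):
    """Constructed stand-in for the rules host: 429 for the first N requests, then 200."""
    calls: Dict[str, int] = {"n": 0}

    def fetch(url: str) -> Response:
        calls["n"] += 1
        if calls["n"] <= rate_limit_first:
            return 429, {"Retry-After": "7200"}, b""
        if url.endswith(".md5"):
            return 200, {}, sidecar
        return 200, {}, tarball
    return fetch, calls


if __name__ == "__main__":
    tar = b"constructed tarball bytes"
    waits: List[float] = []
    fetch, calls = make_fake_server(tar, sidecar_for(tar, "rules.tar.gz"), 2)
    print("verified:", update_rules(fetch, "https://example.invalid/rules.tar.gz", waits.append))
    print("requests:", calls["n"], "waited:", waits)
```

    Running the stand-in shows the point of the reply: two 429s cost two multi-hour waits and four requests in total, and a bad sidecar yields False without any retry, because retrying a checksum mismatch cannot change the answer.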
  • Understanding Snort "Block Offenders" and "IPS Policy Selection" options

    0 Votes
    1 Posts
    924 Views
    No one has replied
  • Suricata 3.1.2_2 - Inline mode killing WAN em0

    0 Votes
    6 Posts
    1k Views
    @Redyr: @OCKTechMag: Ok. But what if… I mean, just what if I want to use "Inline mode"?  :-\ My NIC 'em' is so-called supported, right? So why not HELP, if you can, to help me work it out? But your response is snark-ish, don't you think? What's the point of a TECH forum if folks seeking help are going to be met with responses like that? Don't you THINK that, like many people, I know that 'legacy' mode is available and works? Come on now! What chipset does your em NIC use? NIC info:

    em0@pci0:1:0:0: class=0x020000 card=0x6c401462 chip=0x10d38086 rev=0x00 hdr=0x00
        vendor     = 'Intel Corporation'
        device     = '82574L Gigabit Network Connection'
        class      = network
        subclass   = ethernet
        cap 01[c8] = powerspec 2  supports D0 D3  current D0
        cap 05[d0] = MSI supports 1 message, 64 bit
        cap 10[e0] = PCI-Express 1 endpoint max data 128(256) NS link x1(x1)
                     speed 2.5(2.5) ASPM disabled(L0s/L1)
        cap 11[a0] = MSI-X supports 3 messages, enabled
                     Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
        ecap 0001[100] = AER 1 2 fatal 0 non-fatal 5 corrected
    em1@pci0:2:0:0: class=0x020000 card=0x6c401462 chip=0x10d38086 rev=0x00 hdr=0x00
        vendor     = 'Intel Corporation'
        device     = '82574L Gigabit Network Connection'
        class      = network
        subclass   = ethernet
        cap 01[c8] = powerspec 2  supports D0 D3  current D0
        cap 05[d0] = MSI supports 1 message, 64 bit
        cap 10[e0] = PCI-Express 1 endpoint max data 128(256) NS link x1(x1)
                     speed 2.5(2.5) ASPM disabled(L0s/L1)
        cap 11[a0] = MSI-X supports 3 messages, enabled
                     Table in map 0x1c[0x0], PBA in map 0x1c[0x2000]
        ecap 0001[100] = AER 1 2 fatal 0 non-fatal 5 corrected
    xhci0@pci0:0:20:0:      class=0x0c0330 card=0x1e318086 chip=0x1e318086 rev=0x04 hdr=0x00
        vendor     = 'Intel Corporation'
        device     = '7 Series/C210 Series Chipset Family USB xHCI Host Controller'
        class      = serial bus
        subclass   = USB
        cap 01[70] = powerspec 2  supports D0 D3  current D0
        cap 05[80] = MSI supports 8 messages, 64 bit enabled with 1 message
    ahci0@pci0:0:31:2:      class=0x010601 card=0x1e038086 chip=0x1e038086 rev=0x04 hdr=0x00
        vendor     = 'Intel Corporation'
        device     = '7 Series Chipset Family 6-port SATA Controller [AHCI mode]'
        class      = mass storage
        subclass   = SATA
        cap 05[80] = MSI supports 1 message enabled with 1 message
        cap 01[70] = powerspec 3  supports D0 D3  current D0
        cap 12[a8] = SATA Index-Data Pair
        cap 13[b0] = PCI Advanced Features: FLR TP
  • PfSense, Snort and Splunk

    0 Votes
    3 Posts
    6k Views
    Hi pfBasic, All that is needed is a Splunk installation, and the app is installed on Splunk. I am running it on a standalone Splunk installation and running it 24/7. When Splunk and Snort for Splunk are installed, the app is viewed through any browser that connects to the Splunk server. I haven't tried using Splunk and Snort for Splunk on a VM, but I can't see why it shouldn't be installed on a VM. The setup for Splunk and Snort for Splunk would be:

    1.) Install OS of choice (Windows, Linux, Mac OS X, Solaris, FreeBSD(?)). I don't know if there are still versions of Splunk available for FreeBSD.
    2.) Install Splunk Enterprise and get a free licence.
    3.) Connect to the Splunk server via the IP address (e.g. 192.168.0.1:8000).
    4.) Install Snort for Splunk from SplunkBase through the web interface of the Splunk server and start monitoring the Snort logs.

    That's about it. Hope this helps. fugglefeet.
  • Understanding Suricata on VPN Client Gateways?

    0 Votes
    1 Posts
    760 Views
    No one has replied
  • Suricata inline drops traffic but alerts are not always generated

    0 Votes
    4 Posts
    2k Views
    At this point we can reliably recreate blocked traffic that is dropped in Suricata, and when we disable a specific category it starts to flow. But there are still no alerts in the log for that traffic or from that IP. Trying to find the offending rule when there is no alert and 1000+ rules in the category is next to impossible. Disabling one category at a time to find the right one is not a nice way to find an offending rule. The only thing I can think of is the rules with "noalert" in them. @BMeeks Could these rules be the culprit? Can we get dropsid to take these rules into account and not add a drop to them?
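    The post's hypothesis is that a rule carrying flowbits:noalert, once rewritten from alert to drop, drops the flow without ever writing an alert, which is exactly the silent-drop symptom described. The script below is an added example, not the pfSense package's dropsid handling: it lists the noalert rules in a category (the candidates to check first) and applies a drop-sid list while leaving noalert rules as alert so the conversion cannot introduce a silent drop. It assumes standard Suricata text-rule syntax with one rule per line; the sample category is constructed, with sids in the local range.

```python
"""Apply a drop-sid list to Suricata rules without touching flowbits:noalert rules.

Added example, not the pfSense package's dropsid code. Assumes one Suricata
text rule per line; the sample rules are constructed (local-range sids).
"""
import re
from typing import Dict, List, Optional, Set, Tuple

SAMPLE_RULES = """\
# constructed sample category (not a real ruleset)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED stage1 setter"; flow:to_server; content:"stage1"; flowbits:set,example.stage1; flowbits:noalert; sid:9000001; rev:1;)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED stage2 consumer"; flow:to_server; flowbits:isset,example.stage1; content:"stage2"; sid:9000002; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED plain rule"; flow:to_server; content:"plain"; sid:9000003; rev:1;)
"""

ACTION_RE = re.compile(r"^(?P<action>alert|drop|pass|reject)\s+")
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
NOALERT_RE = re.compile(r"\bflowbits\s*:\s*noalert\s*;")


def parse_rule(line: str) -> Optional[Tuple[str, int, bool]]:
    """Return (action, sid, has_noalert) for a rule line; None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    m_action = ACTION_RE.match(stripped)
    m_sid = SID_RE.search(stripped)
    if not m_action or not m_sid:
        return None
    return m_action["action"], int(m_sid[1]), bool(NOALERT_RE.search(stripped))


def noalert_sids(rules_text: str) -> List[int]:
    """Rules that can match but never log: the first place to look for a silent drop."""
    parsed = (parse_rule(line) for line in rules_text.splitlines())
    return [p[1] for p in parsed if p is not None and p[2]]


def apply_dropsids(rules_text: str, drop_sids: Set[int]) -> Tuple[str, Dict[str, List[int]]]:
    """Rewrite 'alert' to 'drop' for the listed sids, skipping noalert rules.

    Returns the rewritten text and a report of which sids were converted and
    which were left alone because converting them would drop without logging.
    """
    out: List[str] = []
    report: Dict[str, List[int]] = {"dropped": [], "skipped": []}
    for line in rules_text.splitlines():
        parsed = parse_rule(line)
        if parsed is None or parsed[1] not in drop_sids or parsed[0] != "alert":
            out.append(line)
            continue
        action, sid, has_noalert = parsed
        if has_noalert:
            report["skipped"].append(sid)
            out.append(line)
        else:
            report["dropped"].append(sid)
            out.append("drop" + line.strip()[len("alert"):])
    return "\n".join(out) + "\n", report


if __name__ == "__main__":
    print("noalert candidates:", noalert_sids(SAMPLE_RULES))
    text, report = apply_dropsids(SAMPLE_RULES, {9000001, 9000002, 9000003})
    print(report)
    print(text)
```

    Skipping the setter rule does not weaken the policy much: the consumer rule that checks the flowbit is still converted to drop, and it does produce an alert, so the block becomes visible in the log instead of invisible.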
  • Snort error message - S5: Session exceeded configured max bytes to queue

    0 Votes
    1 Posts
    1k Views
    No one has replied
  • Invalid Timestamp Alert flooding logs?

    0 Votes
    7 Posts
    3k Views
    Awesome, got it. Thank you!
  • Snort failing to restart after rules update - manual restart works fine

    0 Votes
    4 Posts
    1k Views
    Currently the algorithm is set to AC-BNFA. I tried to run it on ACS, but it basically maxed out the RAM and made the interface very unusable. It's running on 2.3.2 on a quad-core Celeron with 4GB RAM.
  • Snort updates are failing again

    0 Votes
    10 Posts
    2k Views
    You should exclude things like .akamai.net, .akamaiedge.net and .amazonaws.com from DNSBL using the Custom Domain Whitelist. (The last one is for Snort, IIRC; however, having huge CDNs blackholed is absolutely undesired, whatever the use case.)
  • WAN Snort Alert 128:4 (spp_ssh) Protocol mismatch

    0 Votes
    10 Posts
    5k Views
    @bmeeks: @jpvonhemel: Hi Bill, I do have SSH enabled with keys and passwords disabled. I thought this was secure, and my port is not the typical 22. I understand that a port scan would reveal my open ports and figured it was secure using the key pair. I will take your advice and consider closing this port and accessing SSH via OpenVPN. That goes for the web admin too. I don't block anything with Snort, just log and review. I do see a Snort alert on WAN when I SSH in. What was odd about my AWS/Twitter IP addresses was that my public IP and port 10022 were the source, and I didn't know how to make sense of it. Source ports are usually random, or at least I thought they were. It was odd that my public IP/10022 was sending to AWS/Twitter at port 443. Anyway, I have disabled the WAN interface for Snort and will just watch out for LAN alerts. I appreciate your help. Jerold

    Using SSH with keys is much better than a password. A key can be OK, but you will see a constant stream of attempts if the bots find the open port. Without the key they should be kept out. If all you ever want is SSH, I guess for a home network key-driven logins are OK. Personally I use the OpenVPN server on pfSense and a client to access my network remotely. I then open select things from the VPN into my LAN. Bill

    Bill, great information! This is the first time I am trying to set up Snort. I do agree that having OpenVPN open is the best way, and access everything else behind it, but is OpenVPN protected against brute force attacks in Snort by default, or do you have to set that up?
  • SNORT IDS FAILING TO START ON LAN INTERFACE

    0 Votes
    2 Posts
    1k Views
    I managed to circumvent the issue by adding a check mark to the following option under the Snort LAN interface general settings: Stream Inserts, "Do not evaluate stream inserted packets against the detection engine". Snort is now running, but I find it interesting that the DNS alerts previously mentioned have stopped when using the LAN interface only. I've turned Snort on for both using all the categories and receive these types of entries again. I am guessing these are false positives, due to the fact that clicking on the magnifying glass for some of the entries shows that the IP resolves to ns1.google.com.

    2017-02-08 23:18:10  1  UDP  Attempted User Privilege Gain  216.239.32.10  53  192.168.0.5  50136  3:19187  PROTOCOL-DNS TMG Firewall Client long host entry exploit attempt
    IP address "216.239.32.10" resolves to host "ns1.google.com"

    I am still confused, however, why Snort LAN is not providing me these alerts, as it must be an internal host being NATed that is creating the false positives. Any input would be greatly appreciated. Cheers. E
  • Snort 3.2.9.2_16 Won't Start

    0 Votes
    3 Posts
    1k Views
    Update, working now. I uninstalled one more time, then manually deleted some of the Snort scripts, files and directories. On the subsequent reload, the package installed with no errors and started correctly. However, these 3 rule sets failed to download. I will wait for results when the regular downloads run as scheduled.

    - Snort VRT Rules
    - Snort GPLv2 Community Rules
    - Snort OpenAppID Detectors
  • Suricata Inline IDS not filtering IPv4

    0 Votes
    1 Posts
    596 Views
    No one has replied
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.