• Disabled rule still applied even after service restart?

    1
    0 Votes
    1 Posts
    436 Views
    No one has replied
  • Snort False-Positives

    6
    0 Votes
    6 Posts
    2k Views
    Snort works on a copy of the packet; it doesn't block anything. It merely passes the offenders to the snort2c table for pf to handle. If you want an inline IDS/IPS, use Suricata. (Inline mode needs a supported NIC, plus I would not suggest this if you are using VLANs or shapers; see #6690 and #6023.)
  • Question: understanding snort custom rule syntax

    2
    0 Votes
    2 Posts
    712 Views
    The Snort user manual is a good place to start: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/
• [WORK] snort: blocking layer 7 protocols - custom rule to block OpenVPN

    6
    0 Votes
    6 Posts
    4k Views
    Hi. These alerts are not a real problem, do not worry.

    Time             Process  PID    Message
    Dec 14 16:02:30  kernel          re1: promiscuous mode enabled
    Dec 14 16:02:26  snort    91336  AppInfo: AppId 4110 is UNKNOWN
    Dec 14 16:02:26  snort    91336  Invalid direct service AppId, 4110, for 0x80a2ab500 0x819d303c0
    Dec 14 16:02:26  snort    91336  AppInfo: AppId 4043 is UNKNOWN
    Dec 14 16:02:26  snort    91336  AppInfo: AppId 4109 is UNKNOWN
    Dec 14 16:02:26  snort    91336  AppInfo: AppId 4115 is UNKNOWN
    Dec 14 16:02:25  php-fpm  85745  /snort/snort_interfaces.php: [Snort] Snort START for LAN(re1)...
    Dec 14 16:02:24  kernel          re1: promiscuous mode disabled

    Regards
  • Suricata - Alert/event pcap?

    4
    0 Votes
    4 Posts
    3k Views
    Thanks jeffh, this is what I have been looking for :)
  • Manually block IP in snort

    3
    0 Votes
    3 Posts
    3k Views
    It would be nice if there was a way to send an IP through to the firewall to be blocked directly from the Snort interface. The reason I was thinking of doing it was just to preemptively block IPs that I consider bad. Anything trying to access RDP on my firewall is "attacking" me in some way, so if I were to block them when I saw the RDP connections, which wouldn't achieve anything, it may save me when they switch to SSH, which is open and could cause problems.
  • Suricata - VTR rules md5 fails to download

    7
    0 Votes
    7 Posts
    2k Views
    I tried 2983 before, but there was a suricata update that I installed yesterday and the snort rules snapshot downloaded… So just in case none of the suggestions work, try to update the package.
  • Googlebot on suricata

    2
    0 Votes
    2 Posts
    2k Views
    By disabling the offending rule. No idea which one is blocking search engines from websites, but sure like hell must have been a genius upstream to enable that.  ::)
• Snort: Some newbie assistance

    2
    0 Votes
    2 Posts
    940 Views
    Reboot pfSense.
  • Suricata won't start after 3.0_10 update

    4
    0 Votes
    4 Posts
    4k Views
    Already tried to get support from Netgate… mentioned that in my post... they wouldn't help with Suricata - period. So, I'm stuck with "the community". I understand no one here is obligated to help anyone else, and that is fine, but the lack of enthusiasm for Suricata in general on these forums kind of bugs me. I can't run Suricata in Inline mode and I'm cool waiting for that. I'd just drop back to Snort, which has enthusiastic support here, except for the fact that it can only scan ~20% of my traffic... I might as well turn it off. Suricata examines over 99.5% of my traffic, except right now it won't start on my only blocking interface, but only on the primary of my HA pair. It starts fine on the backup firewall, so there is some kind of lower-level corruption of the config files on my primary, but that is as far as I can troubleshoot. Just venting now... I'll shut up and get back to rebuilding my firewall. :-\

    UPDATE: After a complete rebuild of my primary firewall AND a hardware change from Intel X710 adapters to Intel X520 adapters, Suricata is now humming along in Inline mode. I want to thank those who responded helpfully to my posts during the process and especially thank Bill Meeks for maintaining the Suricata package.
  • 0 Votes
    6 Posts
    5k Views
    JeGr
    @BBcan177 Thanks for chiming in. I didn't want to hijack the thread ;) but in my case I'm looking forward to more insights on the per-VLAN/subnet setting. Our use case would be to protect various customer project networks, all separated into different VLANs/subnets that are routed via our firewall. All those networks get connected via our DC WAN line. But as only two or three customers ask about IDS/IPS usage, we'd like to set up Snort (or Suricata for that matter) in a way that it listens on WAN but only intercepts/filters/blocks traffic belonging to those customers and leaves all other traffic alone. As different customers may have different needs, a per-customer (-> per public IP / per VLAN) configuration would be needed for that (IMHO), so that's the question I have: whether such a setup is possible at all. Greets
  • Snort IPv6

    3
    0 Votes
    3 Posts
    1k Views
    I'm currently only monitoring to fine-tune the ruleset, since it's been a while since I used Snort. It alerted on a couple of IPv6 packets for 1:2018959 ET POLICY PE EXE or DLL Windows file download HTTP
  • Possible bug with SnortWhitelist management

    1
    0 Votes
    1 Posts
    483 Views
    No one has replied
  • Is squid unpredictably broken?

    1
    0 Votes
    1 Posts
    838 Views
    No one has replied
  • How to limit or block torrent with snort

    1
    0 Votes
    1 Posts
    848 Views
    No one has replied
  • Help me with this snort alert: Potential DNS Cache Poisoning Attempt

    3
    0 Votes
    3 Posts
    2k Views
    Looks like your machine is making normal domain name queries to ns3.google.com.
  • Snort not logging nmap port scans on LAN

    4
    0 Votes
    4 Posts
    4k Views
    Hi. At my Snort > Preprocessors and Flow > LAN > Portscan Detection:

    Enable: X
    Protocol: all
    Scan Type: all
    Sensitivity: medium
    Memory Cap: 10000000
    Ignore Scanners:
    Ignore Scanned:

    I did an nmap scan over the pfSense LAN IP:

    nmap -T4 -A -v 192.168.0.254
    …
    Discovered open port 443/tcp on 192.168.0.254
    Discovered open port 53/tcp on 192.168.0.254
    Discovered open port 22/tcp on 192.168.0.254
    ...

    And at Snort, LAN alerts:

    2016-11-17 20:37:39  3  TCP  Unknown Traffic  192.168.0.254  8081  192.168.0.12  51052  120:3  (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE
    2016-11-17 20:37:10  3  TCP  Unknown Traffic  192.168.0.254  8081  192.168.0.12  50965  120:3  (http_inspect) NO CONTENT-LENGTH OR TRANSFER-ENCODING IN HTTP RESPONSE

    And for another nmap scan from one host on the LAN to a remote host on the Internet, no alert!!!

    OK, I will try what you say… Regards
  • ICAP protocol error

    7
    0 Votes
    7 Posts
    4k Views
    Same traffic. Fresh squid install, pf 2.3.2, squid 0.4.23_1. Antivirus breaks the internet with the aforementioned error message on numerous sites (most, actually). Tried to run the a/v update and get this in the realtime tab:

    WARNING: Clamd was NOT notified: Can't connect to clamd through /var/run/clamav/clamd.sock: No such file or directory

    a/v disabled for now, which is really too bad…
  • Need tutorial for snort

    3
    0 Votes
    3 Posts
    1k Views
    What ttblum posted is all you really need, and everything else is self-explanatory, but here is the pass list: https://doc.pfsense.org/index.php/Snort_passlist
  • Experienced user needs answers that should be obvious, yet aren't

    3
    0 Votes
    3 Posts
    770 Views
    First I try to answer the questions in your first post:

    1. E.g. imagine one day a zero-day vulnerability is discovered in the OpenVPN software. With your updated Snort ruleset you can protect your unpatched device against disclosing this vulnerability.
    2. The example above applies here again. Because of the manner in which TCP connections work, Snort will block the answer (the reply to a LAN connection) coming to your WAN interface if a rule matches the packet. So in this situation it "doesn't matter" whether a port is closed on your firewall or not.
    3. E.g. you accidentally or by mistake click a link in an email message that points to a crypto-malware file that would encrypt your whole disk. Snort will block the connection and save you from a catastrophic situation.
    4. pfBlockerNG will broaden the IPS function by blocking known malicious, attacking IP addresses and DNS addresses, thus further protecting your network against malware, spam, ransomware and other threats.

    As far as I can tell from reading your second post, you are not sure why to protect the traffic coming from the LAN interface. Your network could be attacked not just from the Internet. E.g. someone connects an infected USB drive to a computer in your network which spreads over all the machines. This infection could send private data out of your network, BUT Snort could block this too.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.