• Snort process runs crazy when WAN IP (PPPoE) reconnects

    0 Votes
    1 Posts
    785 Views
    No one has replied
  • Snort and Suricata on pfSense 2.3?

    0 Votes
    13 Posts
    9k Views
    After doing some more testing it seems like I am never reaching my max internet speeds with Suricata inline mode, even with Snort stopped. I also started another thread (https://forum.pfsense.org/index.php?topic=113195.0) about slow speeds with Suricata inline mode in general. That other thread is on different hardware and a different network, and is not running Snort concurrently.
  • Syntax for ET categories for drop sid file

    0 Votes
    4 Posts
    2k Views
    Trying to modify the dropsid.conf file and having troubles…. Firstly, running the daily Beta releases. On the SID Management tab there are no example.conf files. Trying to add a new file, I input dropsid.conf for a filename and a couple of lines in the body below and then save. After the save, there is still nothing there, nor after exiting and re-entering the GUI. I'm about to edit a file outside of the GUI and try the Import function. Any recommendations? Is there a location where the dropsid-example.conf file can be downloaded or pulled out of a distribution? TIA

    edit: Tried to create the file offline and import with the same result. Copied crash report for this activity below:

    Crash report begins.
    Anonymous machine information:
    amd64 10.3-RELEASE-p3 FreeBSD 10.3-RELEASE-p3 #104 95be4fb(RELENG_2_3): Sun Jun  5 10:51:54 CDT 2016 root@ce23-amd64-builder:/builder/pfsense/tmp/obj/builder/pfsense/tmp/FreeBSD-src/sys/pfSense

    Crash report details:
    PHP Errors:
    [05-Jun-2016 10:50:44 America/Denver] PHP Warning:  move_uploaded_file(/var/db/suricata/sidmods/dropsid.conf): failed to open stream: No such file or directory in /usr/local/www/suricata/suricata_sid_mgmt.php on line 125
    [05-Jun-2016 10:50:44 America/Denver] PHP Stack trace:
    [05-Jun-2016 10:50:44 America/Denver] PHP   1. {main}() /usr/local/www/suricata/suricata_sid_mgmt.php:0
    [05-Jun-2016 10:50:44 America/Denver] PHP   2. move_uploaded_file() /usr/local/www/suricata/suricata_sid_mgmt.php:125
    [05-Jun-2016 10:50:44 America/Denver] PHP Warning:  move_uploaded_file(): Unable to move '/tmp/phpAm5LA8' to '/var/db/suricata/sidmods/dropsid.conf' in /usr/local/www/suricata/suricata_sid_mgmt.php on line 125
    [05-Jun-2016 10:50:44 America/Denver] PHP Stack trace:
    [05-Jun-2016 10:50:44 America/Denver] PHP   1. {main}() /usr/local/www/suricata/suricata_sid_mgmt.php:0
    [05-Jun-2016 10:50:44 America/Denver] PHP   2. move_uploaded_file() /usr/local/www/suricata/suricata_sid_mgmt.php:125

    After investigation, found /var/db/suricata did not exist. Created /var/db/suricata/sidmods. Went back to the GUI and performed the import function again and the template was imported and displayed in the file list, and I was able to select it from the Drop SID File section drop-down list.
  • Configure ignore_scanned for snort portscan

    0 Votes
    12 Posts
    2k Views
    Thanks.  The ignore scanned option is now available in the Snort pre-processor page. There remains an issue that you can't select UDP in the scan type pull down menu on that same page, as it's missing. I've fixed that here,  but it's waiting to be merged.  https://github.com/pfsense/FreeBSD-ports/pull/138
  • 0 Votes
    2 Posts
    2k Views
    bmeeks
    Your rule syntax is missing the CLASSIFICATION tag (uses the classtype keyword).  The Snort binary on pfSense wants that in a rule because of some customization done in the CSV output module.  If that section of the rule is missing, it causes problems. Bill
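A small check for the missing-classtype problem Bill describes, added here as an example and not code from the thread or the pfSense package: it parses a Snort rule's header and option body (respecting quoted strings, so a ';' inside msg does not split an option) and reports which required keywords are absent. The list of required keywords and the sample rules are this example's own assumptions.

```python
import re

# Option keywords a rule should carry before you load it on pfSense. classtype
# is the one the reply above says the pfSense Snort build needs; msg, sid and
# rev are required by Snort itself. (Assumption: this list is the example's own.)
REQUIRED_OPTIONS = ("msg", "classtype", "sid", "rev")

# Rule header: action proto src sport direction dst dport ( options )
HEADER_RE = re.compile(
    r"^\s*(?P<action>alert|log|pass|drop|reject|sdrop)\s+"
    r"(?P<proto>\S+)\s+(?P<src>\S+)\s+(?P<sport>\S+)\s+"
    r"(?P<dir>->|<>)\s+(?P<dst>\S+)\s+(?P<dport>\S+)\s*"
    r"\((?P<options>.*)\)\s*$"
)


def parse_options(body):
    """Split a rule option body on ';' outside double quotes.
    Returns a list of (keyword, value) pairs; value is '' for bare keywords."""
    opts, cur, in_quote, prev = [], [], False, ""
    for ch in body:
        if ch == '"' and prev != "\\":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            tok = "".join(cur).strip()
            if tok:
                key, _, val = tok.partition(":")
                opts.append((key.strip(), val.strip()))
            cur = []
        else:
            cur.append(ch)
        prev = ch
    tail = "".join(cur).strip()
    if tail:
        key, _, val = tail.partition(":")
        opts.append((key.strip(), val.strip()))
    return opts


def missing_options(rule):
    """Required option keywords absent from one rule line, in REQUIRED_OPTIONS
    order; ['<header>'] if the header itself does not parse."""
    m = HEADER_RE.match(rule)
    if not m:
        return ["<header>"]
    present = {key for key, _ in parse_options(m.group("options"))}
    return [key for key in REQUIRED_OPTIONS if key not in present]


def check_rules(rules):
    """Map each rule's index to its list of missing keywords (empty = clean)."""
    return {i: missing_options(r) for i, r in enumerate(rules)}


# Constructed sample rules (local SID range, not from the original thread).
# The first is the shape the reply describes: well formed but no classtype.
SAMPLE_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound 4444"; '
    'flow:to_server,established; sid:1000001; rev:1;)',
    'alert tcp $HOME_NET any -> $EXTERNAL_NET 4444 (msg:"LOCAL outbound 4444"; '
    'flow:to_server,established; classtype:trojan-activity; sid:1000001; rev:2;)',
    # A ';' inside the quoted msg must not be treated as an option separator.
    'alert udp any any -> any 53 (msg:"LOCAL DNS; odd msg"; content:"|00 01|"; '
    'classtype:misc-activity; sid:1000002; rev:1;)',
]

if __name__ == "__main__":
    for i, missing in check_rules(SAMPLE_RULES).items():
        print(i, "ok" if not missing else "missing " + ", ".join(missing))
```

Run it over a custom rules file (one rule per line) before saving the rules in the GUI; a non-empty list for any rule is the case Bill is describing.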
  • Snort - portscan/Portsweep from WAN interface suddenly

    0 Votes
    5 Posts
    2k Views
    I'm seeing the same thing. I just noticed it today, but I'm not sure how long it's been occurring. I was running Snort rules from Jun 1st and EMThreat rules from Jun 2nd and still seeing problems. Snort is blocking facebook, google, bing and others. I forced an update and both rulesets are now dated Jun 2. We'll see if that fixes it. I've always had my portscan sensitivity set to "low" and haven't changed anything with my Snort setup for months. So I'm hoping it was just a bad batch of rules.
  • Snort and blocking access to cctv system

    0 Votes
    5 Posts
    1k Views
    MikeV7896
    The way I set mine up at home was without blocking mode enabled for a few weeks. That way nothing was actually getting blocked when an alert was triggered. I would of course need to check all alerts, and fortunately all were not major. I think I suppressed like 13 or 14 rules over the course of the non-blocking period, and when I didn't see any further alerts for a week, I put it in blocking mode. Most of the ones I suppressed were HTTP or HTTPS related, though I did also get a couple of SIP ones since my VoIP provider breaks the caller ID length (they add the country code to the number, making it longer than normal). Of course, like I mentioned, my setup is at a home and not a business… but you should be able to do something similar there too. Just keep an eye on the alerts a little more often during the non-blocking period and make sure they're harmless before you suppress them.
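One way to do the alert review MikeV7896 describes with something more systematic than eyeballing the alerts tab, added here as an example that is not part of the original post: it parses Snort alert_fast lines collected during a non-blocking period, groups them by signature, and emits candidate suppress entries in Snort's threshold.conf syntax. The alert lines, SIDs and addresses are constructed for the example; the home-net prefix and the rule for when a candidate is scoped with track by_src are this example's choices, not anything the post prescribes.

```python
import re
from collections import defaultdict

# One line of Snort's alert_fast output:
# <ts>  [**] [gid:sid:rev] <msg> [**] [Classification: ..] [Priority: n] {proto} src:port -> dst:port
ALERT_RE = re.compile(
    r"^\S+\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+)(?::\d+)?\s+->\s+(?P<dst>[\d.]+)(?::\d+)?\s*$"
)

# Constructed sample alerts (local SID range, RFC 5737 addresses), not real logs.
SAMPLE_ALERTS = """\
06/02-09:15:01.000001  [**] [1:1000001:1] LOCAL POLICY example HTTP alert [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.20:51234 -> 203.0.113.10:80
06/02-09:16:44.000002  [**] [1:1000001:1] LOCAL POLICY example HTTP alert [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {TCP} 192.168.1.21:51235 -> 203.0.113.11:80
06/02-09:17:10.000003  [**] [1:1000002:1] LOCAL VOIP example SIP caller-id too long [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.50:5060 -> 198.51.100.5:5060
06/02-09:18:12.000004  [**] [1:1000002:1] LOCAL VOIP example SIP caller-id too long [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.50:5060 -> 198.51.100.5:5060
06/02-09:20:00.000005  [**] [1:1000002:1] LOCAL VOIP example SIP caller-id too long [**] [Classification: Attempted Information Leak] [Priority: 2] {UDP} 192.168.1.50:5060 -> 198.51.100.5:5060
06/02-09:21:33.000006  [**] [1:1000003:1] LOCAL ATTACK_RESPONSE example from outside [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.99:80 -> 192.168.1.30:49152
06/02-09:22:40.000007  [**] [1:1000003:1] LOCAL ATTACK_RESPONSE example from outside [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 203.0.113.99:80 -> 192.168.1.31:49153
"""


def parse_alerts(text):
    """Return one dict per alert_fast line that parses; other lines are skipped."""
    return [m.groupdict() for m in map(ALERT_RE.match, text.splitlines()) if m]


def suppress_candidates(alerts, min_hits=2, home_net="192.168.1."):
    """Turn a non-blocking period's alerts into candidate suppress entries.
    A signature firing >= min_hits times, only ever from one internal host,
    gets a by_src suppress scoped to that host (the VoIP case in the post).
    One firing from several internal hosts gets a global candidate marked
    REVIEW. Signatures triggered from outside the home net are never proposed:
    those are the alerts to investigate, not to silence.
    (home_net as a string prefix is a simplification for this example.)"""
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[(a["gid"], a["sid"], a["msg"])].append(a)
    out = []
    for (gid, sid, msg), hits in sorted(by_sig.items()):
        srcs = {h["src"] for h in hits}
        if len(hits) < min_hits or not all(s.startswith(home_net) for s in srcs):
            continue
        if len(srcs) == 1:
            (src,) = srcs
            out.append(f"suppress gen_id {gid}, sig_id {sid}, track by_src, ip {src}"
                       f"  # {msg} ({len(hits)} hits)")
        else:
            out.append(f"suppress gen_id {gid}, sig_id {sid}"
                       f"  # REVIEW: {msg} from {len(srcs)} hosts")
    return out


if __name__ == "__main__":
    for line in suppress_candidates(parse_alerts(SAMPLE_ALERTS)):
        print(line)
```

The output is a starting point for the Suppress List in the GUI, not something to paste blindly: every entry, and especially the REVIEW ones, still needs the "make sure they're harmless" step the post insists on.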
  • Snort - Possible GUI Bugs

    0 Votes
    3 Posts
    952 Views
    bmeeks
    This is most likely a Bootstrap conversion bug in the GUI code.  Could be a "display only" bug meaning the correct values are actually stored and written to the snort.conf file.  I can add it to my list of bug fixes for the next update. Bill
  • Snort ip list added do not show in the interface config snort

    0 Votes
    2 Posts
    612 Views
    @enriluis: Hi all! I'm using pfSense 2.3.1_1 with Snort package 3.2.9.1_13. When I try to add an IP list with some IP addresses so that they will be trusted, for example, the IP list I added does not show up in the interface config. Sorry about my English. Sorry, I was posting in the wrong place.
  • Suricata & PPPoE Interfaces - Bug Reported to Openinfosecfoundation.org

    0 Votes
    21 Posts
    5k Views
    dotOne
    Same place as it always was. Interface -> <if>Flow/Stream Subheader "Stream Engine Settings" /AV</if>
  • Suricata stops after 10 seconds

    0 Votes
    2 Posts
    1k Views
    bmeeks
    Do a quick search through this forum and you will find the solution.  You need to increase the STREAM memory settings.  Off the top of my head I don't recall the exact parameter.  Search for this error either here or on Google to find the exact parameter to tweak: [ERRCODE: SC_ERR_POOL_INIT(66)] All those other errors are caused by running Snort VRT rules on Suricata.  There are many Snort VRT rules that Suricata will not digest and will discard and not use because they contain unsupported rule options. Bill
  • Update - Suricata V3.0 Inline Mode

    0 Votes
    3 Posts
    1k Views
    I was able to use CODELQ traffic shaping with Suricata inline mode but could not use HFSC traffic shaping with inline mode. HFSC in inline mode created a problem resulting in Netmap grab packet errors that showed up on the console screen. It was not clear what to do about these errors. While CODELQ does reduce bufferbloat, it does not do it nearly as effectively as HFSC.
  • Barnyard logging settings

    0 Votes
    4 Posts
    2k Views
    Unfortunately Snorby is no longer being maintained. PLEASE NOTE!  This will most likely be our last Snorby package update.  The creator and lead developer of Snorby has left the project and so Snorby is now considered unmaintained.  Snorby will be removed from Security Onion in the future and so you should begin transitioning to Squert, Sguil, and/or ELSA. http://blog.securityonion.net/2015/08/snorby-263-package-now-available-final.html
  • Snort vs Suricata. Pros and Cons ?

    0 Votes
    4 Posts
    13k Views
    bmeeks
    Still no change from the recommendation in the old thread.  Unless you have well over 1 Gigabit/sec of sustained throughput (not little bursts), then either IDS can keep up.  The differences are mainly cosmetic in my view. Suricata can log more kinds of extra details (not that it detects more alerts, just logs more details about specific traffic). Snort has the new OpenAppID preprocessor that Cisco/Sourcefire recently made open source. Suricata is multi-threaded and at the moment Snort is not, but refer to my first point about throughput.  Unless you are essentially some huge enterprise with very high sustained throughput on an interface, Snort is fine even if it is currently single-threaded. Suricata on pfSense can now use the new Netmap API and driver to be a true IPS (Intrusion Prevention System) with inline blocking.  Note this only works with certain NIC drivers, though.  Snort still uses libpcap to analyze copies of packets, and then inserts offending IP addresses into the pf firewall (in a table called snort2c).  So if inline IPS is important to you and you have a supported NIC, Suricata is a better fit. The comments in the older threads about rules support (rule options and keywords, mainly) are still true.  Suricata will choke on about 700-800 of the Snort VRT rules and skip loading them. Bill
  • WAN goes down after disabling Snort

    0 Votes
    7 Posts
    2k Views
    Following your suggestion, I replaced my NIC with an Intel PRO/1000 MT. I then used the manual firmware upgrade process to update to the 2.3.1 Update image (downloaded from the pfSense site). I'm not sure if it's the new NIC or the manual update that did it (most likely the new NIC), but pfSense 2.3.1 is now running stable on my hardware. Thanks for all your help Bill.
  • Suricata: Pass List option missing on Edit Interface Settings

    0 Votes
    6 Posts
    2k Views
    bmeeks
    @adam65535: I wonder if it should just be greyed out or shrunk down to 1 line to somehow say it can not be set until blocking is enabled. Maybe that doesn't fit in the context of de-cluttering though. Not a big deal for me as I know how it works now.

    There was some discussion along a similar vein back during the end stage of the Bootstrap GUI beta for pfSense (whether to hide or just gray out controls that are not used/needed depending on other dependent option settings). The idea behind hiding them completely is to reduce scrolling distance on the page, but there is the potential confusion factor when they are not there at all. Bill
  • Suricata 3.0 Inline dropsid.conf Options

    0 Votes
    5 Posts
    5k Views
    Thank you for the super fast reply kind Sir! Winner winner chicken dinner post I found in your post history: https://forum.pfsense.org/index.php?topic=108365.msg603749#msg603749

    # Category DROPS - All emerging categories
    emerging-activex,emerging-attack_response,emerging-botcc.portgrouped,emerging-botcc,emerging-chat,emerging-ciarmy,emerging-compromised,emerging-current_events,emerging-deleted,emerging-dns,emerging-dos,emerging-drop,emerging-dshield,emerging-exploit,emerging-ftp,emerging-games,emerging-icmp,emerging-icmp_info,emerging-imap,emerging-inappropriate,emerging-info,emerging-malware,emerging-misc,emerging-mobile_malware,emerging-netbios,emerging-p2p,emerging-policy,emerging-pop3,emerging-rbn-malvertisers,emerging-rbn,emerging-rpc,emerging-scada,emerging-scan,emerging-shellcode,emerging-smtp,emerging-snmp,emerging-sql,emerging-telnet,emerging-tftp,emerging-tor,emerging-trojan,emerging-user_agents,emerging-voip,emerging-web_client,emerging-web_server,emerging-web_specific_apps,emerging-worm
    #try next:
    #emerging*
    #  PCRE IPS Policy DROPS  |
    # -----------------
    pcre:pcre:security-ips\s*drop

    In addition to this I missed the checkbox for "Enable Automatic SID State Management" (attached screenshot for future pfSense friends). Screenshot of the drop is attached (red text; blotted out my public IP). Overkill - attached screenshot of the "Interface SID Management File Assignments" block and a screenshot of the whole page.

    Attachments: missedcheckbox.PNG, reddrop.PNG, interfacesidmanagementfileassignments.PNG, all.PNG
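To make the mechanics of the dropsid.conf posted above concrete, here is an added example (not code from the thread or from the pfSense package) that parses a SID Management file with the three kinds of entry shown there, comma-separated category names, gid:sid pairs and a pcre: line, and rewrites the matching enabled rules from alert to drop. The parsing rules follow what the post shows and are this example's reading of the format, not the package's implementation; the rules and the shortened conf are constructed, and the commented-out wildcard form is deliberately not handled.

```python
import re

# Constructed SID Management file in the shape of the dropsid.conf shown above
# (a small subset of categories, plus one gid:sid and one pcre: line).
SAMPLE_CONF = r"""
# Category DROPS - two categories instead of the full emerging list
emerging-scan,emerging-dos
# One specific rule by gid:sid
1:1000010
# PCRE IPS Policy DROPS
pcre:security-ips\s*drop
"""

# Constructed rules keyed by category file name (local SID range). The
# disabled rule in the last category must stay disabled whatever matches.
SAMPLE_RULES = {
    "emerging-scan": [
        'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL SCAN example"; flags:S; sid:1000001; rev:1;)',
    ],
    "emerging-policy": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"LOCAL POLICY dropped by sid"; sid:1000010; rev:1;)',
        'alert tcp $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL POLICY untouched"; sid:1000011; rev:1;)',
    ],
    "snort_malware-cnc": [
        'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL CNC dropped by pcre"; metadata:policy security-ips drop; sid:1000020; rev:1;)',
        '# alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL CNC disabled"; metadata:policy security-ips drop; sid:1000021; rev:1;)',
    ],
}

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
GID_RE = re.compile(r"\bgid:\s*(\d+)\s*;")
ENABLED_ACTION_RE = re.compile(r"^(alert|log|pass)\b")


def parse_sidmods(text):
    """Parse a dropsid/enablesid/disablesid style file into
    (categories, gid:sid strings, compiled pcre list).
    Semantics assumed from the post above: '#' lines are comments, other lines
    hold comma or whitespace separated category names or gid:sid pairs, and a
    line starting with 'pcre:' is a regex tested against the whole rule text.
    Wildcards such as the commented-out 'emerging*' are not handled here."""
    categories, sids, pcres = set(), set(), []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("pcre:"):
            pcres.append(re.compile(line[len("pcre:"):].strip()))
            continue
        for tok in re.split(r"[,\s]+", line.split("#", 1)[0].strip()):
            if not tok:
                continue
            if re.fullmatch(r"\d+:\d+", tok):
                sids.add(tok)
            else:
                categories.add(tok)
    return categories, sids, pcres


def rule_gid_sid(rule):
    """gid:sid of a rule line; gid defaults to 1 when the rule has no gid option."""
    sid = SID_RE.search(rule)
    gid = GID_RE.search(rule)
    return f"{gid.group(1) if gid else 1}:{sid.group(1) if sid else 0}"


def apply_drops(rules_by_category, conf_text):
    """Return a copy of rules_by_category with every enabled rule that the
    conf selects (by category, by gid:sid, or by pcre match) rewritten to
    the drop action, which is what the Drop SID File does for inline mode."""
    categories, sids, pcres = parse_sidmods(conf_text)
    result = {}
    for category, rules in rules_by_category.items():
        rewritten = []
        for rule in rules:
            selected = (category in categories
                        or rule_gid_sid(rule) in sids
                        or any(p.search(rule) for p in pcres))
            if selected and ENABLED_ACTION_RE.match(rule):
                rule = ENABLED_ACTION_RE.sub("drop", rule, count=1)
            rewritten.append(rule)
        result[category] = rewritten
    return result


if __name__ == "__main__":
    for category, rules in apply_drops(SAMPLE_RULES, SAMPLE_CONF).items():
        for rule in rules:
            print(category, "->", rule.split(" (", 1)[0])
```

The pcre: entry is the one to be careful with: it is matched against the whole rule text, so a loose pattern will silently turn far more rules into drops than the category list alone, which is exactly why the post checks the result in the alerts view afterwards.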
  • One way snort and WAN

    0 Votes
    1 Posts
    705 Views
    No one has replied
  • Suricata: How many Suricata processes should be seen?

    0 Votes
    5 Posts
    2k Views
    Suricata seems to allocate 1.5 detection threads per core.  So on my Firewall with 4 cores, I get 6 detection threads and a management thread making 7 for a single LAN interface. More information in the Threading sections here: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricatayaml
  • Snort Blocking Disabled on LAN - Keeps On Blocking

    0 Votes
    10 Posts
    4k Views
    bmeeks
    @jpvonhemel: All is well and I am only seeing alerts and no blocking now. Any idea how I ended up with duplicate processes running? Thanks, Jerold

    This can happen when your WAN IP address changes/updates or for whatever reason the system issues multiple "restart all packages" commands in a short period of time. Snort can get started multiple times in this scenario. There is logic in the shell startup script for Snort that tries to prevent this, but it does not always work. Bill
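A quick way to spot the duplicate-process condition Bill describes, added here as an example rather than anything from the thread or the package: it reads a ps listing, keeps only snort or suricata processes, and groups them by the capture interface given with -i, so two PIDs on the same interface stand out. The process listing and its flags are constructed for the example (modelled loosely on how the pfSense package starts the daemons; only the binary name and the -i argument matter to the parser); on the firewall you would feed the function the output of ps -ax -o pid,ppid,command instead.

```python
import re

# One `ps -ax -o pid,ppid,command` line: pid, ppid, then the full command line
PS_LINE_RE = re.compile(r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<cmd>.+)$")
# The capture interface is passed to both daemons as `-i <ifname>`
IFACE_RE = re.compile(r"(?:^|\s)-i\s+(\S+)")

# Constructed process listing (assumption: flags approximate the package's;
# two snort processes on em0 is the fault being diagnosed).
SAMPLE_PS = """\
  PID  PPID COMMAND
  311     1 /usr/local/bin/snort -R 12345 -D -q -l /var/log/snort/snort_em012345 -G 12345 -c /usr/local/etc/snort/snort_12345/snort.conf -i em0
 4102     1 /usr/local/bin/snort -R 12345 -D -q -l /var/log/snort/snort_em012345 -G 12345 -c /usr/local/etc/snort/snort_12345/snort.conf -i em0
  320     1 /usr/local/bin/snort -R 67890 -D -q -l /var/log/snort/snort_em167890 -G 67890 -c /usr/local/etc/snort/snort_67890/snort.conf -i em1
  330     1 /usr/local/bin/suricata -i em1 -D -c /usr/local/etc/suricata/suricata_67890_em1/suricata.yaml --pidfile /var/run/suricata_em167890.pid
  999   900 grep snort -i em0
"""


def ids_instances(ps_text, binaries=("snort", "suricata")):
    """Map (binary, interface) -> sorted list of PIDs for every Snort or
    Suricata process in a ps listing. Lines whose argv[0] is not one of the
    daemons (a grep for 'snort', say) are ignored, as are daemons with no -i."""
    instances = {}
    for line in ps_text.splitlines()[1:]:  # skip the ps header line
        m = PS_LINE_RE.match(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        if not argv or argv[0].rsplit("/", 1)[-1] not in binaries:
            continue
        iface = IFACE_RE.search(m.group("cmd"))
        if not iface:
            continue
        key = (argv[0].rsplit("/", 1)[-1], iface.group(1))
        instances.setdefault(key, []).append(int(m.group("pid")))
    return {k: sorted(v) for k, v in instances.items()}


def duplicate_instances(ps_text):
    """Only the (binary, interface) pairs with more than one process: the
    situation the reply above describes after a WAN IP change."""
    return {k: v for k, v in ids_instances(ps_text).items() if len(v) > 1}


if __name__ == "__main__":
    for (binary, iface), pids in duplicate_instances(SAMPLE_PS).items():
        print(f"{binary} on {iface}: {len(pids)} processes, pids {pids}")
```

If it reports more than one PID for an interface, stop the instance from the Snort or Suricata interfaces tab rather than killing a PID by hand, then start it once; two daemons on the same interface will keep stepping on each other's block table and log directory until one is gone.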
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.