• Snort as fail2ban?

    4
    0 Votes
    4 Posts
    5k Views
    K
    Hi, thank you for the reply. Well... I did not really understand what you mean. I have been trying to follow this guide http://www.moh10ly.com/blog/pfsense/configuring-snort-on-pfsense. All I would want is, let's say I open port 443 for the web GUI and someone tries to access it many times, eventually that IP gets blocked, as it shows in the guide. But I was not able to get it working. Not sure if I add all the rules? And not sure what this unknown rule http_inspect is. See pics. Thank you. [image: Clipboarder.2015.12.25-002.png] [image: Clipboarder.2015.12.25-003.png] [image: Clipboarder.2015.12.25-004.png] [image: Clipboarder.2015.12.25-005.png] [image: Clipboarder.2015.12.25-006.png]
  • Snort false positives? Are those some false positives?

    3
    0 Votes
    3 Posts
    6k Views
    P
    Good to know! I have disabled those rules for now, but I feel there is still some cleanup to do before I get Snort running smoothly and not acting crazy on every bit that comes and goes from my LAN. Another thing for people micromanaging the rules: we can remove "Enable/Disable" changes in the current Category, remove all Enable/Disable changes in all Categories (good if you want to return to the stock ruleset), disable all rules in the current Category, enable all rules in the current Category (those two are good to enable/disable all rules quickly), but there is a missing filter to display only specific sets of rules, for example all rules that were manually disabled or enabled, all rules currently disabled or enabled, etc... and a filter to search rules by SID would be great as well... especially during a fatal error.
  • Snort ruleset update errors, SSL certificate problem

    3
    0 Votes
    3 Posts
    1k Views
    bmeeksB
    No problem here in the USA with Snort VRT updates.  Here is the log output from just after midnight Eastern Standard Time today:
    Starting rules update...  Time: 2015-12-23 01:30:01
    Downloading Snort VRT rules md5 file snortrules-snapshot-2976.tar.gz.md5...
    Checking Snort VRT rules md5 file...
    There is a new set of Snort VRT rules posted.
    Downloading file 'snortrules-snapshot-2976.tar.gz'...
    Done downloading rules file.
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Checking Emerging Threats Open rules md5 file...
    There is a new set of Emerging Threats Open rules posted.
    Downloading file 'emerging.rules.tar.gz'...
    Done downloading rules file.
    Extracting and installing Snort VRT rules...
    Using Snort VRT precompiled SO rules for FreeBSD-10-0 ...
    Installation of Snort VRT rules completed.
    Extracting and installing Emerging Threats Open rules...
    Installation of Emerging Threats Open rules completed.
    Copying new config and map files...
    Updating rules configuration for: WAN ...
    Updating rules configuration for: DMZ ...
    Updating rules configuration for: LAN ...
    Restarting Snort to activate the new set of rules...
    Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2015-12-23 01:30:54
    Could be (or could have been) a temporary condition. Bill
  • Blocking IPs automatically based on certain alerts

    9
    0 Votes
    9 Posts
    2k Views
    B
    That's not really ideal to be honest :(, but thanks for the idea! It's really, really annoying that Snort can't do this easily.
  • Is Snort warning of an exploit on our network?

    2
    0 Votes
    2 Posts
    4k Views
    F
    The alerts are just DNS queries for .pw and .su domains, often related to torrent web pages, like piratebay.su. You also need to make sure your DNS servers, especially 8.8.8.8, are in the HOME_NET of your Snort interface; otherwise, if you chose "block offenders" and selected "both" in the which-IP-to-block setting, your DNS server will get blocked by those alerts, therefore not allowing any external DNS... Check if your DNS servers are in the Blocked tab of your Snort interface. As for SNMP, make sure your firewall is configured with some permission to access this service, only allowing your specific IP. F.
  • Barnyard2 logging multiple messages at once

    1
    0 Votes
    1 Posts
    718 Views
    No one has replied
  • Tox chat snort rule

    2
    0 Votes
    2 Posts
    906 Views
    F
    Not familiar with the product, but with Suricata you can block using TLS/SSL cert/fingerprint info https://redmine.openinfosecfoundation.org/projects/suricata/wiki/TLS-keywords OR with file magic you can intercept the PGP key exchange, if they don't use TLS. Or you could block .chat domain name requests... Shouldn't be too hard to block another chat service... F.
  • (http_inspect) source and destination ports are all 80

    2
    0 Votes
    2 Posts
    707 Views
    F
    First I would check if Snort actually sees HTTP port 80 traffic and in which direction. Run these two custom rules just to make sure the traffic is inspected/seen:
    alert tcp $EXTERNAL_NET 80 -> $HOME_NET [1024:] (msg:"Incoming HTTP Port 80 Traffic"; metadata:service http; classtype:policy-violation; sid:72171001; rev:1;)
    alert tcp $HOME_NET [1024:] -> $EXTERNAL_NET 80 (msg:"Outgoing HTTP Port 80 Traffic"; metadata:service http; classtype:policy-violation; sid:72171002; rev:1;)
    You can even test AppID with this rule (it needs its own unique SID, since Snort refuses to load two rules with the same SID):
    alert tcp $EXTERNAL_NET 80 <> $HOME_NET [1024:] (msg:"appID HTTP On Known Port"; appid:http; classtype:policy-violation; sid:72171003; rev:1;)
    If these rules trigger when surfing plain HTTP (not encrypted traffic) on port 80, then everything is working... if not, maybe your EXTERNAL_NET, HOME_NET, or HTTP ports aren't set properly. F.
  • Snort and IPlist alerts

    3
    0 Votes
    3 Posts
    979 Views
    F
    It's a good question. Basically you want to add a noalert into the IP preprocessor rule. Something you could ask the Snort mailing list: is it possible to drop with a noalert with the IP preprocessor? Also, pfBlocker might be the solution: leave the packet payload inspection to your IDS, and all port or IP blocking to the firewall, PF... This is what I do. F.
  • Finding Snort stopped

    6
    0 Votes
    6 Posts
    3k Views
    bmeeksB
    Service Watchdog has problems with Snort in several areas.  First up, if you have more than one Snort interface, then you have multiple Snort instances and Service Watchdog gets fooled (it will see one Snort service running and thinks all is well when in fact every interface but one might be down).  Second, Snort is stopped by the rules update process to load new rules.  The Service Watchdog sees Snort down and restarts it quickly.  If the rules update is also trying to restart Snort, then you can wind up with multiple duplicate instances (two Snort processes on the same interface, for example). Have you seen this random stopping since the last Snort binary update?  I seem to recall a bug fix by the Snort guys to address a segfault error (or maybe that was Suricata… I get the release notes confused sometimes  :(). Bill
  • Snort Package - Enable Flash & PDF decompression

    6
    0 Votes
    6 Posts
    2k Views
    bmeeksB
    @jeffh:
    @bmeeks: These two options will be available in the next Snort update which I'm working on now.  Should be ready in a few days. The options will be included as part of the HTTP_INSPECT window that opens when you edit an HTTP Server configuration from the PREPROCESSORS tab. Bill
    Thanks! One question, why leave these options unchecked by default? Is it due to potential performance hits or is there something else that should be considered before enabling?
    No particular reason other than since they were never there before, they were sort of by default "unchecked".  In retrospect I probably should have defaulted them to "checked" and will do so in the next update. Bill
  • Suricata CUDA GPU support

    5
    0 Votes
    5 Posts
    5k Views
    C
    I would be very happy with this actually. I have quite a bit of traffic going through some pfSense boxes and Suricata struggles considerably when under very heavy traffic loads. Especially under conditions like a (fairly small scale) DDoS, where the volume is still below the line speed limit, Suricata is simply not able to keep up with the number of packets it needs to process. Even a pretty low budget GPU will allow for a significant amount of processing to be offloaded to it. This option is considerably cheaper than having to upgrade the whole box to get faster and/or more CPU cores.
  • Need opinions for package selection (pls move to /Packages forum…)

    3
    0 Votes
    3 Posts
    940 Views
    M
    Thanks BB, I'm still leaning towards PfBNG. Content filtering is getting harder due to the HTTPS nature of things, so lists of domains + cron jobs from pfBNG will fit nicely. Yes I've heard the same about ClamAV not being very good, but hey, it's better than nothing, and it still helps in a multi-layered approach. I'll throw pfBNG onto a test install of pfSense and go from there. Appreciate the info!
  • Snort: Clear Pending Changes?

    4
    0 Votes
    4 Posts
    1k Views
    ?
    Brilliant, a firewall reboot dealt with it.  Navigating away did not remove the dirty file.  Might be useful if there were some sort of 'purge' facility available for handling unwanted pending changes. Regards, Rob.
  • Newbie Question : How do I know I am using the Snort VRT Subscriber rules

    2
    0 Votes
    2 Posts
    802 Views
    bmeeksB
    If you pasted in your Oinkcode and are not getting errors, then you are getting the subscriber rules.  The Snort web site picks the rules based on the Oinkcode supplied as part of the rules download URL.  The Snort package on pfSense generates that URL for you behind the scenes using the Oinkcode you provide on the GLOBAL SETTINGS tab. Other than trusting that, you could manually verify by looking at the Snort VRT rule update release notes and verifying that any newly posted or modified rules show up that way on your box.  You can examine the text of individual rules on the RULES tab for an interface (only the rules from the categories you have selected will display, though). Bill
  • Snort failed to load .so: invalid file format

    6
    0 Votes
    6 Posts
    2k Views
    T
    I've posted a comment on another thread, but I thought it would be useful to post it here. As stated above I am using a Gigabyte motherboard which uses Realtek gigabit chips, which were giving me problems on the WAN. I added an expansion card with Intel chips to try to resolve the problem (which it did) and it also had the side effect of eliminating my problems with Snort! The network issue was that my WAN interface uses PPPoE and this would fail after 3-4 days and I would need to reboot pfSense.
  • Ntp.org and ip 95.211.224.12 (TOR)

    5
    0 Votes
    5 Posts
    4k Views
    johnpozJ
    Yup, very common stuff.  You have to keep in mind when you turn on something like Snort that there is going to be lots and lots of noise ;)  You really have to tweak the rule sets to look for the stuff that is of actual concern.  And then once you do that you might not see anything... Other than as a learning tool, I don't see much use for an IDS in a home setup.  Unless you do manage to let one of your machines get infected, pretty much all you're going to see is noise.
  • Can't start Suricata interface

    7
    0 Votes
    7 Posts
    4k Views
    bmeeksB
    You're welcome.  The thanks is really due to the guys in that linked thread who found the cause and fix.  If I recall correctly, Suricata upstream fixed a bug in that part of the code.  The fix then made installs that formerly worked (incorrectly it turns out, but they would start anyway) stop working and throw the memory allocation error. Bill
  • Snort Sig - (spp_ssl) Invalid Client HELLO after Server HELLO Detected

    7
    0 Votes
    7 Posts
    21k Views
    bmeeksB
    @Snailkhan: I am also receiving these alerts, but the source address is the WAN address of my pfSense assigned via PPPoE. One of the destination IPs belongs to Akamai Technologies, and the others cannot be resolved.
    If you run Snort or Suricata on the WAN interface only, then you cannot see your internal LAN IP addresses in alerts because the Snort daemon sees everything after the outbound NAT rules are applied (and before incoming traffic is "un-NAT'd").  For this reason, many home users prefer to run Snort or Suricata on the LAN interface.  Here, the IP addresses are seen pre-NAT when outbound and post-NAT when inbound.  This makes it easy to identify internal hosts. Bill
  • How to select Rulesets for LAN interface?

    8
    0 Votes
    8 Posts
    3k Views
    S
    Thank you for taking time to clarify this for me.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.