The pull request to update the Suricata package to 4.1.3 has been posted for the pfSense developer team to review and merge into pfSense-2.5 DEVELOPMENT. Here is the link: https://github.com/pfsense/FreeBSD-ports/pull/631.

Thought i would post for my own reference and anyone else with this problem.... Rebooting the firewall results in Suricata listening on all interfaces with 1 instance (startup). So, the problem fixed itself.

Yes, Snort and Suricata are IDS/IPS packages that can be used in pfSense. Google would be a great place to compare features and differences. (Lots of reading available on the subject) If you are trying out either for the first time, BMeeks posted a reply to a question for another user trying out Snort that may be of some use for you. (another good read): https://forum.netgate.com/topic/141743/best-rules-to-best-protection-in-wan-and-lan-interface/2

Hmm... that sounds like something you might want to ask the upstream Suricata team. I'm not sure of its significance. The Suricata bug reporting/issues site is here: https://redmine.openinfosecfoundation.org/projects/suricata. When giving them your configuration, tell them you are using inline IPS mode with netmap on FreeBSD. If you are on pfSense 2.4.x, then the FreeBSD version is 11.2; if you are using pfSense-2.5-DEVEL, then the FreeBSD version is 12.0.

@bmeeks thanks a lot!

Thank you both for your input. Yes this will be a huge learning curve for me. I will keep on analyzing.

I'll probably just run anti-malware then and front everything in the DMZ with a WAF. I already have it behind NGINX and cloudflare. Thanks for the help!

@bmeeks said in Still seeing suricata stop an interface due to .pid error: @val said in Still seeing suricata stop an interface due to .pid error: @bmeeks PM you the log file....it's way to big to post here. Thanks bmeeks. I looked through you log file. What version of the Snort Rules Snapshot file are you using? You should be using only rules packages for Snort 2.9.x if you are running Snort rules with Suricata. Your file name should be snortrules-snapshot-29120.tar.gz. Do not use the Snort3 rules (that means do not use any Snort rules file with 3 in the name). You should not be seeing those "unknown reference" error messages. The only time I've noticed those is when the user has downloaded the rules meant for use only with the new Snort3 beta package from the Snort team. Hi bmeeks I have since moved away from suricata backon Snort for now, my internet connection it's through an PPPoE connection so from my understanding suricata doesn't play well with PPPoE. I have tried few difference thing all result the same suricata still kill it self and wouldn't start again til I delete the pid file. Thanks for all the help.

If you can't figure out how !any got there, i'd be tempted to remove snort after unticking Keep Snort Settings After Deinstal then do a re install. I'd follow these steps to configure snort as written by @bmeeks who maintains the snort package. https://forum.netgate.com/topic/55095/quick-snort-setup-instructions-for-new-users/147

Netmap is not likely to play very well with a transparent firewall bridge setup, especially with the way netmap is currently implemented within Suricata. Some improvements are planned upstream for netmap, but there is not yet a timetable for their release. Also note that Suricata will not work properly with a PPPoE type interface. I mention that because that is a popular type of setup for a WAN. The most popular is DHCP, but there are lots of PPPoE connections. The least popular setup is a static IP on the WAN. If you want to continue with the transparent firewall arrangement, I recommend you use Legacy Mode blocking.

I am a little confused with this part of your question: the people I get support do not use static ip so I can ignore the requests coming to the port as I choose where and how to write a rule. I suspect English is perhaps a second language for you, and as a native English speaker, I'm having trouble following your chain of thought. Do you mean that your VoIP provider's endpoint server has a dynamic IP address or do you mean your end of the connection has a dynamic IP address? If you are dealing with a dynamic IP address, then preventing a block by IP is not possible. Snort can't deal with changing IP addresses within a Pass List. Why don't you just disable the Snort rule that is causing the block? You can do that on the ALERTS tab.

Thanks everybody for the replies! I understand it's not Snort's job to resolve the domain and I don't have any problem with seeing these kinds of alerts. However I would have at least expected it would be able to show me which domain is being looked up, moreover once the communication is established (e.g. someone visits the website or downloads something from it) Snort would kill that state and put the IP in the blacklist.

@bmeeks said in How to send Snort alert logs to Graylog without Barnyard2?: @rlrobs said in How to send Snort alert logs to Graylog without Barnyard2?: Filebeat is the best option... but.. how to install the filebeats in pfsense? https://www.elastic.co/downloads/beats/filebeat Convert packet .deb/rmp in pkg? Use .tar.gz? No, it is not likely that things compiled for Linux will work 100% correctly within FreeBSD due to shared library issues. It is my understanding that Beats in FreeBSD is a new and better (but still compatible) version of Filebeat. So FreeBSD's Beats is the same as Filebeat (at least that's my understanding). @bmeeks There is an official beats package for pfsense. http://pkg.freebsd.org/FreeBSD:11:amd64/latest/All/

Ok, I'm fine with this netmap setup. I have been using it since you had posted that Inline mode is available.

This worked for me, but I had to go through the additional step of assigning my new list to the interface that was generating the error (LAN in my case). I went to Services, Snort, Interfaces, edited the interface, scrolled down to "Choose a Suppression or Filter List (Optional) and added my newly created list then clicked Save. [image: pf-Sense-Troubleshooting-New-rule-2.png]

@swmspam said in Inline IPS to block students from using VPN in educational subnet: bmeeks, I agree that writing some new rules for purposefully sneaky VPN clients would be useful to the community at large, especially for administrators struggling with middle schoolers and educational subnets. I'm starting by reading up on forum posts of detecting OpenVPN using Snort (including posts on this forum). It doesn't look very promising because OpenVPN can wrap itself in HTTPS or other legitimate protocols. This is why I seldom favor or recommend using technical solutions to police what is fundamentally a problem of discipline and personal responsibility when it comes to Internet usage policy. As you see with this VPN client, the technical challenges are tough if you depend solely on technically preventing the software from functioning. On the disciplinary side, though, you generally only have to cut off one person's head in order to get the full attention of the rest of the crowd --- LOL. Okay, just a little bit of hyperbole there, and I'm certainly not suggesting cutting off the head of a middle schooler; but some strong disciplinary action on a few can many times convince the remainder that it's not worth taking a chance participating with the banned activity.

Contrary to my last answer. As time flies away, it might have been before Jan 18 so this issue may be fixed. I'll test again later.

CPU clock speed is going to be most important. Snort 2.9.x is single-threaded, thus it can't do much with multiple cores. Suricata is multi-threaded and supports multiple cores, but a number of independent tests of its multi-core multi-thread performance don't indicate huge gains across the board (at least not what most folks would expect). One thing to consider with high core count processors (if you use Suricata) is the need for larger amounts of RAM. Suricata bases its initial TCP Stream memory buffer setups on the number of CPU cores. So, for example, with an 8-core CPU, Suricata will usually fail to start and throw a Stream Memcap memory error with the default package configuration. You have to greatly increase the Stream Memcap settings with high core count CPUs. There are some threads about that here in the IDS/IPS sub-forum. For home use, any dual-core or quad-core CPU is plenty of horsepower. I would suggest 2.5 GHz or higher for the clock speed. Higher is better of course better.