  • Rule reference links in Snort/Suricata Alerts GUI
    0 Votes
    2 Posts
    1k Views
    bmeeks
    This would involve quite a bit of overhead. Currently none of the references data is recorded with alerts. That is just the way Snort and Suricata work. The only thing you get is the GID:SID and a handful of other parameters. The References are not included, so the PHP code would have to work some complicated magic behind the scenes to find and link the references. If you want this level of information, better to configure Snorby or a similar logging repository and send alerts over there. Snorby has a process where it will automatically find the references if you configure a separate product to provide it the raw rules files. To do this right and with decent speed would require a relational database. You don't want that running on your firewall.
    Bill
  • GUI suggestion
    0 Votes
    3 Posts
    992 Views
    M
    Hi Bill! Thanks for the insights into how things work :) If it can be modded, great; if it can't, I will click through :) Not a problem at all.
  • Snort - Best Search Method for Core 2 Duo, 4GB RAM. ET Open rules?
    0 Votes
    3 Posts
    3k Views
    H
    @THS: Hello. I noticed that my CPU was hitting 77 degrees C with my 100Mbps connection saturated. What Search Method is ideal for this setup? Default is AC-BNFA. I notice that my system is only using 1.8GB out of the 4GB available. Is one of the search methods easier on the CPU but better utilizes the 4GB? Also, what about ET Open rules? For VRT, I have IPS Policy Selection set to "Balanced". There is no Policy for ET Open rules. Which ones are recommended for home / home office use? I am NOT running any servers btw.
    I have a similar set-up to your system running Snort and it's using less than 1GB! Try AC-BNFA-NQ for search method. Personally I do not tick/use IPS Policy; I pick the rules manually (untick that option to pick rules manually). I also use Snort GPLv2 Community Rules (VRT certified). If you choose to pick the rules manually I recommend starting with the rules below, test them for false positives and suppress the false positives; there will be quite a few when you're just starting to use Snort. Add new rules as you go along, test and suppress. Good luck!
    Start with these: emerging-malware.rules, emerging-trojan.rules, emerging-worm.rules, emerging-ciarmy.rules, emerging-current_events.rules, emerging-dshield.rules, emerging-compromised.rules, emerging-scan.rules, emerging-info.rules, emerging-exploit.rules, emerging-mobile_malware.rules, emerging-misc.rules.
  • 0 Votes
    2 Posts
    1k Views
    N
    For anyone else having this issue: delete the file /var/run/snort_pkg_starting.lck and try again. Snort should start right up.
  • [Solved] Snort Updates - Bad MD5 checksums (all files)
    1 Votes
    3 Posts
    5k Views
    bmeeks
    Very, very bad idea to use RAM disks with Snort or Suricata. You will run out of disk space and have weird issues. You just experienced one of them. I suggest only running the IDS/IPS packages on systems with a relatively large hard disk (conventional or SSD) and stay away from NanoBSD installs and the use of RAM disks.
    Bill
  • Backup doesn't save dropsid.conf file…
    0 Votes
    2 Posts
    704 Views
    bmeeks
    Those files reside physically on the firewall and are not part of a config.xml backup. That's why the icons are there to download the files so you can save them offline elsewhere.
    Bill
  • Snort alert due to .pw DNS request : rule 1:28039
    0 Votes
    16 Posts
    7k Views
    M
    @BBcan177: How do you quickly find out in which category that SID is, BB?
    In the screenshot… it says "INDICATOR-COMPROMISE". So short answer: "Snort-Indicator-Compromise" category… Looking at the rule, it's enabled with the "Balanced" and "Security-policy" setting:
    alert udp $HOME_NET any -> any 53 (msg:"INDICATOR-COMPROMISE Suspicious .pw dns query"; flow:to_server; content:!"|01|u|02|pw"; content:"|01 00 00 01 00 00 00 00 00 00|"; depth:10; offset:2; content:"|02|pw|00|"; distance:0; fast_pattern; metadata:policy balanced-ips alert, policy security-ips drop, service dns; classtype:trojan-activity; sid:28039; rev:5;)
    You can click on the "Disable Sid" icon in the Alerts or Blocked tab to disable it on the WAN… and then go to the "LAN Rules" tab in Snort/Suricata, select the category "Snort_indicator_compromised.rules" and enable sid 28039. You might need to restart the interfaces for it to take effect... If you find that it's a false positive, you could add a suppress to the LAN interface suppress list, so the rule will only fire for other .pw domains, excluding this particular DST IP... (Once you figure out which DST IP you want to suppress, that is...)
    suppress gen_id 1, sig_id 28039, track by_dst, ip x.x.x.x
    You know I love you with all my heart, BB :P But I have no 'Snort-Indicator-Compromise' category, really not ;D Pic to prove :-* It turns out I found it, thanks to your tip, in IPS Policy - Security. It was disabled; I enabled it now. Let's see what shows up now. Thanks BB :P
    [image: BB_daman_hecan.jpg]
  • Suricata 3.0_7 crash report - pfSense 2.3 (2.3_1)
    0 Votes
    1 Posts
    869 Views
  • Suricata incompatibility with pcap utils? (tcpdump / tshark)
    0 Votes
    5 Posts
    2k Views
    T
    Just wanted to confirm that this happens even in a VM (VMware Workstation 12 Pro), so it's not a hardware/driver issue.
  • Suricata GUI package v3.0_6 for pfSense 2.3 - Release Notes
    0 Votes
    29 Posts
    7k Views
    N
    I have doubled the rules for the LAN interface and performed the test; for some unknown reason… maybe a start/restart of the service… I started seeing WAN alerts. I have no explanation... still looking to understand why it started working now.
  • Suricata / Drop rule
    0 Votes
    7 Posts
    10k Views
    T
    Bill, thank you for the additional information. It is helping my understanding click together. I am not interested in MITM attacks. I just want to shut down certain things, not eavesdrop. fsansfil, thank you for showing a way to achieve what I was looking for. There is so much to Suricata to take in. As with anything, time and experience is what is needed, along with some outside help.
  • Certificate Error Flagged - Suricata V 3.0
    0 Votes
    3 Posts
    663 Views
    G
    Thanks Bill, your thoughts are the same as mine. It must be their web hosting service.
  • Suricata v3.0 - Drop Rules Highlight Color
    0 Votes
    4 Posts
    1k Views
    bmeeks
    @TEP71: Bill, Thank you very much. I understand I will have to change this every time there is an update. It wasn't a hard change to make and it is something I can do when needed. Thank you again for your time. – Thom
    Glad to be of help.
    Bill
  • Snort - Performance Tweaks
    0 Votes
    1 Posts
    1k Views
  • Snort blocked pfSense Forum
    0 Votes
    4 Posts
    4k Views
    MikeV7896
    That's happening because of a SIP rule (spp_sip)… and yeah, a web address URL for many sites would certainly be too long for SIP. The better question would be why a SIP rule is being triggered for a web connection.
  • Test Snort Rule
    0 Votes
    2 Posts
    4k Views
    bmeeks
    Your rule is missing the proper action keyword and a classification parameter. The valid action keywords are generally "alert" or "drop". On pfSense, "alert" is the only valid keyword. The classification is a parameter string obtained from the classification.config file. One easy way to test Snort is to enable the Emerging-Threats Scan rules, then visit one of the online scanner web sites and have it scan your public IP for exposed services. That should trigger Snort. You can do the same by scanning your WAN IP (assuming that's where Snort is installed) with nmap. Saves you the problem of writing a custom rule. Snort is quite unforgiving with syntax errors, as you see.
    Bill
  • Bug tracker for the Snort/Suricata GUI?
    0 Votes
    9 Posts
    2k Views
    W
    Not Nano - full standard install from .iso onto a 90GB SSD. Yes, I did a complete wipe and installed 2.3 Release, then set up pfBlockerNG and Suricata. I couldn't get Suricata to work at all. I disabled it, installed Snort, set it up and it is working. Then I upgraded to 2.3.1 Dev and it is still all working. I think I may have the netmap issues going on. I'll wait until the problem is solved before tackling Suricata again. Thank you for your help and your comments in other threads about issues with netmap.
  • PfSense-pkg-suricata-3.0_7 – Release Notes
    0 Votes
    10 Posts
    3k Views
    bmeeks
    @pfsenseboonie: Wishlist Item: When listing internal IPs in the alerts tab it uses the real IP and not the IP of the external pfSense interface. For example… client = 1.2.3.4, router external iface = 2.2.3.4, ISP modem = 2.2.3.1; ping from any client to ISP modem. In the alerts log it would be DST = 2.2.3.1 and SRC = 2.2.3.4.
    Running Suricata (or Snort) on the WAN means the sensor sees inbound traffic before any NAT rules have applied, and outbound traffic after NAT rules have been applied. Either way internal hosts are generally not visible if you use NAT and have Suricata or Snort on the WAN. The solution to this problem is to run the sensor on your LAN interface(s) and not the WAN when using NAT.
    Bill
  • Suricata 3.0 Inline Mode & Traffic Shaping
    0 Votes
    3 Posts
    1k Views
    G
    Bill: Thanks for the update. You have confirmed the issue. Howard
  • Snort Suppress List Edit in 2.3
    0 Votes
    5 Posts
    1k Views
    bmeeks
    @vbentley: I am unfamiliar with Bootstrap, but I think this is a style sheet issue. I have had a quick look but ran out of time today to actually start experimenting with changes. In pfSense.css it looks like this style dictates the width:
    .col-sm-10 .form-control { width: calc(50% - 15px); }
    I will try and get back to this later in the week.
    You are correct it can be fixed by modifying the CSS, but it would not be good behavior for a package to do that. You can override the Bootstrap default style for any object (HTML element, actually) by adding the appropriate attribute on the page. I've done that in other places within the GUI for Snort and Suricata for textarea controls. I will do the same for this control. If you want to experiment (and maybe learn a little about Bootstrap), here is an example of adding the additional attributes to the textarea control –
    $modal->addInput(new Form_Textarea('logtext', '', '...Loading...'))->removeClass('form-control')->addClass('row-fluid col-sm-10')->setAttribute('rows', '10')->setAttribute('wrap', 'off');
    In Bootstrap, the class "col-sm-10" sets the width of an element relative to Bootstrap's 12-column grid. It assumes the display device's screen is evenly divided into 12 columns. So the widget above is set to be 10 columns wide. Ignore the use of $modal. In the file we are discussing for editing a Suppress List, the variable name is $section.
    Bill
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.