@heliop100 said in snort not keeping blocked hosts on reboot: @bmeeks said in snort not keeping blocked hosts on reboot: Why do you need to keep the offenders blocked as long as possible? Do yo I want to block torrents downloads, As the seeds keep changing, torrents slow down, but not stops. As the blocked hosts list grows, the download speed slow down. After the pfsense reboot the process need to begin from scratch again. Thanks I fail to see a connection between persistent blocks and the action you describe. Explain to me how you think that persistent blocks make a difference in your scenario. A block is a block, it does not matter if it just happened or if it happened three months ago. If you have blocking enabled and "kill states" enabled, the torrent from that specific seeder will stop. Will the client perhaps try and find another seeder, sure, but then that seeder will be blocked if the rule is there to trigger on the packets. No IDS I am aware of has persisent blocks. In fact, an IPS does not even have the capability of persisting a block for any period of time. An IPS performs real-time drops of packet data, but there is no persisted block. Persistent blocks that hold across a firewall reboot is not a design feature of the Snort package and no such feature is ever planned. There is no need for it.

@bmeeks That's exactly what I did, except it overwrote the first file instead of creating a 5th. I'm not sure why. I can still change the names back and can get it to reproduce the same problem. Thanks for the help. At least I'm now able to add the extra conf files that I needed.

I've added it to my TODO feature list for Suricata.

Yeah, that's not supposed to happen. I will put it on my TODO list of bugs to fix. In the meantime, here is how to disable the feature if you want to stop using it. The steps below turn off the functionality of SID MGMT. Click the checkbox so the page info is displayed on the SID MGMT tab. Down at the bottom of the page, make sure all of the drop-down selectors for the Enable SID List, Disable SID List and Modify SID List are set to "none". Now click Save. If you want to immediately rebuild the rules for each configured interface, click the Rebuild checkbox beside each interface before clicking Save. This will remove the list assignment and thus no SID MGMT settings will be used.

This issue is now corrected in the latest version of the Snort package (v3.2.9.9_1 for pfSense-2.4.4_3 and v4.0_6 for pfSense-2.5-DEVEL).

@haroldye said in Snort can not update. it gose unknow all the time: Thank you very much You are welcome. Sorry for the confusion. I just posted a notice in the IDS/IPS forum so if others run into this they will know what's going on.

@everfree said in Snort v3.2.9.9 - not blocking?: Suricata 4.1.4_5 Legacy Mode blocking not actually blocking offender IPs in some setups. I have the "Which IP to Block" setting on BOTH. I think it is not fixed fully. You posted in a Snort 3.2.9.9 thread, so I read your initial post quickly and missed the Suricata part in the message. Sorry about that. I automatically assumed you were posting about a Snort issue. I get a lot of messages from various users and sometimes get all the different posts confused. I will need to check on Suricata using a test VM. Just noticed this post this morning in another thread for a different user: https://forum.netgate.com/topic/145891/my-suricata-not-blocking-legacy-mode. Look in your suricata.log file for the interface and see if a similar message is shown for your system.

@NollipfSense said in Suricata Inline and Rules: @bmeeks said in Suricata Inline and Rules: A corporate network does not want employees to have access to iTunes, Hulu, Netflix, etc. They want that stopped, so they configure security that way. A home network most definitely generally wants those services available, so you can't just go copying someone's list of rules and suppress listings unless you fully understand what those rules are actually doing. I understand Bill; however, all rules under stream-events.rule had been disabled as well as the only iTunes rule under Emerging-policy.rule had been disabled. I believe the author was from England. What about these two rules: 1:2009582 ET SCAN NMAP -ss window 1024 and 1:2027863 ET INFO Observed DNS Query to .biz TLD...I am getting lots alert so they were dropped. My opinion, and the advice I give home network users, is to enable the Snort rules download and then enable the IPS Policy - Connectivity setting. That's really all you need. Enable no other rules. That provides plenty of protection from most of the threats out there, especially if you keep your Windows machines updated with the latest security patches (in other words, leave Windows Update enabled and have your machines on a UPS so they just are on all the time and update late at night). If an admin has a good bit of IDS/IPS experience and also quite a bit of networking theory knowledge, then he can experiment with maybe the IPS Policy - Balanced setting and perhaps enable some additional Emerging Threats rules. But be prepared to have Google on speed-dial so you can quickly research potential false positives. All those events rules provided with a default Suricata installation are designed to simply detect deviations from RFC behaviors. They are triggering on protocol anomalies, and nearly 100% of the time those anomalies are completely harmless. So never set those rules to DROP, and if the alerts bother you, then disable those rules entirely. But don't obsess with them triggering, as they tend to false positive like crazy. Those ET DNS query rules are also only marginally useful at best. As you see, they will trigger quite often on even normal web traffic. Some of them will even false positive fairly often. For home users these kinds of rules are more of a bother than an addition to security. I don't run them on my system. If you keep your PC software updated, that's 95% or more of the network security battle won right there! Some IDS/IPS users want to start out with a whole bunch of enabled rules because they think it will make their setup "secure", but they quickly get frustrated because so many things (apps) get broken - and sometimes in very strange ways. Take my advice, keep it simple for many months as you get your feet wet administering an IDS/IPS. I have what I believe is a very secure setup for my home network using Snort. I may one day get zapped with a zero-day -- who knows, but I am pretty confident that my setup is secure. And my iTunes works, my Netflix works, my Facebook and YouTube videos work, and all the web sites I visit open up and display properly. I honestly do not know the last time Snort crashed or gave me any issue on my firewall, and I've been running it for many years. I get maybe one alert per month on average on my LAN from Snort. I do get several an hour on my WAN, but that's simply because I run a handful of ET rules there solely to generate alerts on purpose so I have data to use when I'm working on Snort package development tasks.

@Simbad said in Snort v3.2.9.9 Package Update - Release Notes (for pfSense-2.4.4 RELEASE): Thank you, I'll bury my head in logs like an ostrich in the ground,... [image: 1566154485077-7566b68f-a11d-4f84-9fca-df8455d0a495-image.png] I would recommend first temporarily turning off the option for sending alerts to syslog. Do that for all interfaces and then restart Snort on all interfaces. That will make for a quieter log where other messages will more easily stand out. Once you track down the problem with the troublesome interface, you can re-enable the syslog alert output.