• Suricata ETOpen rule update fails while snort updates without a problem.
    0 Votes
    3 Posts
    1k Views
    J
    Hi Bill, how right you were. Just updated without a problem. Thank you very much for taking the time to get back to me. Kind regards, John
  • Snort Alert Help
    0 Votes
    2 Posts
    598 Views
    bmeeks
    You don't need a specific rule, but you must input the MAC/IP pairs for all hosts you want to monitor in the table under the ARP Spoof Detection section of the PREPROCESSORS tab for the interface.  Be advised this option can be quite a log spammer and is not good at detecting many types of ARP attacks.  In short, it's a feature that sounds better than it really works in practice.  That's my humble opinion.  I added the configuration to the GUI because some users wanted to implement it. Bill
  • 0 Votes
    6 Posts
    3k Views
    bmeeks
    @ecfx: I know about the snort rules on suricata and that was not a problem on suricata 3.2.2; the same rules were ignored and suricata still worked. The real problem is the crash that the latest suricata version 4.0.0 now causes. Too bad the previous suricata version has gone from the pfSense repo and we can't go back. In this case upgrading to the latest suricata version was a mistake.
    Found this bug report on the Suricata Redmine site: https://redmine.openinfosecfoundation.org/issues/2251#change-8823. You can follow the progress there. The pfSense package uses the Suricata binary from upstream. The only thing the GUI package really does is create the suricata.yaml text configuration file and then display some data from logs. So any issues in the underlying upstream binary will also exist in the pfSense package. Bill
  • [ASK] Pfsense On Cloud
    0 Votes
    4 Posts
    822 Views
    bmeeks
    @ucok28: so how to make snort block?
    See my reply to you in this thread: https://forum.pfsense.org/index.php?topic=139028.msg760114#msg760114 Bill
  • SID configuration files go away on reboot
    0 Votes
    3 Posts
    372 Views
    D
    Yep, that was it. Now that my system disks are SSD, I really don't need the RAMDISK feature anymore. I am turning it off. Thanks again.
  • Snort - Blocked Hosts lost after upgrade/reboot
    0 Votes
    2 Posts
    327 Views
    bmeeks
    No, the blocks are stored in a pf table called snort2c. That table is created by the pfSense code at startup and maintained in RAM. On a reboot, it is dumped and recreated fresh but empty. Persisting blocks has no real benefit anyway. If Snort blocked the traffic once, it will block it the next time it sees it. So why persist across reboots and add all that complexity to the code? Bill
  • Barnyard2 error with Suricata inline mode
    0 Votes
    3 Posts
    457 Views
    M
    Thanks. I was able to fix this by setting the Pass List option to none. Inline mode was not working with my NICs until the latest update so I think the Pass List setting carried over when I made the switch from legacy to inline.
  • IDS decisions for home network
    0 Votes
    6 Posts
    2k Views
    P
    Is there an overview of supported network cards for inline mode? Using 2.4.x and FreeBSD 11, is there anything different from the old version 2.3.x?
  • Disable sid sidmgmt error in system logs
    0 Votes
    5 Posts
    534 Views
    bmeeks
    @doktornotor: @bmeeks: Those files are saved in /var/db/suricata/sidmods. Those files are not automatically saved during a config backup/restore operation. Is there any reason why this isn't saved base64-encoded in config.xml? It's annoying; the disablesid.conf is a pretty important piece of configuration to avoid tons of FPs.
    Well, I was leery of making the config.xml too large by including what could potentially be a lot of text. The ideal solution would be an API within pfSense itself where packages could register files to be included in automatic config backups. Other packages store large text files locally as well (pfBlockerNG does, I think). Bill
  • Snort - ignore/bypass port inspection
    0 Votes
    6 Posts
    2k Views
    NogBadTheBad
    Was going to suggest something like that, but I wasn't sure if custom rules overwrite normal rules. I use a custom rule to record when people are accessing my sftp server sat in my DMZ.
        # Alert on SSH
        alert tcp $EXTERNAL_NET any -> $HOME_NET $SSH_PORTS (msg:"SSH Detected"; flow:established,to_server; content:"SSH-"; sid:1000001; rev:1; classtype:not-suspicious;)
  • Snort vs Suricata
    0 Votes
    14 Posts
    16k Views
    D
    Ok, I know this is an older post but wanted to update that ET Pro is now $750/year. Total sticker shock on that one and out of reach for home and most small business users. So if you combine that with Snort VRT for a small business, you are over $1000/year. Can't sell that to any of my clients.
  • Suricata/Snort on a mirrored port
    0 Votes
    7 Posts
    4k Views
    bmeeks
    @Georget27: Should we create HOME_NET and EXTERNAL_NET under Firewall - Alias, or is there another place to define aliases just for Suricata please? I was looking for this :)
    You will create an alias under Firewall - Alias, and then assign the alias to a Pass List you can generate on the PASS LIST tab. Uncheck all the default-checked options for the Pass List and then choose your HOME_NET alias down at the bottom. You can name the Pass List whatever you wish, but I suggest including "HomeNet" in the name. Now go to the INTERFACE SETTINGS tab for the interface and in the section for defining HOME_NET select the recently created Alias from the drop-down and then save. Bill
  • Suricata causing kernel error "netmap_grab_packets bad pkt at"
    0 Votes
    19 Posts
    6k Views
    D
    I also am using supported hardware and get quite a few of these bad pkt errors as well. I think I am going back to legacy mode for now. It is better than it was a year ago when inline really bugged things up. I will go back to it in the future. Real shame since legacy doesn't stop everything you want.
  • Suricata & Snort subscription rules
    0 Votes
    3 Posts
    2k Views
    J
    Thank you! :-)
  • 2.4.0 Snort Issue
    0 Votes
    1 Posts
    519 Views
    No one has replied
  • Snort download pcap file
    0 Votes
    2 Posts
    959 Views
    NogBadTheBad
    You need to run u2boat to convert them to a wireshark pcap format:
        u2boat snort_51260_igb0_vlan2.u2.1507590514 pcap.cap
    You can view them via:
        u2spewfoo snort_51260_igb0_vlan2.u2.1507590514
    The directory names will start with snort_IF-NAME*
  • Suricata - Block On DROP Only ?
    0 Votes
    3 Posts
    3k Views
    P
    OK. Thanks for your support. I will follow your advice!
  • Disable class
    0 Votes
    4 Posts
    1k Views
    bmeeks
    @bbrendon: If you have your sid mgmt set to enable,disable; then you should be able to add to your disablesid.conf: pcre:protocol-command-decode I'm not sure if you need to escape the '-' but it should work.
    Thanks @bbrendon for the regex example. It should work. I, too, am not sure about the need for escaping the dash. The OP can check the results of the regex by looking at the list of active rules for the interface. The active rules will be found in the interface subdirectory inside a sub-directory called rules in a file called suricata.rules (or snort.rules for Snort). The path is like so for Suricata (Snort is the same, just replace "suricata" with "snort" in the path):
        /usr/local/etc/suricata/suricata_xxxyyyyyy/rules
    where xxx will be the physical interface name and yyyyyy will be a random GUID number. You can open the rules files you find there to see the actual enabled runtime rules for the interface. Bill
  • Exclude IP's In suricata
    0 Votes
    7 Posts
    11k Views
    M
    Hi, I haven't tried it yet. Bmeeks pointed out in this topic that you should create a custom pass rule for your whitelisted IP addresses because in Inline mode the passlist isn't working. Check this topic: https://forum.pfsense.org/index.php?topic=135331.0
    Pass rule example:
        pass ip 1.2.3.4 any <> any any (msg:"pass all traffic from/to 1.2.3.4"; sid:1000001;)
    Rule wiki: https://redmine.openinfosecfoundation.org/projects/suricata/wiki/Suricata_Rules
  • Suricata crash on latest 2.4.0-rc
    0 Votes
    10 Posts
    2k Views
    bmeeks
    I think I will bump up the defaults for Stream and Reassembly Memcap values in a future release. Bill
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.