  • Suricata

    3
    0 Votes
    3 Posts
    11k Views
    M

    Folks, I was seeing this same exact problem running on an e1000 adapter as well.  I found disabling hardware checksumming in pfSense under ->SYSTEM->ADVANCED->NETWORKING stopped all my stream errors.  It's too bad this isn't able to be set on an interface by interface basis, as I really only need this on the WAN interface, but pfSense is running on beefy hardware and so far everything seems fine performance-wise.

    This was a really tricky error to find, so I wanted to make sure others that try and run Suricata on a virtualized pfSense have an easier time than I did fixing it.

    Thanks
    Mike

  • Frequency of alerts?

    2
    0 Votes
    2 Posts
    834 Views
    P

    I think I found the problem - I forgot to hit save on one of the tabs.  All good now.

  • 505 error (RESOLVED)

    3
    0 Votes
    3 Posts
    1k Views
    P

    The problem seems to have been an extra space that got inserted when I copied and pasted my oinkcode from the Snort website.

  • Getting Snort to send emails of the alerts blocked etc

    3
    0 Votes
    3 Posts
    5k Views
    D

    Here is the solution I found so far:
    Install the mailreport package. Then set up a rule to email (daily email) a log extract from system with the following filter criteria: snort[

  • SNORT Exiting on sig 11

    10
    0 Votes
    10 Posts
    6k Views
    T

    Problem again came up.

    Snort is exiting every few minutes on the same fault message.

    Jan 31 12:25:45 SnortStartup[32739]: Snort START for WAN(7152_xn0)...
    Jan 31 12:25:45 snort[33000]: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer -> paltalkfiletran
    Jan 31 12:25:57 kernel: xn0: promiscuous mode enabled
    Jan 31 12:29:23 kernel: pid 43186 (snort), uid 0: exited on signal 11
    Jan 31 12:29:23 kernel: xn0: promiscuous mode disabled

    I'm so fed up, worked for a few days without any problem and now the same sh… again.  :-X

  • New Snort Install Local Network Coverage

    1
    0 Votes
    1 Posts
    620 Views
    No one has replied
  • Snort - need to sync the <rule_sid_off> between systems

    10
    0 Votes
    10 Posts
    2k Views
    C

    @ajrg:

    @ConfusedUser: Have you opened a bounty thread for this? I'll match your 100 USD bounty, if one exists.

    No, I didn't start a bounty thread. But I guess Bill knows my offer won't be an empty promise…

    Bill,
    Do you want me to open a bounty thread for this feature request?

  • Suricata 3.0

    2
    0 Votes
    2 Posts
    1k Views
    bmeeksB

    Suricata 3.0 is the new name for what was formerly called Suricata 2.1-BETA.  It is now in Release Candidate stage (currently on RC3).  There is some information posted about it on the Suricata site, but you have to dig around for the finer details.  Nothing really earth-shattering in terms of new features as compared to the 2.0.x Suricata tree.  The biggest bang in Suricata 3.0 comes from the new support for Netmap.  This allows super high-speed packet handling with most major NICs (although Netmap support is network card driver dependent, so not every NIC will support it initially).

    Suricata 3.0 will be in pfSense 2.3.  Work is currently in progress to convert the GUI to the new Bootstrap code used in pfSense 2.3.  Once that work is complete, a Suricata 3.0RC3 package (or whatever the current version is) will be released for pfSense.

    Bill

  • Manual Updates for SNORT

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB

    No, I don't know if it offers offline updates or not.  You can post in the top-level Packages forum and someone there will chime in.

    Bill

  • Snort auto-update whitelist with dynamic WAN gateway?

    3
    0 Votes
    3 Posts
    767 Views
    E

    Wonderful.  Thank you, Bill. That would be very helpful.

  • New version snort/ suricata?

    4
    0 Votes
    4 Posts
    2k Views
    bmeeksB

    Snort 2.9.8.0 will be along soon.  Working on converting the GUI to Bootstrap, and was trying to get that finished before updating the binary.  If the Bootstrap conversion drags out too long, I can post a Pull Request to update the binary to 2.9.8.0.

    As for Suricata, it too is being converted to Bootstrap.  One of the pfSense developers is helping with (actually he is doing) the work.  He also has other responsibilities, and the Suricata conversion is a bit behind schedule.  I have tested Suricata 3.0RC3 and it works in pfSense.  The goal is to release the updated GUI along with the new Suricata 3.0RC3 binary (or whatever is current at the time).  We are also planning to provide the long-awaited inline IPS mode with Suricata 3.0 using Netmap.  I have tested it and it works.  We just need to modify the GUI a bit to provide the necessary configuration fields.  Suricata will sport two IPS/IDS modes:  (1) legacy mode using libpcap and the custom blocking plugin (what it uses today); and (2) true inline IPS mode using Netmap.

    Bill

  • Snort output to syslog (not what I want)

    4
    0 Votes
    4 Posts
    3k Views
    E

    Ah, very helpful.  Thank you, fragged.

  • Snort: Suppress Source Addresses

    12
    0 Votes
    12 Posts
    4k Views
    RuddimasterR

    Hi Bill,

    many thanks…

    Dirk

  • Snort Rules Configuration - Backup / Duplication?

    4
    0 Votes
    4 Posts
    2k Views
    bmeeksB

    Which file are you editing?  When I directly edit the config, I use the file /conf/config.xml.  I navigate to the file using Diagnostics > Edit File.  It is living dangerously to directly edit the production file, but since mine is a home system I take the risk.  I don't know why your changes are getting overwritten.  I've never had that happen to me.

    I think there are some hoops to jump through if you import or copy in a new config.xml file itself from a remote source.  The contents of the file are saved in a large global memory array.  Perhaps something is triggering a "dump" of the in-memory data back to the file and thus overwriting the changes you just made.

    Bill

  • Snort 2.9.4.1 pkg v.2.5.8

    168
    0 Votes
    168 Posts
    105k Views
    BBcan177B

    @NetDefense:

    OK, I did some digging and figured that out. Your post makes sense to me now that I know what Emerging Threats is.

    I did notice this post is kind of old, and when I take a look at the RBN rules it appears they are no longer updated. http://doc.emergingthreats.net/bin/view/Main/RussianBusinessNetwork

    The RBN list has been discontinued for a while now… The only two free lists available from Emerging Threats (now Proofpoint) are ET Compromised and ET Block....  With the ET IQRisk suite (paid subscription) they have an IPRep list available...

  • Best Way to Bypass Snort for Specific Servers?

    3
    0 Votes
    3 Posts
    3k Views
    ?

    Create an extra DMZ and place the server inside of it, then set up Snort scanning on your LAN port.
    So the server will have an Internet connection and the rest of the LAN will be scanned by Snort.
    WAN - NAT and pf
    DMZ - Snort is not scanning
    LAN - snort is scanning

  • Suricata signature issues

    3
    0 Votes
    3 Posts
    4k Views
    T

    Ok great.  Thank you Bill.  I can definitely live with that!

  • Suricata offline rules update

    3
    0 Votes
    3 Posts
    2k Views
    J

    Thanks for your reply. I already tried that, but it didn't work out; there are a number of configuration files that need to be updated, but I could not find which ones and what to write.

  • Suricata/Snort and VPN protection

    4
    0 Votes
    4 Posts
    3k Views
    T

    Did it!  :D  Great!
    In effect, I only intend to set up Suricata for the moment.
    Thank you a lot!

  • Https://papertrailapp.com/ or a free cloud syslog for WAN Barnyard2

    5
    0 Votes
    5 Posts
    1k Views
    H

    I tried to put only the address and I changed the port from 514 to the papertrailapp port and I opened this port in the firewall, and it doesn't work. I want to try again.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.