• Snort | Unknown rule option: 'stream_size'.

    3
    0 Votes
    3 Posts
    3k Views
    bmeeksB

    You most likely have a required preprocessor disabled.  Make sure the STREAM5 preprocessor is enabled on the PREPROCESSORS tab.  In fact, users should really never disable any of the default-enabled preprocessors unless they are very highly skilled with the operation of Snort.

    Bill

  • Suricata Package Update – 2.0.8 pkg v2.1.6 Release Notes

    2
    0 Votes
    2 Posts
    768 Views
    D

    Got the package updated during 2.2.4 upgrade. Works great.  8)

  • Suricata X-Forward-For

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB

    @digdug3:

    Yes, you are right, according to the thread they added it to Suricata 2.0 and in the unified2 chain.
    Can you explain where the current Suricata package is getting its blocking IPs from?
    Then I'll try to figure it out.

    From the alert-fast log chain.  The blocking plugin is in the Suricata output chain.  It may be that some additional information is buried in the Packet structure passed to the blocking plugin, but I have not investigated it that deeply yet.

    Bill

  • Snort or Suricata

    6
    0 Votes
    6 Posts
    4k Views
    D

    Also, a lot of those unsupported rules should work with Suricata 2.1.

  • Snort Alert Port Scan Multiple & TOR

    7
    0 Votes
    7 Posts
    4k Views
    bmeeksB

    @Abhishek:

    Google/YouTube is getting blocked. I whitelisted 1 IP in passthrough. I guess I need to find the source rule which is blocking it and remove it, since Google uses a lot of IP ranges and whitelisting the entire range is impossible.

    Correct.  Identify the blocking rule on the ALERTS tab and then click the red X beside the SID to automatically disable that rule for the interface.

    Bill

  • Snort 2.9.7.0 pkg v3.2.2 2.1.5-RELEASE (amd64) Snort VRT Rules Error 505

    9
    0 Votes
    9 Posts
    3k Views
    bmeeksB

    @foresthus:

    Hi there,

    Please give this hint.

    It should be the variable "VRT_DNLD_URL" (snort_defs.inc or snort.inc or snort_check_for_rule_updates.php) which must be changed. But what is the new URL?

    Thanks a lot.
    ;)

    The Snort VRT has removed the rules tarball for Snort versions older than 2.9.7.2, so there is no URL to give you for the 2.9.7.0 version.  With Snort, the version of the binary and the version of the rules tarball must match.  A check is done by the binary to be sure they match up.  This is not a pfSense problem, but is a decision of the Snort team.

    You need to upgrade your pfSense to a 2.2.x version and then update Snort to version 2.9.7.3.  By the way, version 2.9.7.5 of Snort was just released.  I will be submitting an update for the pfSense package in the near future.

    Bill

  • Correcting "FREAK Weak Export Suite From Client" Alerts

    6
    0 Votes
    6 Posts
    1k Views
    A

    @bmeeks this is working great and I can see now where the vulnerable client is.  Thank you.

  • Snort - rules update fails daily

    5
    0 Votes
    5 Posts
    2k Views
    bmeeksB

    I honestly don't think the Snort package is at issue here.  If it was, then I would expect many complaints here of similar nature.  My personal experience is that you do generally want to avoid the period around midnight U.S. Eastern Time.  I would frequently encounter errors then on the nightly downloads.  I moved the update time to 0130 Eastern and no more issues.  I suspected the VRT folks had some kind of server maintenance task running at midnight, but that was just a guess.

    Since you have problems even with manual downloads, I would look at other basic connectivity problems somewhere.  Is there anything else in the chain like a proxy (Squid perhaps?), another upstream firewall, etc.?

    Bill

  • SNORT blocking friendly IP alias

    7
    0 Votes
    7 Posts
    1k Views
    S

    Thanks man! Greatly appreciated!

  • Upgrade Snort to 3.2.6

    4
    0 Votes
    4 Posts
    979 Views
    bmeeksB

    @MilesDeep:

    Thanks.  That's easy enough.  Will all the conf files remain intact?

    Yes, Snort and Suricata upgrades use the existing configuration stored in the config.xml file on the firewall.  The actual snort.conf (or suricata.yaml) conf file for the binary is regenerated each time the binary is started.

    Bill

  • Snort behind an external firewall - Is there a need for Snort?

    6
    0 Votes
    6 Posts
    2k Views
    G

    @fsansfil:

    With everything going HTTPS these days, a Bluecoat or Squid with ICAP and sslbump is better for web filtering than an IPS.

    You might be better suited with a proxy.

    "So I am NOT complaining!"

    No harm, no offense; it's just me after working 12 hrs in a row, doing Suricata rules ;)

    F.

    I have the ICAP/Clam anti-virus enabled in my squid3 config.

  • Snort only runs ET rules, not Snort VRT

    5
    0 Votes
    5 Posts
    1k Views
    D

    2.1.5 is dead. Move on. No fixes will ever appear there.

  • Snort not starting after upgrade to 3.2.6

    12
    0 Votes
    12 Posts
    3k Views
    D

    As noted above - try without sync. (Hopefully gone everywhere again with 2.2.4.)

  • Why would a crawler coming from Google netblock show up as malevolent?

    2
    0 Votes
    2 Posts
    906 Views
    D

    Disable the broken rule. And while at it, disable 1:2015526, same idiocy.

  • Snort with OpenVPN Client uses 100% CPU

    3
    0 Votes
    3 Posts
    2k Views
    bmeeksB

    Using the ADVANCED PASS-THROUGH option would be the mechanism for using that config directive.  You will find that on the INTERFACE SETTINGS tab for the specific interface.

    Bill

  • Suricata randomly stops scanning interface

    4
    0 Votes
    4 Posts
    1k Views
    bmeeksB

    Swapping cables would be one thing to try.  It is possible that the libpcap library and the USB NIC don't play well together.

    Bill

  • BLACKLIST DNS rules question

    4
    0 Votes
    4 Posts
    1k Views
    D

    Well, the way to mass-disable rules is called SIG Mgmt.

  • Suricata Alerts

    2
    0 Votes
    2 Posts
    6k Views
    D

    Someone's pinging you… Some rule categories are just a horrible idea to enable; icmp_info is definitely among them.

  • Snort Package Update - 2.9.7.3 pkg v3.2.6

    5
    0 Votes
    5 Posts
    2k Views
    F

    Okey dokey, thanks for the clarification :)

  • SNORT blocks whitelisted IPs

    1
    0 Votes
    1 Posts
    703 Views
    No one has replied

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.