• Crash Report

    0 Votes
    2 Posts
    279 Views
    bmeeks

    Whatever log file you are trying to open and view has now grown too large. There is a finite system limit on RAM that is allocated to a PHP process. I believe that limit is currently 512 MB.

    You will need to view that log using a tool outside of the Suricata GUI so that PHP is bypassed.

    You also need to verify that automatic log management is enabled on the LOGS MGMT tab and that you have not configured any large log filesize limits.

  • How to reset Number of blocked entries to view setting of suricata

    0 Votes
    3 Posts
    394 Views
  • Port Alias for Suricata variables

    0 Votes
    3 Posts
    539 Views
    bmeeks

    I doubt negation is what you want. That means every other port EXCEPT 1521 would be considered an Oracle Port. Negation literally means "not 1521, so it is an Oracle Port". Usually that broad of a range is not desired.

    In your case, create a pfSense firewall alias containing the needed port or ports, and assign it to the ORACLE_PORTS variable on the VARS tab.

  • Snort security issue bug within TCP/UDP scan detection blocking tool

  • Snort Crash when using Max-Detect

    0 Votes
    4 Posts
    547 Views
    bmeeks

    Did you have any other Rule Categories selected on the CATEGORIES tab when you chose the IPS Policy?

    The logic on that tab allows you to also choose any other rules archives you have enabled, such as Emerging Threats. I think it will also allow you to select OpenAppID rules. When you choose an IPS Policy, only the additional Snort VRT rule categories are grayed-out.

    I can test again in the event the number of published Snort rules has grown considerably, but I believe it will successfully load up the Max Detect policy rules so long as no other categories are enabled at the same time. It could be the combination of the policy selected rules added to say Emerging Threats rules that pushes it over the limit.

    By the way, there is a Feature Request that has just been merged into the 2.8 CE snapshots branch (and Plus 23.09) to allow user selection of the PHP process memory limit. That Redmine request is here: https://redmine.pfsense.org/issues/13377. It will allow the admin to override the default PHP memory limit and increase it up to the limit of free RAM.

    Just to be sure you understand, Snort IPS Policies are created and published by the Snort developer team. They work by using special embedded metadata in the Snort VRT rules that assigns a given rule to one or more IPS policies. This metadata is not present in Emerging Threats nor any other rules package. The PHP code reads this metadata tag from Snort VRT rules and uses it to "pick" the rules to automatically enable for a chosen policy. Because the chosen IPS Policy is what selects the rules to enable, the Snort VRT rule categories are automatically grayed-out when a policy is selected.

  • various snort process

    0 Votes
    3 Posts
    385 Views
    L

    @bmeeks thanks for pointing me in the right direction!

  • 0 Votes
    9 Posts
    880 Views
    NogBadTheBad

    @Bob-Dig It was an example of how it could have been done.

  • Crash report details: PHP Errors

    Moved
    0 Votes
    3 Posts
    382 Views
    bmeeks

    Something is wrong with the alerts.log file for that interface. There should never be a NULL value in that file. It is impossible to have an alert line generated in that file without a corresponding timestamp entry for that alert. The file has gotten corrupted.

    You will need to delete that corrupt file. A reinstall will not fix the issue unless you check the option to remove all logs when uninstalling/reinstalling.

  • newbie question - snort rule not applying ?

    0 Votes
    8 Posts
    514 Views
    B

    Hi @bmeeks !!

    Thank you for the comment, I have a better understanding on how snort works on pfSense.

    I was able to review my traffic a bit, and I have my stuff working perfectly now :)

    Thanks for all your replies 👍

  • Information to block teamviewer, logmein or Anydesk on pfsense snort

    0 Votes
    1 Posts
    2k Views
    No one has replied
  • Snort "WEBROOT DIRECTORY TRAVERSAL" from my network

    0 Votes
    5 Posts
    644 Views
    M

    @bmeeks
    Thanks for the tips,
    I disabled the Wan Snort interface and added a suppress by src for that preprocessor rule. I appreciate your help.

  • 0 Votes
    3 Posts
    334 Views
    S

    @bmeeks I think that worked. Thanks much

  • Snort Service Stops After Each Update

    0 Votes
    3 Posts
    367 Views
    DefenderLLC

    @bmeeks Hey, thanks for responding! As far as the rules go, both interfaces are the exact opposite. On the LAN side, I only have the "Snort OPENAPPID Rules" enabled with no blocking. The WAN side has pretty much all of the other rulesets enabled for IPS. So no common rules between them. I will start looking on the log you suggested. I will probably switch back to Suricata with all of the other discussions you've had on Snort's short lifespan on 2.9, but I really do like seeing the L7 traffic coming out of my UDM-SE. Thanks again.

    EDIT: It's strange that the LAN rules in question haven't even been updated since this started happening. Also, it starts right back up when I start it again manually. I will dig through the system log when I get back in town. Thanks.

  • PassList understanding

    0 Votes
    2 Posts
    311 Views
    M

    I got it all sorted out. Had to restart the interface three times, but now no inter-VLAN traffic will be blocked. I tested this by running an nmap scan between networks not in the PassList.

    Setting it to 'none' is the best option per the maintainer's notes, but I just need a bit of flexibility.

  • Netmap (Suricata) cause crash

    0 Votes
    6 Posts
    1k Views
    bmeeks

    @giyahban said in Netmap (Suricata) cause crash:

    didn't know it's not recommended to have a VLAN with inline mode.

    Inline IPS Mode has some limitations. The biggest is that VLANs and other virtual interfaces are not currently well supported. Things like a Bridge or LAGG setup will not work well. VLANs are especially problematic. There is some work happening within FreeBSD's netmap code to make things better, but none of those experimental updates are present in the pfSense kernel yet.

    If you want to use Inline IPS Mode, you should only deploy it on plain-vanilla Ethernet interfaces (meaning no VLANs defined and not a member of a LAGG or Bridge). You may get by with running Suricata on the physical parent interface only and NOT on each defined VLAN interface.

  • Passlists/Home_net and inline mode

    0 Votes
    1 Posts
    199 Views
    No one has replied
  • Snort GPLv2 Community Rules update failed?

    0 Votes
    6 Posts
    758 Views
    B

    Thank you everyone

  • [Solved] Snort GPLv2 Community Rules - Unable to download checksum file

    0 Votes
    41 Posts
    9k Views
    DefenderLLC

    The community rules are back: https://www.snort.org/downloads#rules

  • Suricata Inline IPS breaks VLAN interfaces

    0 Votes
    3 Posts
    451 Views
    A

    @bmeeks Thank you. Yes, I did actually try attaching Suricata to the parent, but it still caused problems. I'll have a play with legacy mode and see how that works.

    Thank you.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.