@coyote1abe said in Need to know if I am being spoofed or hacked:
@bmeeks
Thanks for your response. I do worry because as soon as the file was requested there was this notification: "spo_pf -> Firewall interface IP address change notification monitoring thread started." Why would the system behave like this? What change is going on? Really appreciate your help.
Those messages are completely normal. Snort automatically loads all the firewall interface IPs into a default in-memory Pass List. So that is what you see being loaded there. Those will be the interface IP addresses (IPv4, IPv6 and loopback) defined on your firewall. <spo_pf> is the name of the custom blocking module I wrote for Snort on pfSense.
A thread is started by that module to monitor the firewall interface IPs in case one changes. Realistically, the only one that usually changes is the WAN IP, but it monitors them all just in case.