  • J
    @bmeeks Reinstalled Snort 3.2.9.14.1 with no issues. Thanks Bill for the quick fix to the package.
  • bmeeksB
    Some of the things the Smart TV and IoT vendors are doing today with networking is just plain weird! I wonder sometimes if their software developers really and truly understand networking ???
  • Suricata-5.0.3 Package Update -- Release Notes (pfSense-2.5 DEVEL)
    bmeeksB
    @kiokoman said in Suricata-5.0.3 Package Update -- Release Notes (pfSense-2.5 DEVEL): it will also be added to the README of the plugin https://github.com/influxdata/telegraf/issues/7843
  • Snort borked again! Barnyard2!
    bmeeksB
    @wolfsden3 said in Snort borked again! Barnyard2!: @bmeeks said in Snort borked again! Barnyard2!: mysql57-client-5.7.30_1 I mended it! LOL
    pkg install -f mysql57-client-5.7.30_1
    Updating pfSense-core repository catalogue...
    pfSense-core repository is up to date.
    Updating pfSense repository catalogue...
    pfSense repository is up to date.
    All repositories are up to date.
    Checking integrity... done (0 conflicting)
    The following 1 package(s) will be affected (of 0 checked):
    Installed packages to be REINSTALLED:
    mysql57-client-5.7.30_1 [pfSense]
    Number of packages to be reinstalled: 1
    Proceed with this action? [y/N]: y
    [1/1] Reinstalling mysql57-client-5.7.30_1...
    [1/1] Extracting mysql57-client-5.7.30_1: 100%
    I just reinstalled the client and got lucky. It fired right up after doing that. Hope this helps someone else too!
    Glad that fixed it for you, but as you said -- "you got lucky". Your system is broken someplace or it would not have thrown that error. You may continue to have difficulties with package updates in the future if your pkg database is somehow corrupt.
  • exclude (disable) ET DNS Query...
    bmeeksB
    @jpgpi250 said in exclude (disable) ET DNS Query...: @bmeeks Thank you for your time, effort and very extensive answer. For some reason, step 2 (RULES tab) appears to be unnecessary; after I executed step one, I checked the RULES tab entries, and they were already marked as 'user disabled'. The script that runs overnight and caused the alerts no longer caused any alerts, so the method explained above has been successfully implemented. Thanks again. I think you misunderstood my reply. I was showing you that there are three different ways to accomplish disabling that rule. Any single one of the three is all you need to do.
  • suricata fail to launch after update
    bmeeksB
    @pet1975 said in suricata fail to launch after update: I just PM'd you regarding an email :-)
    Imported your configuration into my test virtual machine and then installed the Suricata package. It failed to complete installation with the current package version posted in the pfSense packages repository (Suricata v5.0.2_3). It failed the same as it has with you previously. Nothing shows under the SERVICES menu for Suricata after the package installation. However, installing the latest Suricata package version that I am currently testing was successful. That package version is 5.0.3, and it will be available soon for the pfSense-2.5 DEVEL branch and then a bit later for the pfSense-2.4.5 RELEASE branch.
    Even better news is I found what the root problem is, and it is what I had suspected. If you have the option on the GLOBAL SETTINGS tab checked to enable download of the GeoLite2 database, but your MaxMind database license key is invalid, that download will fail. The current PHP script, when detecting that failure, performs an exit() call instead of a return() call. Calling exit() in PHP terminates the currently running script. That in turn prematurely terminates the Suricata package installation PHP script, so that the remainder of the installation (putting the entry under the SERVICES menu) fails to complete. Here is the error from the system log -- (I changed the order to show the recent event first, so read the entries from the bottom up for the chronological sequence)
    Jul 11 11:37:55 php 92290 [Suricata] ERROR: GeoLite2-Country IP database update check failed. The GeoIP database was not updated!
    Jul 11 11:37:55 php 92290 [Suricata] ALERT: The Account ID or License Key for MaxMind GeoLite2 is invalid.
    Jul 11 11:37:54 php 92290 [Suricata] Checking for updated MaxMind GeoLite2 IP database file...
    So the root cause of your issue is that your MaxMind GeoLite2 database download license key is invalid. If you fix this, then your Suricata installation will complete even with the current version. To fix this, go to this URL: https://myfirewall_ip/suricata/suricata_global.php. Replace "myfirewall_ip" with the correct value. Once on the tab, scroll down to this area -- [image: 1594482685703-suricata_geolite2_settings.png] If you do not want to use GeoIP rules with Suricata, then uncheck the box for GeoLite2 DB Update. If you do want to use GeoIP rules, then you will need to enter a valid license key. The current key you will see listed is not valid. In the screenshot above, I deliberately obfuscated your key for privacy. Save the changes you make on this screen and then run the remove and reinstall Suricata sequence again. It should complete successfully and show up under the SERVICES menu. In the upcoming 5.0.3 Suricata version I have changed the GeoLite2 database install code so that a failure to download the database does not terminate the rest of the installation script.
  • Important Notice for Suricata Package Users!
  • bmeeksB
    @Cool_Corona said in Bring pfsense/suricata to its knees and eventually die?? No reboot options/recovery available?: @bmeeks How to make the system aware of loader.conf.local?? AFAIK it's using loader.conf and there is no such file in the folder?? Do I need to create and point loader.conf.local somewhere? I see @DaddyGo has already provided an answer, but I will add to it. It is common practice on many Unix-type distros to use a *.local version of a configuration file. The OS will look for such a file, and if it sees it in the same place as the system version of that file (for example, in /boot/), then it will append the contents of the *.local file onto the content in the parent file (the one without ".local" on the end). The purpose of *.local files is to allow user customizations to be added that survive operating system upgrades. During an upgrade, the regular loader.conf file will get overwritten by a new version. But a loader.conf.local file will not get overwritten. It is up to the user to create the *.local file when such a feature is needed.
  • ETPro and ET Intelligence download servers will be migrating to AWS
    bmeeksB
    Snort and Suricata both use the rules.emergingthreats.net and rules.emergingthreatspro.com URLs for downloading ET rules, so there should be no impact. They are not using any hard-coded IP addresses. However, users running other packages with large IP blocklists (in particular pfBlockerNG or pfBlockerNG-devel) will need to scour the IP lists being used by that package to be sure the AWS infrastructure IP ranges that get assigned to Emerging Threats are not on a block list. Some of those lists can be overly broad at times and block legitimate traffic.
  • Cool_CoronaC
    I was a little too hasty. Errors coming again... Despite changing the dev.netmap.buf_size="16384", output of sysctl -a | grep netmap still looks the same and no change to any values. It's like it's hardcoded and can't be changed??
    device netmap
    dev.netmap.ixl_rx_miss_bufs: 0
    dev.netmap.ixl_rx_miss: 0
    dev.netmap.iflib_rx_miss_bufs: 0
    dev.netmap.iflib_rx_miss: 0
    dev.netmap.iflib_crcstrip: 1
    dev.netmap.bridge_batch: 1024
    dev.netmap.default_pipes: 0
    dev.netmap.priv_buf_num: 4098
    dev.netmap.priv_buf_size: 2048
    dev.netmap.buf_curr_num: 163840
    dev.netmap.buf_num: 163840
    dev.netmap.buf_curr_size: 2048
    dev.netmap.buf_size: 2048
    dev.netmap.priv_ring_num: 4
    dev.netmap.priv_ring_size: 20480
    dev.netmap.ring_curr_num: 200
    dev.netmap.ring_num: 200
    dev.netmap.ring_curr_size: 36864
    dev.netmap.ring_size: 36864
    dev.netmap.priv_if_num: 2
    dev.netmap.priv_if_size: 1024
    dev.netmap.if_curr_num: 100
    dev.netmap.if_num: 100
    dev.netmap.if_curr_size: 1024
    dev.netmap.if_size: 1024
    dev.netmap.ptnet_vnet_hdr: 1
    dev.netmap.generic_rings: 1
    dev.netmap.generic_ringsize: 1024
    dev.netmap.generic_mit: 100000
    dev.netmap.generic_hwcsum: 0
    dev.netmap.admode: 0
    dev.netmap.fwd: 0
    dev.netmap.txsync_retry: 2
    dev.netmap.mitigate: 1
    dev.netmap.no_pendintr: 1
    dev.netmap.no_timestamp: 0
    dev.netmap.verbose: 0
    dev.netmap.ix_rx_miss_bufs: 0
    dev.netmap.ix_rx_miss: 0
    dev.netmap.ix_crcstrip: 0
  • Suricata weird src/dst IP addresses
    malf0rmedZM
    Thanks @bmeeks Yes I am seeing many of those IKE alerts consistently, including from my son's iPhone :( ! Thank you for the explanation around CNAT, had no idea. None of the IPs in the snippet above contain my WAN IP. Makes total sense re the noise caught when Suricata is applied to the WAN interface, clearly shows my ISP isn't doing a terribly clean job, but hey they're cheap so I can't complain :)
  • Using Telegraf to ship Snort or Suricata logs
    Tags: snort suricata telegraf influxdb
    bmeeksB
    The next update to the Suricata 5.x package on pfSense will contain a new option for configuring Suricata to export performance stats over a Unix socket to Telegraf. It will support the input.suricata plugin. Suricata can produce EVE JSON logs, and that data can be either written to a conventional text file or it can be made available to a Unix socket. So if someone produces a log data parser for EVE JSON, then Suricata can easily be adapted to feed data over the Unix socket. I am not familiar with Telegraf since I've never used it. So I don't know what it is capable of in terms of digesting Suricata's EVE JSON logs. The new feature I mentioned came from a Redmine Feature Request submitted a while back. And that request was specifically for Suricata performance stats (things like packets processed, packets dropped due to load, etc.).
  • Suricata Menu Missing Help!
    Tags: suricata menu
    C
    @bmeeks said in Suricata Menu Missing Help!: downloaded during the install process, but ONLY if that option was enabled on the GLOBAL SETTINGS tab and there is a non-null value in the MaxMin Did everything you recommended and reinstalled Suricata and what do you know, it appeared on the menu. Jeez, seems like some sort of bug that needs fixing so a noob doesn't have to spend a while trying to fix it. I also upped the tcp memcap, but damn, I have it all the way up to 299108864 and it finally started error free. The box only has 128mb of memory. After going through all that, for some reason I have my box configured as a Raid 5 box with 4 - 4tb drives in it and I'm only seeing 1.9T free on the box, seems a little low for 8tb installed. I know the overhead with a Raid 5 system, but does freebsd utilize a lot more than I am aware of? I know I might never use all the space in it, just how the box came configured, and it was cheaper than any appliance out there since I bought it used, but I would think I should see a little more than 1.9TB out of the drive system, and everything is mounted on /. I just did the recommended install when I set the box up; maybe I'll just leave it be since it seems to be running great now. Now to dive into snort configuration since I have signed up for a free key just to start, and configuring all my VLANs etc.. Me being a checkpoint firewall guy, this seems just as robust as checkpoint ever did and can't beat the price.. Thanks a ton for your help, everything worked out great. Chris
  • Suricata does not start?
    bmeeksB
    @kvamsi-k143 said in Suricata does not start?: @bmeeks Thanks for your time in helping me on this. There are two issues on my pfSense box. 1) ET not updating and 2) Suricata services not running on the interfaces. BTW, I did update pfSense before Suricata; I am aware of the catch. I did check the other thread while investigating. That is when I found the issue with "libluajit-5.1.so.2" not found, required by "suricata". Following your suggestion, I took time to flash the pfSense from scratch after taking a backup of the config. Thanks to the documentation, all was up and running in just a couple of hours, including installation of all packages. I am overwhelmed with your response. Kudos to you..!! Owe one for you mate...!!! Glad you got it sorted out. Something was definitely out of whack with the shared libraries, and that was preventing the start of Suricata. Don't really see how that would have impacted the failure to download the ET Open rules, though.
  • bmeeksB
    @slu said in pfSense-pkg-snort from 3.2.9.11 to 3.2.9.12. | Unable to open the IIS Unicode Map file: Last update (pfSense-pkg-snort from 3.2.9.12 to 3.2.9.13.) was with no issue, thank you very much. Good news! Thank you for the feedback.
  • Snort Update Changelog
    fireodoF
    @bmeeks said in Snort Update Changelog: The latest update was made by a member of the pfSense developer team to tweak the way VPN addresses are pulled into automatic Pass Lists. I will post up a note. Big THANX!
  • Suricata v5.0.2_3 Package Update - Release Notes
  • Snort Package v3.2.9.13 - Release Notes
  • IPv6 Alerts all of a sudden in Suricata
    bmeeksB
    If you don't want to see the alert, then disable that rule. Click the red X under the GID:SID column and that rule will be disabled. If you want to figure out why the alerts suddenly started showing up, then you need to examine any changes to your network environment such as a new device being added or someone downloading and installing a new or updated piece of software. As the alert message states, this alert is coming from multicast traffic from some device on your network.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.