• snort 3.2.9.11 barnyard 2 - hog cpu when database down

    0 Votes
    3 Posts
    341 Views

    Yes I know, but I was so happy to see barnyard2 working with the database (it had a problem with the schema and it was too hard for me to fix, but an ipk update solved that recently in the last pfSense ;) .. so I can enjoy stats for Snort in "snorby" (another end-of-life product...).

    I looked for other programs to replace it, but they need a large amount of RAM ... Telegraf to Elasticsearch / Grafana / Kibana ... I must use another computer just for that (maybe a Raspberry, I don't know ... something with low energy consumption).

    So I'm stuck with my old monitoring tools for now ;) until you remove barnyard from pfSense.

    Anyway, thanks for your answer bmeeks! Have a nice day!

  • Suricata 5.0.2_2 update breaks routing

    0 Votes
    7 Posts
    635 Views

    Thanks for the update. Live rule swap is already on. I do have pfBlocker and Suricata so that might very well be it.

  • Snort on Pfsense 2.4.4

    0 Votes
    5 Posts
    605 Views

    @bmeeks Thank you very much, I will take off some lists and check what happens.

  • Suricata - Don't record local traffic

    0 Votes
    5 Posts
    611 Views

    Got you.
    Thanks!

  • 0 Votes
    36 Posts
    5k Views
    bmeeks

    @cpom1 said in Snort fills up disk with logs, Dashboard goes bye bye, interfaces lose their minds:

    Just wanted to report that it looks like things are working now. Thanks for the help!

    Great! Turns out there was an issue in the log purging code after all. I had just not ever hit it because my logging "rate" is low and my system was not generating as many logs. Also, I do not run OpenAppID and thus my personal system was not generating any of those logs at all.

    Thanks for reporting the issue.

  • Snort is showing IPs that I don't own

    0 Votes
    7 Posts
    744 Views
    NogBadTheBad

    Are these guys your ISP?

    AS details for 80.24.39.249 :-

    route: 80.24.0.0/16
    descr: RIMA (Red IP Multi Acceso)
    origin: AS3352
    mnt-by: MAINT-AS3352
    created: 2005-07-21T12:32:14Z
    last-modified: 2009-08-19T06:59:24Z
    source: RIPE
    remarks: ****************************
    remarks: * THIS OBJECT IS MODIFIED
    remarks: * Please note that all data that is generally regarded as personal
    remarks: * data has been removed from this object.
    remarks: * To view the original object, please query the RIPE Database at:
    remarks: * http://www.ripe.net/whois
    remarks: ****************************

    Monday, 27 April 2020 at 15:26:06 British Summer Time

  • Suricata won't start after updating pfSense to 2.4.5-RELEASE

    0 Votes
    15 Posts
    1k Views
    bmeeks

    @genuine said in Suricata won't start after updating pfSense to 2.4.5-RELEASE:

    Sorry for the short explanation.
    Well, after upgrading to pfSense 2.4.5 it also upgraded Suricata, which was not starting anymore.
    So I did a clean uninstall, removed the settings as well, and did a reinstall.
    It was not starting; I was looking in the log and there was a package missing, I think it was libluajit, I'm not sure.
    So I installed the lib and Suricata was starting up, configured in inline mode.
    The error appears with drops and rejects.
    For the firewall it is configured as normal, nothing exotic, also not in bridge mode; everything was working before the upgrade without problems.
    If I have a hodge-podge of library versions, how can I check and fix this?

    You very likely have a mixture of FreeBSD 11.2 and FreeBSD 11.3 libraries as a result of how you updated. That missing libluajit package is one example. I suspect your libdnet package might also be the wrong version and hence you are getting your current Suricata error. From your symptoms, I'm going to guess you were on pfSense 2.4.4 and saw an update for Suricata posted. But that Suricata update was for the 2.4.5 version of pfSense and has new shared library versions/dependencies that can only be satisfied when pfSense-2.4.5 is already installed. You installed the new Suricata onto a pfSense-2.4.4 system and it would not start (that missing libluajit package is a classic symptom of this upgrade path). So then you updated to pfSense-2.4.5, but that still will not properly update all of the dependent libraries that third-party packages might use. So now you are experiencing weird errors because of the library problems.

    I would recommend you do this. You should reinstall pfSense itself from a clean install and then put your packages back. That will guarantee that you get the correct versions of all the supporting libraries.

    If you don't want to perform a complete reinstall of pfSense, then try this series of commands to refresh the pkg database.

    pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade

    The commands above came from this link in the pfSense documentation: https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html.

    And next time you see a pfSense version upgrade notice on the Dashboard, DO NOT update any packages until AFTER you have upgraded pfSense to the new version!

  • How do I disable snort2c firewall blocks

    0 Votes
    10 Posts
    10k Views
    bmeeks

    @everfree said in How do I disable snort2c firewall blocks:

    @bmeeks ☺ I updated to 2.5.0-Dev. I think if snort2c functions similarly to pfBlockerNG suppression, that is good. 😁

    Yes, both packages use the pfctl utility to interact with pf tables. And the pfctl utility is showcasing some sort of issue that is present in FreeBSD 11.3/STABLE. The pfSense team is looking into it.

  • Snort Package v4.1 - Release Notes (for pfSense-2.5 DEVEL)

    0 Votes
    1 Posts
    155 Views
    No one has replied
  • Snort Package v3.2.9.11 - Release Notes (for pfSense-2.4.5 RELEASE)

    0 Votes
    1 Posts
    139 Views
    No one has replied
  • Snort 3 on Pfsense using snortrules-snapshot-29120

    0 Votes
    3 Posts
    633 Views
  • Suricata inline and limiters

    0 Votes
    3 Posts
    435 Views

    @bmeeks Thanks Bill. A better cable modem will reduce my buffer bloat issue ;)

    Be well!

  • Managing stream5: TCP session without 3-way handshake Events

    0 Votes
    2 Posts
    823 Views
    bmeeks

    Are you running the Snort package on pfSense? If so, you should never edit the snort.conf file directly because it is overwritten each time Snort is stopped and restarted in the GUI. There is an option checkbox within the package GUI on pfSense for enabling that require_3whs parameter on specific host targets.

    From the screenshot you posted, and the fact you mention editing the snort.conf file directly, it appears you are not using the pfSense Snort package.

    If you are not running on the pfSense firewall distro, please note this forum is only for support of the Snort and Suricata packages available for pfSense. Apparently Google or some search engine has been sending a few folks here of late that are actually running an IDS/IPS on some other platforms such as Linux.

    The feature you mentioned, "require_3whs", is a target-based option within the Stream5 configuration. The official Snort binary manual that describes this is here: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html.

  • ET Pro Telemetry Edition for pfSense?

    0 Votes
    3 Posts
    1k Views

    OK, thanks. I guess I'll stick with my personal Snort license for $30/year.

  • Suricata & Iptables on Debian 9

    0 Votes
    4 Posts
    575 Views
    nurchalizaaa

    @bmeeks thank you, I misunderstood and thought this forum was a forum for Suricata users.
    Now the problem is solved.

  • 0 Votes
    3 Posts
    884 Views

    I highly recommend the Snort personal subscription as it's only US$30/year. However, I would also be wary of turning on too many rules at once, as it can make a noticeable hit to your throughput speed as well as increase resource usage on your pfSense system.

  • Suppression list for Webservers - Snort

    0 Votes
    3 Posts
    927 Views

    Thanks mate

  • 0 Votes
    3 Posts
    414 Views
    bmeeks

    Your human brain has to research the alerts, look at the underlying rules and their logic, examine your network topology and client make-up (types of OS, for example) and then use your noodle to figure out if a given alert is likely a false positive. As user @jdeloach stated, Google will be your friend in this endeavor.

    How do you think the system is going to figure out and flag a false positive for you? If it was smart enough to do that, it would be smart enough to not false positive in the first place ... ☺.

  • Suricata core dumping after 2.4.5 upgrade

    0 Votes
    27 Posts
    2k Views

    @bmeeks
    That all makes sense. I missed the entries in the system log:
    Apr 9 15:31:09 pfSense kernel: pid 51904 (suricata), jid 0, uid 0: exited on signal 4 (core dumped)

    Seeing "Illegal Instruction" printed to the terminal is what led me to this thread. In the end my SG-100 is back up and running and the problem has been identified. I will keep an eye out for a Suricata update. Thank you for the support.

    *** UPDATE ***
    For anyone that stumbles upon this thread, the issue has been corrected with pfSense 2.4.5-p1 released June 9, 2020. See the release notes: https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-p1-new-features-and-changes.html

    Great work!

  • Suricata doesn't work the rules

    0 Votes
    3 Posts
    422 Views

    Ok. Thanks man ;)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.