Yes i know, but i was so happy to see barnyard2 working with the database (it has problem with schema and it was too hard for me to fix, but an ipk update solve that recently in the last pfsense ;) .. so i can enjoy stats for snort in "snorby" (another end of life product...).

I look for other program to replace but they need a large amount of ram ... telegraf to elastic search / grafana / kibana ... i must use another computer just for that (maybe a raspberry i don't know ... something with few energy consomption).

so im stuck with my olds monitoring tools for now ;) until you remove barnyard from pfsense.

anyways thanks for your answer bmeeks ! have nice day !

Thanks for the update. Live rule swap is already on. I do have pfBlocker and Suricata so that might very well be it.

@bmeeks Thank you very much, i will take off some lists and check what happens

Got you.
Thanks!

@cpom1 said in Snort fills up disk with logs, Dashboard goes bye bye, interfaces lose their minds:

Just wanted to report that it looks like things are working now. Thanks for the help!

Great! Turns out there was an issue in the log purging code after all. I had just not ever hit it because my logging "rate" is low and my system was not generating as many logs. Also, I do not run OpenAppID and thus my personal system was not generating any of those logs at all.

Thanks for reporting the issue.

Are these guys your ISP ?

AS details for 80.24.39.249 :-

route: 80.24.0.0/16
descr: RIMA (Red IP Multi Acceso)
origin: AS3352
mnt-by: MAINT-AS3352
created: 2005-07-21T12:32:14Z
last-modified: 2009-08-19T06:59:24Z
source: RIPE
remarks: ****************************
remarks: * THIS OBJECT IS MODIFIED
remarks: * Please note that all data that is generally regarded as personal
remarks: * data has been removed from this object.
remarks: * To view the original object, please query the RIPE Database at:
remarks: * http://www.ripe.net/whois
remarks: ****************************

Monday, 27 April 2020 at 15:26:06 British Summer Time

@genuine said in Suricata wont Start after updating pfSense to 2.4.5-RELEASE:

sorry for the short explication
well after upgrading pfsense 2.4.5 he did also upgraded suricata with was not starting anymore.
so I did a clean uninstall and removed also the settings and did a reinstall
it was not starting I was looking in the log and there was a packet missing I think it was libluajit I'm not sure
so I installed the lib and suricata was starting up configured as inline mode
the error appear with drops and rejects
for the firewall it is configured as normal nothing exotic also not in bridge mode everything was working before the upgrade
without problems.
if i have a hodge-podge of library versions how can i check and fixed this

You very likely have a mixture of FreeBSD 11.2 and FreeBSD 11.3 libraries as a result of how you updated. That missing libjuit package is one example. I suspect your libdnet package might also be the wrong version and hence you are getting your current Suricata error. From your symptoms, I'm going to guess you were on pfSense 2.4.4 and saw an update for Suricata posted. But that Suricata update was for the 2.4.5 version of pfSense and has new shared library versions/dependencies that can only be satisfied when pfSense-2.4.5 is already installed. You installed the new Suricata onto a pfSense-2.4.4 system and it would not start (that missing libjuit package is a classic symptom of this upgrade path). So then you updated to pfSense-2.4.5, but that still will not properly update all of the dependent libraries that third-party packages might use. So now you are experiencing weird errors because of the library problems.

I would recommend you do this. You should reinstall pfSense itself from a clean install and then put your packages back. That will guarantee that you get the correct versions of all the supporting libraries.

If you don't want to perform a complete reinstall of pfSense, then try this series of commands to refresh the pkg database.

pkg-static clean -ay; pkg-static install -fy pkg pfSense-repo pfSense-upgrade

The commands above came from this link in the pfSense documentation: https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html.

And next time you see a pfSense version upgrade notice on the Dashboard, DO NOT update any packages until AFTER you have upgraded pfSense to the new version!

@everfree said in How do I disable snort2c firewall blocks:

@bmeeks ☺ I update to 2.5.0 - Dev, I think If snort2c functions similar to pfblocker NG suppression, that is good. 😁

Yes, both packages use the pfctl utility to interact with pf tables. And the pfctl utility is showcasing some sort of issue that is present in FreeBSD 11.3/STABLE. The pfSense team is looking into it.

@bmeeks said in Snort 3 on Pfsense using snortrules-snapshot-29120:

you

Many thanks.. got it

@bmeeks Thanks Bill. A better cable modem will reduce my buffer bloat issue ;)

Be well!

Are you running the Snort package on pfSense? If so, you should never edit the snort.conf file directly because it is overwritten each time Snort is stopped and restarted in the GUI. There is an option checkbox within the package GUI on pfSense for enabling that require_3whs parameter on specific host targets.

From the screenshot you posted. and the fact your mention editing the snort.conf file directly, it appears like you are not using the pfSense Snort package.

If you are not running on the pfSense firewall distro, please note this forum is only for support of the Snort and Suricata packages available for pfSense. Apparently Google or some search engine has been sending a few folks here of late that are actually running an IDS/IPS on some other platforms such as Linux.

The feature you mentioned, "require_3whs", is a target-based option within the Stream5 configuration. The official Snort binary manual that describes this is here: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html.

OK, thanks. I'll guess I'll stick with my personal Snort license for $30/year.

@bmeeks thank you, I misunderstood and thought this forum was a forum for Suricata users.
Now the problem solved.

I highly recommend a personal subscription to the Snort personal subscription as they're only US$30/year. However, I would also be wary of turning on too many rules at once as it can make a noticeable hit to your throughput speed as well as increased resource usage on your pfSense system.

Thanks mate

Your human brain has to research the alerts, look at the underlying rules and their logic, examine your network topology and client make-up (types of OS, for example) and then use your noodle to figure out if a given alert is likely a false positive. As user @jdeloach stated, Google will be your friend in this endeavor.

How do you think the system is going to figure out and flag a false positive for you? If it was smart enough to do that, it would be smart enough to not false positive in the first place ... ☺.

@bmeeks
That all makes sense. I missed the entries in the system log:
Apr 9 15:31:09 pfSense kernel: pid 51904 (suricata), jid 0, uid 0: exited on signal 4 (core dumped)

Seeing "Illegal Instruction" printed to the terminal is what led me to this thread. In the end my SG-100 is back up and running and the problem has been identified. I will keep an eye out for a Suricata update. Thank you for the support.

*** UPDATE ***
For anyone that stumbles upon this thread, the issue has been corrected with pfSense 2.4.5-p1 released June 9, 2020. See the release notes: https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-p1-new-features-and-changes.html

Great work!

Ok. Thanks man ;)