@bmeeks thank you! I’m embarrassed. That’s hilarious. I really appreciate it!

@bmeeks Thank you so much. That worked perfectly. I saw it failing but falsely assumed that the install would continue, especially when the package screen said it was successful.

Thanks again!

Thanks bmeeks!
This is amazing and super helpful. Great details and examples for this greenhorn. I am grateful for your time and help!

My suggestion is to first subscribe to the Snort Subcriber Rules. They are free for registered users. For free you get new rules only when they are 30 days old or more. For $29.99 USD per year you get access to new rules the instant they are published.

Once the rules are enabled for download, go to the CATEGORIES tab and check the box to use an IPS Policy and choose "Connectivity" in the drop-down. That is an excellent starter set of rules that are not likely to false positive in most networks.

Do not enable blocking yet. Run in alert-only mode (just IDS mode) for several weeks and note the alerts you see on the interface. For 99% of users, you should configure Snort on your LAN interface only.

It is likely you will get a lot of false positive alerts from several of the HTTP_INSPECT preprocessor rules. Search a thread on the forums here with "Snort Master Suppress" in the title and you will find lots of suggestions from other users on which rules are prone to false positives and should usually be disabled or suppressed.

Edit: here is that thread: https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf.

I see you tagged onto another thread here: https://forum.netgate.com/topic/151936/suricata-core-dumping-after-2-4-5-upgrade/15. That thread tells you what the problem likely is and what the only short-term solution is.

Hi @jdeloach,

That would be the problem then. Went back to 2.4.4-RELEASE-p3. With the 2.4.5 I've experience very slow boot of pfsense and the DHCP on the WAN interface didn't work anymore.

Do not know if that makes sense tot you?

Greetz,
Herman F.

Thanks, I understand now.
Here is a screen grab of what my installed packages - attached.3.png

Thanks for the help Bill. I appreciate it.

@serbus said in Snort v3.2.9.10_3 Release Notes (for pfSense-2.4.5 installs only):

Hello!

Not sure, but I think the minutes might need to be padded...

$snort_rules_upd_time = "00:" . str_pad(strval(random_int(0,59)), 2, "00", STR_PAD_LEFT);

John

Oops! You may be right. It didn't show up in my quick testing because the random function returned two-digit minutes for me.

No, that feature is not available. You would have to roll-your-own by creating your own custom Suricata output plugin module and compiling it into the Suricata binary.

@bmeeks

I'm not even going to waste my time on realtek, tomorrow I'm ordering the intel PRO/1000 PT 4-port. Think that's a mighty fine investment.

Also, I just upgraded back to 2.4.5 and the suricata package is back to running. I'm glad I at least reported my problem, and mentioned where I found answers. Often times when looking around the web for issues similar to mine I see the thread die with "nevermind I found a fix". Also, thanks for the quick response, @bmeeks

@bmeeks said in Suricata Rule Update - 404 Error:

@ccb056 said in Suricata Rule Update - 404 Error:

Unfortunately its still not working

I think I will try backing up the pfsense config, and re-staging the firewalls

Thanks for your help Bill

The last thing you could try, short of a full reinstall is this: https://docs.netgate.com/pfsense/en/latest/install/upgrade-troubleshooting.html#forced-pkg-reinstall. This worked for some users in another thread having Suricata issues. However, their problem was a failure to start due to missing libraries.

However, as that link states, a full reinstall from media is usually the best solution. What has happened is the update of the packages prior to update of the base OS left things in a confused state for the pkg utility.

Bill - Perfect ! I ran through the forced pkg reinstall and my issue is now resolved.

Thanks again!

@bmeeks Bill, you're AWESOME!

pkg install -f luajit-openresty-2.1.20190912_2

forced re-install of the package solved the issue. apparently the package was registered as installed while in reality it wasn't

[1/1] Reinstalling luajit-openresty-2.1.20190912_2...
[1/1] Extracting luajit-openresty-2.1.20190912_2: 100%
[2.4.5-RELEASE][root@firewall-2.dotOne.nl]/root: suricata -V
This is Suricata version 5.0.2 RELEASE

This is a very interesting case study, and analysis...thank you all for sharing!