  • Snort Package v3.2.9.11 - Release Notes (for pfSense-2.4.5 RELEASE)
    0 Votes, 1 Post, 144 Views
    No one has replied
  • Snort 3 on Pfsense using snortrules-snapshot-29120
    0 Votes, 3 Posts, 660 Views
    @bmeeks said in Snort 3 on Pfsense using snortrules-snapshot-29120: you ... Many thanks, got it.
  • Suricata inline and limiters
    0 Votes, 3 Posts, 462 Views
    @bmeeks Thanks Bill. A better cable modem will reduce my buffer bloat issue ;) Be well!
  • Managing stream5: TCP session without 3-way handshake Events
    0 Votes, 2 Posts, 854 Views
    bmeeks: Are you running the Snort package on pfSense? If so, you should never edit the snort.conf file directly because it is overwritten each time Snort is stopped and restarted in the GUI. There is an option checkbox within the package GUI on pfSense for enabling that require_3whs parameter on specific host targets. From the screenshot you posted, and the fact you mention editing the snort.conf file directly, it appears that you are not using the pfSense Snort package. If you are not running on the pfSense firewall distro, please note this forum is only for support of the Snort and Suricata packages available for pfSense. Apparently Google or some search engine has been sending a few folks here of late that are actually running an IDS/IPS on some other platform such as Linux. The feature you mentioned, "require_3whs", is a target-based option within the Stream5 configuration. The official Snort binary manual that describes this is here: http://manual-snort-org.s3-website-us-east-1.amazonaws.com/node17.html.
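    For readers who do manage a Snort 2.9.x snort.conf by hand (not on the pfSense package, whose GUI regenerates the file), the following added example shows the target-based Stream5 syntax the reply refers to. It is an illustration written for this page, not configuration from the post or the pfSense package; the address ranges, ports and the 180-second value are assumptions.

```conf
# Added illustration (not from the post or the pfSense package) of
# target-based Stream5 TCP policies in a hand-managed snort.conf.
# Address ranges, port list and the 180 s grace period are assumptions.
preprocessor stream5_global: track_tcp yes, track_udp yes, track_icmp no, \
    max_tcp 262144, max_udp 131072

# Default TCP policy: no bind_to, so it applies to every host not matched
# by a more specific stream5_tcp line below. Midstream pickup stays on.
preprocessor stream5_tcp: policy first, use_static_footprint_sizes, \
    ports both 80 443 8080

# Server segment: only track sessions that completed SYN / SYN-ACK / ACK.
# The optional number is a startup grace period in seconds during which
# already-established sessions are still accepted, so connections that
# predate a Snort restart are not dropped from tracking (0-86400).
preprocessor stream5_tcp: bind_to 192.0.2.0/24, policy linux, require_3whs 180

# Workstation segment: reassembly policy matching the client OS, and
# midstream pickup left at its default because long-lived sessions
# (RDP, VPN) are common there.
preprocessor stream5_tcp: bind_to 198.51.100.0/24, policy windows
```

    Two things to check after such an edit: run `snort -T -c snort.conf` to validate the file before a restart, and remember that the first stream5_tcp line without bind_to is the fallback policy, so it should be the least restrictive one.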
  • ET Pro Telemetry Edition for pfSense?
    0 Votes, 3 Posts, 2k Views
    OK, thanks. I guess I'll stick with my personal Snort license for $30/year.
  • Suricata & Iptables on Debian 9
    0 Votes, 4 Posts, 692 Views
    nurchalizaaa: @bmeeks thank you, I misunderstood and thought this forum was a forum for Suricata users. Now the problem is solved.
  • 0 Votes, 3 Posts, 912 Views
    I highly recommend the Snort personal subscription as it's only US$30/year. However, I would also be wary of turning on too many rules at once as it can make a noticeable hit to your throughput speed as well as increased resource usage on your pfSense system.
  • Suppression list for Webservers - Snort
    0 Votes, 3 Posts, 1k Views
    Thanks mate
  • 0 Votes, 3 Posts, 499 Views
    bmeeks: Your human brain has to research the alerts, look at the underlying rules and their logic, examine your network topology and client make-up (types of OS, for example) and then use your noodle to figure out if a given alert is likely a false positive. As user @jdeloach stated, Google will be your friend in this endeavor. How do you think the system is going to figure out and flag a false positive for you? If it was smart enough to do that, it would be smart enough to not false positive in the first place...
  • Suricata core dumping after 2.4.5 upgrade
    0 Votes, 27 Posts, 2k Views
    @bmeeks That all makes sense. I missed the entries in the system log:
    Apr 9 15:31:09 pfSense kernel: pid 51904 (suricata), jid 0, uid 0: exited on signal 4 (core dumped)
    Seeing "Illegal Instruction" printed to the terminal is what led me to this thread. In the end my SG-100 is back up and running and the problem has been identified. I will keep an eye out for a Suricata update. Thank you for the support.
    *** UPDATE *** For anyone that stumbles upon this thread, the issue has been corrected with pfSense 2.4.5-p1 released June 9, 2020. See the release notes: https://docs.netgate.com/pfsense/en/latest/releases/2-4-5-p1-new-features-and-changes.html Great work!
  • Suricata doesn't work the rules
    0 Votes, 3 Posts, 431 Views
    Ok. Thanks man ;)
  • Which device caused the SNORT alert?
    0 Votes, 3 Posts, 416 Views
    @bmeeks thank you! I'm embarrassed. That's hilarious. I really appreciate it!
  • Suricata not showing on menu after update to 5.0.2 or 5.0.2_1
    0 Votes, 4 Posts, 378 Views
    @bmeeks Thank you so much. That worked perfectly. I saw it failing but falsely assumed that the install would continue, especially when the package screen said it was successful. Thanks again!
  • Best practices for IDS / IPS?
    0 Votes, 5 Posts, 2k Views
    Thanks bmeeks! This is amazing and super helpful. Great details and examples for this greenhorn. I am grateful for your time and help!
  • How do I enable ALL Snort IPS rules in ALL rule categories?
    0 Votes, 4 Posts, 2k Views
    bmeeks: My suggestion is to first subscribe to the Snort Subscriber Rules. They are free for registered users. For free you get new rules only when they are 30 days old or more. For $29.99 USD per year you get access to new rules the instant they are published. Once the rules are enabled for download, go to the CATEGORIES tab and check the box to use an IPS Policy and choose "Connectivity" in the drop-down. That is an excellent starter set of rules that are not likely to false positive in most networks. Do not enable blocking yet. Run in alert-only mode (just IDS mode) for several weeks and note the alerts you see on the interface. For 99% of users, you should configure Snort on your LAN interface only. It is likely you will get a lot of false positive alerts from several of the HTTP_INSPECT preprocessor rules. Search for a thread on the forums here with "Snort Master Suppress" in the title and you will find lots of suggestions from other users on which rules are prone to false positives and should usually be disabled or suppressed. Edit: here is that thread: https://forum.netgate.com/topic/50708/suricata-snort-master-sid-disablesid-conf.
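    The two mechanisms the reply points at, a disablesid.conf-style list of rules to switch off and a suppress list for rules that are legitimate noise from particular hosts, both boil down to matching rules by their gid:sid pair. The following added example (written for this page, not code from the post, the pfSense package or the linked thread) parses a disablesid-style list, comments out the matching rules in a rule file, and emits threshold.conf-style suppress lines. The sample rules, the SIDs in the 1000001+ local range, and the 192.0.2.x address are constructed. On the pfSense package, feed such lists through the package GUI rather than editing the generated files, for the reason given in the stream5 reply above.

```python
"""Disable and suppress Snort rules by gid:sid.

Added example for this page; not code from the post or the pfSense package.
Sample rules, SIDs and addresses below are constructed for illustration.
"""
import re

# The sid/gid options inside a rule body. A rule with no gid option is gid 1.
_SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
_GID_RE = re.compile(r"\bgid\s*:\s*(\d+)\s*;")

# Constructed sample rule file: three text rules (one already commented out)
# and one preprocessor-style rule with an explicit gid, as preprocessor.rules uses.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"SAMPLE web probe"; flow:to_server,established; content:"/probe"; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"SAMPLE noisy outbound"; sid:1000002; rev:2;)
# alert ip any any -> any any (msg:"SAMPLE already disabled"; sid:1000003; rev:1;)
alert ( msg: "SAMPLE preproc style"; sid: 7; gid: 120; rev: 1; metadata: rule-type preproc; )
"""

# Constructed disablesid.conf-style list: gid:sid tokens separated by commas or
# whitespace, '#' starts a comment, and a bare number means gid 1.
SAMPLE_DISABLESID = """\
# constructed disablesid list
1:1000002              # noisy outbound rule
120:7, 1000003         # preproc-style rule, and one that is already off
"""


def parse_disablesid(text):
    """Return the set of (gid, sid) pairs named in a disablesid-style list."""
    disabled = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]          # drop trailing comments
        for tok in re.split(r"[,\s]+", line):
            if not tok:
                continue
            gid, _, sid = tok.partition(":")
            if sid == "":                    # bare sid -> gid 1
                gid, sid = "1", gid
            disabled.add((int(gid), int(sid)))
    return disabled


def rule_key(line):
    """(gid, sid) for a rule line, or None if the line carries no sid option."""
    m = _SID_RE.search(line)
    if m is None:
        return None
    g = _GID_RE.search(line)
    return (int(g.group(1)) if g else 1, int(m.group(1)))


def apply_disablesid(rules_text, disabled):
    """Comment out rules whose (gid, sid) is in `disabled`.

    Returns (new_text, number_of_rules_newly_disabled). Rules that are already
    commented out are left alone and not counted, so the operation is idempotent.
    """
    out, count = [], 0
    for line in rules_text.splitlines():
        key = rule_key(line)
        if key in disabled and not line.lstrip().startswith("#"):
            out.append("# " + line)
            count += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", count


def suppress_entries(keys, track, ips):
    """threshold.conf-style suppress lines, one per (gid, sid) and address.

    Suppression keeps the rule active for everyone else; only alerts whose
    source (by_src) or destination (by_dst) is one of `ips` are dropped.
    """
    if track not in ("by_src", "by_dst"):
        raise ValueError("track must be by_src or by_dst")
    return [f"suppress gen_id {g}, sig_id {s}, track {track}, ip {ip}"
            for g, s in keys for ip in ips]


if __name__ == "__main__":
    disabled = parse_disablesid(SAMPLE_DISABLESID)
    new_rules, n = apply_disablesid(SAMPLE_RULES, disabled)
    print(f"disabled {n} rule(s)")
    print(new_rules)
    # Keep the web-probe rule, but silence it for one constructed web server.
    for line in suppress_entries([(1, 1000001)], "by_dst", ["192.0.2.10"]):
        print(line)
```

    The distinction the example preserves is the one the reply draws: disabling removes a rule everywhere, while a suppress entry keeps it firing for every host except the ones you have checked and accepted, which is the right tool for the HTTP_INSPECT-type noise from a known web server.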
  • Cannot Get Suricata To Start Using pfSense
    0 Votes, 2 Posts, 187 Views
    bmeeks: I see you tagged onto another thread here: https://forum.netgate.com/topic/151936/suricata-core-dumping-after-2-4-5-upgrade/15. That thread tells you what the problem likely is and what the only short-term solution is.
  • PFSense V.2.4.5-RELEASE (amd64) and Snort 3.2.9.10_3 not starting
    0 Votes, 1 Post, 161 Views
    No one has replied
  • Snort 3.2.9.10_3 service won't start!
    0 Votes, 3 Posts, 524 Views
    Herman: Hi @jdeloach, that would be the problem then. Went back to 2.4.4-RELEASE-p3. With the 2.4.5 I've experienced very slow boot of pfsense and the DHCP on the WAN interface didn't work anymore. Do not know if that makes sense to you? Greetz, Herman F.
  • Snort no longer available?
    0 Votes, 5 Posts, 809 Views
    Thanks, I understand now. Here is a screen grab of what my installed packages are, attached. [image: 1586005059052-3.png]
  • Suricata 5.0.2 Will Not Start on pfSense 2.4.5
    0 Votes, 10 Posts, 2k Views
    Thanks for the help Bill. I appreciate it.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.