• Snort using tons of memory

    3
    0 Votes
    3 Posts
    676 Views
    M
    Thanks for the feedback. I took a look at the multiple Snort interfaces, and they weren't using all that much. There were a couple of plugin processes that were using a lot, and I thought at least one had a memory leak, because when I rebooted the memory use went down. But after a couple of days, same thing. So Amazon to the rescue; plugged in another 16 GB which was dirt cheap, and now it is using about 31% of the 24 GB, so all is well. CPU usage was never an issue (about 23% as I write this; I have seen it go as high as 80%, but that's rare and very temporary), so I'm done. I have everything installed I needed (and some plugins I just wanted to play with), and it runs everything I'm throwing at it, so I'm happy. Lucky I got this version; not sure the less powerful ones would do what I am asking.
  • Snort Subscriber rules

    15
    0 Votes
    15 Posts
    2k Views
    bmeeksB
    @lucas1 said in Snort Subscriber rules: @NogBadTheBad It was: Downloading Snort Subscriber rules md5 file snortrules-snapshot-29120.tar.gz.md5... has become: Downloading Snort Subscriber rules md5 file snortrules-snapshot-29150.tar.gz.md5... Done downloading rules file. The reason was found by another employee. It's called try and guess. Oh... you were not running the current version of the Snort binary. I assumed you were, so my mistake on that. The Snort team periodically ages out and discontinues rules support for older Snort versions. The rules are tied to specific binary versions, so you can't use the Snort rules from the 2.9.12 binary with the later 2.9.15 binary. So the moral of that story is to keep your Snort package updated to the current version. I do my best to keep the Snort version in pfSense-RELEASE current so the rules downloads/updates will work. The 422 HTTP error was the Snort web site's roundabout way of saying that the file version your Snort package was requesting was not present. Now, if you are using Snort Subscriber rules with Suricata, then it is your responsibility to log into the Snort rules web site periodically and check which version is current for the 2.9.x rules. You then have to manually configure Suricata to download the correct version. See this Sticky Post at the top of this forum: https://forum.netgate.com/topic/110325/using-snort-vrt-rules-with-suricata-and-keeping-them-updated. One big warning! DO NOT use the Snort 3.0 rules with Suricata! You will completely break your Suricata installation if you try that. The only way to recover it would be to remove it and install everything fresh again. Your post was a bit ambiguous as to whether you were running the Snort package or if you were running Suricata and using the Snort rules. I made an assumption that may have been incorrect.
  • Logs from a printer trying to communicate with lots of IP addresses

    4
    0 Votes
    4 Posts
    534 Views
    S
    Thank you so much, guys, for your reply. I will go ahead and disable the rule.
  • Pfsense Snort not blocking

    6
    0 Votes
    6 Posts
    1k Views
    bmeeksB
    @scorpoin said in Pfsense Snort not blocking: @NollipfSense said in Pfsense Snort not blocking: You said you just installed Snort... how do you know it's not blocking? Did you visit a site that's supposed to be blocked, yet you got to the site? It's not blocking: when I try to connect my OpenVPN client, it does connect me to my VPN server, which is supposed to be blocked as per the rule? Regards. The default Pass List will whitelist locally attached networks, including your VPN. If you don't want that default action, then you will need to create your own custom pass list.
  • Snort start / FATAL ERROR:

    5
    0 Votes
    5 Posts
    2k Views
    bmeeksB
    Modbus is for industrial control systems. It is not used in business or home networks (typically).
  • 1 Votes
    2 Posts
    1k Views
    bmeeksB
    This forum is for users of Snort on pfSense only. There is no support for Windows versions of Snort available here.
  • Suricata blocks traffic without alert

    7
    0 Votes
    7 Posts
    2k Views
    bmeeksB
    @mind12 said in Suricata blocks traffic without alert: @bmeeks said in Suricata blocks traffic without alert: 2024772 Never mind, that command just changed all the flowbit rules to alert using the dropsid.conf. I was confused by the name of the file dropsid.conf, thinking it couldn't change anything to alert, only to drop. It's the drop-down selector where you pick the file that determines the action (change to drop, enable, or modify), not the filename. You can choose any file for the action, and whatever matches the PCRE in that file produces is then used for finding and modifying rules.
  • [solved] how to activate Snort event pcaps?

    snort pcap
    6
    0 Votes
    6 Posts
    2k Views
    J
    For some reason, there are no pcap files in /var/log/snort/snort_*/. The Log Management tab is set as shown in the attached screenshot, and Snort is running (also shown in a screenshot). Could anyone point me on how to enable them, please?
  • Snort how to choose rulesets/categories (level just above newbie)

    5
    0 Votes
    5 Posts
    2k Views
    M
    Thanks for your reply and your explanations. Even if it is not the answer I wished for, it helps not losing any more time searching in a wrong direction. Thanks. Have a nice day.
  • Suricata 5.0 buzzing on Twitter

    14
    0 Votes
    14 Posts
    2k Views
    NollipfSenseN
  • Suricata crashing during Windows Server backup to backuppc by SMB

    12
    0 Votes
    12 Posts
    1k Views
    P
    Hello. No more crashes this weekend. I launched a manual backup on Friday to test, and the memory usage hasn't increased. I will still wait for a week, but I think the solution is good. Thanks a lot to @bmeeks for the help.
  • Snort Throughput Calculator

    2
    0 Votes
    2 Posts
    691 Views
    bmeeksB
    There are too many variables to make an accurate calculation in my view. Why not simply test it? You can turn on Performance Stats on the PREPROCESSORS tab and look through those log outputs to see where Snort is spending its time.
  • snort license

    3
    0 Votes
    3 Posts
    601 Views
    O
    @NogBadTheBad Sir, just wanting to make sure that there's no issue.
  • 0 Votes
    7 Posts
    1k Views
    X
    Yes, it's for home. Thanks a lot for the detailed explanation, I am going to switch to LAN interface.
  • Snort-3.2.9.10 Package Update Release Notes

    8
    2 Votes
    8 Posts
    1k Views
    bmeeksB
    @bokikay said in Snort-3.2.9.10 Package Update Release Notes: Hello sir @bmeeks, yesterday I ran an upgrade to the latest one, 3.2.9.10, for Snort. It works fine after I reboot my box. Today when I checked the status, it had stopped everything and it looks like the attached screenshot. I click the play button to start it, but still it won't work. Do I need to remove the package and reinstall it again? Thank you, sir. Have you looked in the pfSense system log to see what error messages are being logged when you attempt a restart of the interfaces? How do you expect me to help you if you give me no information to go on? I need error log messages to troubleshoot. I can't just sense what's wrong through the ether with "spidey senses" or something...
  • suricata update killing WAN interface

    4
    0 Votes
    4 Posts
    493 Views
    kiokomanK
    yes, of course
  • Snort error on 2.5

    1
    0 Votes
    1 Posts
    116 Views
    No one has replied
  • Suricata Not Blocking legacy mode

    76
    0 Votes
    76 Posts
    26k Views
    everfreeE
    Still waiting, hope it will be fixed.
  • Snort: Internet Radio Streams blocked

    9
    0 Votes
    9 Posts
    1k Views
    I
    @NogBadTheBad It is; I wrote before I thought.
  • Can't Update Rules

    3
    0 Votes
    3 Posts
    599 Views
    S
    Thank you so much (again :) ...). It was the proxy that we use; my problem, though, was that I whitelisted the wrong interface...
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.