  • Snort Throughput Calculator

    0 Votes
    2 Posts
    624 Views
    bmeeks

    There are too many variables to make an accurate calculation in my view. Why not simply test it? You can turn on Performance Stats on the PREPROCESSORS tab and look through those log outputs to see where Snort is spending its time.

  • snort license

    0 Votes
    3 Posts
    500 Views

    @NogBadTheBad, sir, just wanting to make sure that there's no issue.

  • 0 Votes
    7 Posts
    928 Views

    Yes, it's for home. Thanks a lot for the detailed explanation, I am going to switch to LAN interface.

  • Snort-3.2.9.10 Package Update Release Notes

    2 Votes
    8 Posts
    1k Views
    bmeeks

    @bokikay said in Snort-3.2.9.10 Package Update Release Notes:

    Hello sir @bmeeks, yesterday I ran an upgrade to the latest one, 3.2.9.10, for Snort. It worked fine after I rebooted my box. Today when I checked the status it had stopped completely and it looks like this pic. I click the play button to start it, but it still won't work. Do I need to remove the package and reinstall it again? Thank you sir.

    Have you looked in the pfSense system log to see what error messages are being logged when you attempt a restart of the interfaces? How do you expect me to help you if you give me no information to go on? I need error log messages to troubleshoot. I can't just sense what's wrong through the ether with "spidey senses" or something ... 😀

  • suricata update killing WAN interface

    0 Votes
    4 Posts
    448 Views
    kiokoman

    Yes, of course.

  • Snort error on 2.5

    0 Votes
    1 Post
    107 Views
    No one has replied

  • Suricata Not Blocking legacy mode

    0 Votes
    76 Posts
    22k Views
    everfree

    Still waiting, hope it will be fixed.

  • Snort: Internet Radio Streams blocked

    0 Votes
    9 Posts
    940 Views

    @NogBadTheBad
    It is,
    I wrote before I thought.

  • Cant Update Rules

    0 Votes
    3 Posts
    518 Views

    Thank you so much (again :) ...)
    It was the proxy that we use, my problem though was that I white-listed the wrong interface...

  • Suricata v4.1.4_7 Package Update Release Notes (pfSense-2.4.4_3)

    1 Vote
    10 Posts
    967 Views
    bmeeks

    I did forget to mention that when you clear out the /var/log/suricata directory that will wipe out all of the Suricata log files, so if you want those for some reason copy them off before executing the command.

  • Suricata sometimes block

    0 Votes
    10 Posts
    3k Views

    Uptime 21 Days 16 Hours 14 Minutes 42 Seconds

    no more problems after I disabled suricata... :(

  • (SOLVED) Snort detecting INDICATOR-COMPROMISE suspicious .null DNS query

    Moved
    0 Votes
    48 Posts
    14k Views

    Thank you for the advice @bmeeks. I'll keep that in mind. 😀

  • 0 Votes
    6 Posts
    809 Views
    bmeeks

    Even though the title for this Sticky Post says it is for Snort, the concepts and most of the screenshots are applicable to Suricata. There are some examples in there of using SID MGMT. Also, if you are using the Snort Subscriber Rules in your configuration, you could opt to enable an IPS Policy (IPS-Connectivity is a good starter policy).

  • could not update suricata

    0 Votes
    6 Posts
    830 Views
    bmeeks

    @albgen said in could not update suricata:

    @bmeeks what about how to check which process is using RAM the most? Should I check with the standard FreeBSD command line, or is there any specific way from pfSense itself?

    While installing a package in the GUI, you would need to use a CLI method via a direct console session or an SSH session. If you change "screens" in the GUI and access a different menu option while a package install is happening, it can blow up the PHP session that was installing the package.

  • Suricata 4.1.5_1 on pfsense 2.5.0-DEVELOPMENT (amd64) can't start

    0 Votes
    13 Posts
    1k Views

    Thanks guys, it's now working.

  • 0 Votes
    9 Posts
    849 Views
    lexxai

    @bmeeks said in pfsense sync pf table snort2c to another firewall by scan loop, but what if use barnyard2 ?:

    standard Snort binary package from FreeBSD ports

    Plain Snort is not a ready solution.
    You need to load rules by subscription, by other apps ...
    barnyard2 to read the raw log from Snort; for barnyard2 you ideally need to have SQL ....
    To visualize alerts you need another app ...
    IP lists etc ....

    In another office we used pfSense for many years as the main gateway with Snort, as you say.
    And I will say that 8G RAM is not so much if barnyard2 is enabled with Snort and multiple interfaces on Snort.

  • Suricata 4.1.5 keeps crashing on SG1100-2.4.4-RELEASE-p3

    0 Votes
    8 Posts
    747 Views
    bmeeks

    Also forgot to mention that if you have a Snort Subscriber Rules subscription (either paid or free), then you do not need to use the Snort GPLv2 rules. The rules in there are already within the Snort Subscriber rule set. So you would just be duplicating rules if you use the Snort GPLv2 Community Rules and the Snort Subscriber rules. The GPLv2 rules are just public free versions of some of the Snort Subscriber rules.

  • Snort Won't Start, Failed to load file-other.so

    0 Votes
    11 Posts
    2k Views

    I have created a pull request:
    https://github.com/pfsense/FreeBSD-ports/pull/702

    But since I have no idea how to test it, I guess some other person has to do that part.

  • after install snort, squidguard (shallalist) not working

    0 Votes
    7 Posts
    549 Views
    bmeeks

    Sorry, but I can't help you with Squid or SquidGuard. Never used either package on pfSense.

    Your Snort rules look OK, but you might be a little tight on memory.

  • Suricata LAN alerts scr vs dst & false positives

    0 Votes
    2 Posts
    390 Views
    bmeeks

    Installing games and game launchers, especially if from sources other than an official retail outlet, would give me pause. But then I am almost officially an "old fart" now and games don't interest me anymore ... ☺

    Back to your problem ---

    It's really hard to say if all of those are false positives. I will say that in general the ET Policy rule category is not terribly useful on a home network because it will generate alerts for lots of things that are perfectly normal for home networks. That ET Policy set is primarily aimed at the corporate IT world where things like Windows updates and other similar things are tightly controlled and usually distributed from in-house servers on the company network (think Microsoft's old SMS and later WSUS architecture). So these rules are designed to trigger on traffic that would indicate a user was downloading or installing some EXE file or DLL or ZIP file from the web instead of official company infrastructure.

    Well, in a home network that's exactly what Windows needs to do in order to get security updates -- download EXE and DLL files from the web. So the ET Policy rules are likely to false positive there. So the ET Policy rules in your alerts are most likely false positives. I would suggest you disable the rule set entirely in your configuration or else turn off several of those alerting rules.

    The other alerts from ET Shellcode might not be benign. The fact you mentioned you installed new games and game installers means some kind of adware or malware may have slipped in as well (unless you bought the games from a big-name retailer, but even that's not guaranteed safe). Definitely would be worried if I obtained the games from a torrent or other P2P method or purchased them at a substantial discount off retail from some web site.

    One thing to start with is to research all of the IP addresses in the alerts that are not your own. You can use web tools such as the ARIN IP Lookup to find the IP space owner and what country the IP is registered in. You can also search Google using the IP addresses as the search term to see if any negative reviews turn up.

    If the IP addresses in those Shellcode alerts are registered to the maker of your games, then I wouldn't panic as much as I would if I found the IP addresses instead were going to some "more often than not" hostile country known for malware.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.