• Suricata GUI Package Version 4.0.0 Release Notes

    3
    0 Votes
    3 Posts
    2k Views

    Installed last night, so far zero issues. Thanks for getting this out.

  • Snort Custom Alerts

    3
    0 Votes
    3 Posts
    834 Views
    NogBadTheBad

    Thanks Bill, it's working a treat now :)

    alert icmp any any -> any any (msg:"ICMP Packet found";sid:1000001;rev:1;classtype:icmp-event)


  • Barnyard2 with MySQL over SSL issue

    4
    0 Votes
    4 Posts
    631 Views
    bmeeks

    It's been a while since I've toyed with Barnyard2.  It definitely sounds like a permissions or path thing to me, though.  Remember the running Barnyard2 process will not have the same environment variables set as your shell account will have.  So things that "just work" at a CLI prompt many times will not work when executed from within a script or a daemon.

    Is your private key literally in /etc, or is it maybe actually in /usr/local/etc?  The latter is where I think it should generally be on FreeBSD and pfSense.  All of the Snort, Suricata and Barnyard2 stuff is in /usr/local/etc.

    Bill

  • Layer 7 filtering

    2
    0 Votes
    2 Posts
    4k Views
    bmeeks

    @techbee:

    While pfSense dropped Layer 7 filtering and suggested using Snort, I don't know why other commercial firewalls still have Layer 7 filtering on them. I forgot which commercial firewall that was, probably Sophos.

    I believe it was because the Layer 7 filtering in pfSense was never great and it was a little hard to maintain.  I think it was more an experiment from one of the developers who has since departed.  The OpenAppID system now in Snort was open-sourced by Sourcefire soon after acquiring Snort.  It is modeled after some of their older proprietary stuff.  You have the basic engine available in the Snort binary, but to complete the circle and make it actually do something you need custom AppID rules.  A third party provider volunteered to create and maintain a cache of OpenAppID rules for the Snort package on pfSense.  Those rules are hosted on a University web site in Brazil.  You can enable their download in the Snort GUI on the GLOBAL SETTINGS tab.  Be aware, though, that the hosting web site does geo-blocking on certain countries.  If you reside in one of the countries they geo-block, then you won't be able to download the rules (at least not without using a VPN to get around the geo-blocking).

    Bill

  • Signature ID of an application

    3
    0 Votes
    3 Posts
    563 Views
    bmeeks

    This is a question you should direct to the Snort mailing list.  I don't have the URL, but you should be able to quickly find it on Google.  I know there is one.

    Bill

  • Snort won't start.

    3
    0 Votes
    3 Posts
    2k Views
    bmeeks

    @justsomeone:

    Snort won't start after updating some rules. I have uninstalled and reinstalled. Any help would be much appreciated.

    Here are the logs:

    ```
    Time Process PID Message
    Jul 21 15:03:54 php-fpm 40562 /snort/snort_interfaces.php: The command '/usr/local/bin/snort -R 35291 -D -q --suppress-config-log -l /var/log/snort/snort_em035291 --pid-path /var/run --nolock-pidfile -G 35291 -c /usr/local/etc/snort/snort_35291_em0/snort.conf -i em0' returned exit code '1', the output was ''
    Jul 21 15:03:54 snort 48245 FATAL ERROR: /usr/local/etc/snort/snort_35291_em0/rules/snort.rules(4832) byte_test rule option cannot extract more than 4 bytes without valid string prefix.
    Jul 21 15:03:53 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Snort START for WAN(em0)...
    Jul 21 15:03:53 php-fpm 40562 /snort/snort_interfaces.php: Starting Snort on WAN(em0) per user request...
    Jul 21 15:03:51 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Building new sid-msg.map file for WAN...
    Jul 21 15:03:50 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Enabling any flowbit-required rules for: WAN...
    Jul 21 15:03:42 php-fpm 40562 /snort/snort_interfaces.php: [Snort] Updating rules configuration for: WAN ...
    ```

    This error is caused by a mis-written rule signature.  Likely it was updated by the authors but the error was not caught before the rule was added to the update tar ball.  You can find the errant rule and disable it by "decoding" the error message.

    Here is the snippet of the error message you need:

    /usr/local/etc/snort/snort_35291_em0/rules/snort.rules(4832)

    This tells you the file containing the rules where the error happened.  The file is /usr/local/etc/snort/snort_35291_em0/rules/snort.rules, and the error is on line 4832 in that file.  So open the file in an editor, locate line 4832, examine the rule there to find the SID and category and then disable that rule in the GUI on the RULES tab.

    Bill

  • Suricata blocks homenet ip address

    4
    0 Votes
    4 Posts
    1k Views
    bmeeks

    @crester:

    I don't know why but rebooting had worked.

    99 times out of 100 this means you had duplicate Snort instances running on the same interface.  To the GUI, one of those process instances is like a zombie and lost.  So any changes made to HOMENET or anything else in the GUI don't get applied to that running zombie process.  Rebooting will kill everything and then you get back to a single Snort instance per configured interface and things are normal.

    Bill

  • 0 Votes
    2 Posts
    546 Views
    bmeeks

    The GUI package update to accompany the binary update has been posted for review and approval by the pfSense developer team.  Should get merged into the package repository soon.  Here is a link to the Pull Request with details on bug fixes and the new feature in this coming update.

    https://github.com/pfsense/FreeBSD-ports/pull/393

    I will post a full set of release notes after the update is merged into the package repositories and is available for users to install.

    Bill

  • Help with troubleshooting Suricata failure

    4
    0 Votes
    4 Posts
    968 Views
    D

    I realize this is an old topic - however, maybe someone out there has crossed this bridge and can shed some light on the issue.

    I am running into the same problem as the OP.  Suricata (Inline - Intel i211) effectively shuts down the WAN interface and runs the CPU up to 100%.  Nothing in the logs indicates a problem, suricata log just goes silent.  A stop / start of Suricata and all is well again.

    The few times I've encountered this it did not seem to happen during times of high load on the interfaces.

    OP - Did you have any luck in adjusting buffers?

  • Snort - when to suppress?

    6
    0 Votes
    6 Posts
    3k Views
    V

    MrGlasspoole…just to be clear I do not recommend you disable those rules. If you are not getting many alerts "Suppress" might be a better route for you, assuming you have the available resources for your firewall to work harder.

  • VLAN, Trunk interface?

    2
    0 Votes
    2 Posts
    598 Views
    NogBadTheBad

    I run Snort on the VLANs and exclude the parent interface; the untagged VLAN on my setup is for LAN management.

  • Snort update broke Snort…...again.......

    2
    0 Votes
    2 Posts
    602 Views
    Jailer

    And after F*****g with it for the last half hour I hit the start button in the GUI…...and it's running.......

  • Need help whitelisting an IP

    2
    0 Votes
    2 Posts
    389 Views
    Jailer

    Figured it out, I didn't have a description entered and it wasn't saving my work. Added a description to the alias and it's working now.

    Edit: Spoke too soon, still not working and it's still blocking that IP.  :(

  • Snort Update error 403

    10
    0 Votes
    10 Posts
    3k Views
    N

    Check the Package Manager and upgrade Snort; the issue will be gone.

  • Suricata 3.2.1_2 to 3.2.1_3 update failed

    2
    0 Votes
    2 Posts
    412 Views
    B

    I have the same issue: when I updated pfSense, after rebooting it updated a couple of packages and failed to update Suricata.

    I uninstalled Suricata and reinstalled it again, and it is working fine now without losing any configuration.

  • Snort JavaScript Heap Spray

    1
    0 Votes
    1 Posts
    601 Views
    No one has replied

  • Snort vs Suricata logging

    3
    0 Votes
    3 Posts
    3k Views
    F

    I know this is a bit older, but this request hasn't made it into any release for the httpd extend custom option. Why?

  • Unknown snort rule

    2
    0 Votes
    2 Posts
    2k Views
    G

    Found them!  OpenAppID rules, I had them all enabled.

    Logs cleared and back to normal

    ::)

  • Snort Notifications

    4
    0 Votes
    4 Posts
    2k Views
    ivor

    I'm not sure if you've worked with an IDS before, but you really don't want 99.99% of the alerts an IDS detects. Many are false positives. The most important part is to configure your firewall correctly.

  • 0 Votes
    2 Posts
    553 Views
    B

    I have the same issue: when I activate Suricata inline mode it works for a while, then it crashes with an endless text error on the console, so I have to turn the power off and on again. If I use legacy mode it works fine.

    I tried the tunables below without success in solving the issue:

    net.inet.tcp.tso=0
    hw.igb.num_queues=1
    hw.pci.enable_msix=0

    Error message header:

    ```
    Fatal trap 19: non-maskable interrupt trap while in kernel mode
    instruction pointer     = 0x20:0xffffffff813071e6
    code segment            = base 0x0, limit 0xfffff, type 0x1b
                            = DPL 0, pres 1, long 1, def32 0, gran 1
    processor eflags        = interrupt enabled, IOPL = 0
    current process         = 11 (idle: cpu2)
    timeout stopping cpus
    [ thread pid 11 tid 100005 ]
    Stopped at      acpi_cpu_c1+0x6:        popq    %rbp
    db:0:kdb.enter.default>  bt
    Tracing pid 11 tid 100005 td 0xfffff80005202500
    acpi_cpu_c1() at acpi_cpu_c1+0x6/frame 0xfffffe0226be88f0
    acpi_cpu_idle() at acpi_cpu_idle+0x2e2/frame 0xfffffe0226be8940
    cpu_idle_acpi() at cpu_idle_acpi+0x3f/frame 0xfffffe0226be8960
    cpu_idle() at cpu_idle+0x95/frame 0xfffffe0226be8980
    sched_idletd() at sched_idletd+0x3d3/frame 0xfffffe0226be8a70
    fork_exit() at fork_exit+0x85/frame 0xfffffe0226be8ab0
    fork_trampoline() at fork_trampoline+0xe/frame 0xfffffe0226be8ab0
    --- trap 0, rip = 0, rsp = 0, rbp = 0 ---
    [interleaved register dumps from cpu0/cpu1/cpu3, the lockinfo, show pcpu and ps output omitted]
    ```

    Can anyone help us on this matter? Thanks.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.