@bmeeks
I see that there is an update out now. I just install it a few minutes ago. So will update if I run into that same issue again.

Yes, that snort.core file can safely be deleted. That is a memory dump produced by a crash (looks like back on December 7th).

@michmoor

Thank you for the reply. So now I need to experiment with the rule-sets so see why my PfSense box does not block the same sites as the Z4.........

@bmeeks said in SID Mgmt change drop to block (white listing instead of blacklisting):

Yes, it's a bit of typing or copy-paste, but that's part of the drudgery of what an IDS/IPS admin does. Once done, it's done.

And that's what I ended up doing, listing all the 50+ ET rules lists, except the three I wanted to keep as Alert only. Which, in order to keep track of what I did, I commented out and kept in the file.

But once done, it's done isn't really true is it? Things change, and you constantly need to adjust, typically by disabling or suppressing rules that are false positives. Mostly individual rules, but it could possibly be an entire list.

I think all changes I have ended up making are in the direction from Drop to Alert. Not the other way around... Starting out from some reasonable level based on e.g. Snort Policy (where I use Balanced) and some ideas about what other rules lists to disable or keep as Alert.

And this is part of what is so good with the lists, also the suppress list, in that they are so simple to read, and can easily be copied over to other tools like excel. They give you a good overview of what it is you have done.

And then we have usability aspect, and being practical or efficient. It's either:
emerging-3coresec.rules
emerging-activex.rules
emerging-adware_pup.rules
... and so on for each list ...

Or simply writing.
emerging

And then all the emerging threats rules are affected, and changed to Drop for example.

Then the next simple step would be to have a few of them reverted back to Alert, by creating a list for that, as suggested.

Remember, blocking applications at the network level might have unintended consequences, and false positives are possible. Make sure to thoroughly test and monitor your network after implementing these rules. Additionally, keep in mind that determined users can find ways to bypass such restrictions. Consider implementing a comprehensive security strategy that includes education, user policies, and other layers of security to address different aspects of network security.

@ajohnson353 said in Suricata interfaces halting in legacy mode:

Hello! I am also seeing Suricata crash after updating to CE 2.7.1. Last error before the crash is "[167966 - W#06] 2023-11-29 22:44:22 Error: spm-hs: Hyperscan returned fatal error -1." Restarting only brings it back for a few minutes.

That issue is being discussed in this thread: https://forum.netgate.com/topic/184101/suricata-process-dying-due-to-hyperscan-problem. Please post comments or questions over there to keep the discussion in a single thread.

@bmeeks Thanks for sharing.

I worked in IT for 15 combined years, even held some government clearences at one time a DOJ, SSA, and TNET. The amount of 16 hour shifts I did early on in my life limited many core social friendships. I quit once the company I worked for would not give me a regular schedule when my kid started Kindergarten. I just assumed I would get one after the many years. So I put my three weeks in. It was sad after 13 years there and many 16s, even 10 years without a holiday, the last thing I was told by the new manager... get Jon the @#@# out of here, take him home. No goodbyes, no card, after they even deleted half a week off my last check. Very toxic work environment. I went back to school even in my old age, I was able to share spread knowledge with a younger generation. All the scary situations I was in, it was just sad.

Anyway looking forward I can't wait to learn C soon.

@michmoor I bet Bill will do it once he wants a good puzzle. Maybe if we donate $50.00...

The pfSense Snort AppID de-cipher sorcerer's code file with case sensitive messages: --> 1696920726080-textrules2 (1).txt
Sid range: 1000000 - 1003371

Total 3,371 AppID rules you can use with the custom option.

Use this with AppID enabled and place it as custom to use all the AppID snort snubs with custom text rules.

https://forum.netgate.com/topic/183210/guide-snort-s-appid-custom-rules-quick-guide-to-blocking-example-shows-openai-chatgpt-or-itunes

This also has tictok in it.

https://redmine.pfsense.org/issues/15035

@denis_ju Snort does not work for me past version .11 on ARM processors

@repomanz said in Snort doesn't want to start after latest upgrade to Snort 4.1.6_12:

I didn't notice there was a pfsense update before I went to latest snort.

Get in the habit of always going to the pfSense Dashboard first, let the "update check complete", and if a pfSense update is avaiable, do not update your packages before first updating pfSense- unless you specifically go and choose "Previous stable version" in the UPDATE menu. But usually if you do that, the new package version you are after will not show as new packages generally appear only for the newest pfSense release.

@Euman said in Surricata alerts NULL ip address:

@bmeeks Hi friend, .

I looked closer at this versioning:

suricata security 7.0.2_1 High Performance Network IDS, IPS and Security Monitoring engine by OISF.

Package Dependencies: suricata-7.0.2_4 
https://freshports.org/security/suricata

I copied the pkg dependencies version

7.0.2 would have been the version that left the offending line.

Thanks. If you have not seen any other instances, it may have just been some type of corruption in the file. That log is a text file processed by PHP code in the GUI to parse out the various fields. One of the fields apparently parse out incorrectly for some reason.

For now I think it can be safely ignored. If it happens again, post back to this thread and I'll investigate further.

@wolfsden3 said in SNORT: promiscuous mode disabled + promiscuous mode enabled error + exited on signal 11 (core dumped):

Hey guys / gals / they / thems, etc...

I did the 2.7.1 update on one of the boxes I had this issue with > re-enabled kill states > haven't had a problem.

Did 2.7.1 resolve this SNORT issue is some magical way? I think SNORT is the same version but I didn't confirm this.

Many Thanks!

As @SteveITS mentioned in his response with this link:

https://forum.netgate.com/topic/184112/important-snort-and-suricata-package-announcement-probable-bug-in-legacy-blocking-module/

There is a thread where I am posting updates. I will put them in the original post at the top of that thread.

@fernoliv said in I can't start Suricata 7.0.0.2 on Pfsense + 23.09:

Thanks @bmeeks but in my case, even with the "kill states" option unticked/unchecked Suricata still not starting and still running.

The kernel process is return on the System Logs the message below:

(suricata), jid 0, uid 0: exited on signal 6 (core dumped)

I'm going to wait for the fix be turned available via pfSense repositores (patches or a new 23.09.1 release) to overcome that issue.

Signal 6 is an entirely different error. That means Suricata is missing some critical dependency or something vital is not initializing.

What kind of hardware do you have? Is it Intel AMD64 or ARM based?

Remove the packge, reboot the firewall, then try installing the package again.

@bmeeks Thank you. Excellent suggestions. My head was too much in a GUI mode. Never would have thought of a regexe. I'll stretch my Google-Fu and see if I can come up with a nice one-liner. Cheers.

@Ramosel said in Snort Update Procedure:

@bmeeks said in Snort Update Procedure:

And "yes", I retired back in February of 2014. I worked as a contractor in a "work from home" job starting in 2015 for about 2 years, but then retired for good at the end of 2017. Just enjoying life now as an official "Old Fart" 🙂. But I have not gotten to the "you kids get off my lawn" stage yet.

Well, ya got some catching up to do... you'll get there... especially with the crap going on these days.

I do reserve my right to complain about "the crap these days", even if I'm not all the way to "you kids get off my lawn". Oh, and both my wife and I like to complain about how much stuff costs now compared to "the good old days".