• Snort JavaScript Heap Spray

    1
    0 Votes
    1 Posts
    606 Views
    No one has replied
  • Snort vs Suricata logging

    3
    0 Votes
    3 Posts
    3k Views

    I know this is a bit older, but this request doesn't get pumped into any release for the httpd extend custom option, why?

  • Unknown snort rule

    2
    0 Votes
    2 Posts
    2k Views

    Found them!  OpenAppID rules, I had them all enabled.

    Logs cleared and back to normal

    ::)

  • Snort Notifications

    4
    0 Votes
    4 Posts
    2k Views
    ivor

    I'm not sure if you've worked with an IDS before, but you really don't want 99.99% of the alerts an IDS detects. Many are false positives. The most important part is to configure your firewall correctly.

  • 0 Votes
    2 Posts
    558 Views

    I have the same issue. When I activate Suricata inline mode it works for a while, then it crashes with infinite text errors on the console, so I have to turn the power off and on again. If I use legacy mode it works fine.

    I tried the tuning below with no luck solving the issue:

    net.inet.tcp.tso=0
    hw.igb.num_queues=1
    hw.pci.enable_msix=0

    Error message header:


    Can anyone help us on this matter? Thanks

  • Block VPN connections over TCP 443 with Suricata?

    1
    0 Votes
    1 Posts
    692 Views
    No one has replied
  • SNORT OPENAPPID RULES DETECTORS offline install package?

    8
    0 Votes
    8 Posts
    2k Views

    I think the issue is their servers. I am from Hong Kong and I have the exact error: when I try to go to www.ifs.edu.br, it displays a firewall message saying it has a Geo-IP block of Hong Kong.
    When I try to go to the website again using a VPN in the US, it displays the website just fine.

    Any way to work around this? It's definitely a Geo block. Any way to contact them? Or maybe someone knows the URL? I can download the rules on a public server and add a DNS override on the firewall.

  • Suricata 3.2.2 available at freshports

    1
    0 Votes
    1 Posts
    593 Views
    No one has replied
  • Snort won't boot anymore with the pfsense 2.3.4-RELEASE

    2
    0 Votes
    2 Posts
    908 Views
    bmeeks

    Follow the instructions I give here:  https://forum.pfsense.org/index.php?topic=127764.msg731895#msg731895 to remove Snort, clean up the older shared-object libraries and reinstall Snort.

    Bill

  • Snort Keeps Stopping

    10
    0 Votes
    10 Posts
    6k Views
    bmeeks

    @Khampol:

    Hi,

    After a manual update today, well, Snort refuses to start… See this in the LOG:

    FATAL ERROR: The dynamic detection library "/usr/local/lib/snort_dynamicrules/server-webapp.so" version 1.0 compiled with dynamic engine library version 2.6 isn't compatible with the current dynamic engine library "/usr/local/lib/snort_dynamicengine/libsf_engine.so" version 3.0.

    ::) ::) ::)

    Two things:  (1) do you have the latest Snort package installed?  (2) did you do a "remove and then reinstall" when updating the Snort package?

    Sounds like you have a problem another user had.  You have old versions of the precompiled shared-object rules libraries hanging around on your system.  To remove them, do the following:

    (1) Remove the Snort package
    (2) Get to a CLI (command line) prompt on the firewall and delete any "snort" directories you find in the /usr/local/lib path.
    (3) Install the Snort package again

    The above steps will not cause you to lose any configuration data so long as "save settings" is enabled on the GLOBAL SETTINGS tab.  That setting is "on" by default.

    Bill

  • Prevent Snort from block my ip when I'm remote accessing my Pfsense box

    5
    0 Votes
    5 Posts
    1k Views

    Bottom line is, don't enable remote access to your pfSense box without a VPN. Until you have a VPN server setup, disable all remote access.

    SSH with pass + key auth is fine.

  • In line transparent pfsense with Snort

    1
    0 Votes
    1 Posts
    576 Views
    No one has replied
  • Basic suricata Question

    3
    0 Votes
    3 Posts
    879 Views

    Or highlighted with red rows in the Alerts tab if you use it in Inline mode.

  • How to make barnyard2 auto log to database?

    1
    0 Votes
    1 Posts
    432 Views
    No one has replied
  • Suricata Inline and VLANs

    9
    0 Votes
    9 Posts
    4k Views

    @Gemnon:

    ifconfig em0 -vlanhwtag

    With package "shellcmd" it is possible to apply it every boot up.

    I use the standard "shellcmd" type and it is working perfectly.

    Thanks to Gemnon

  • Suricata inline mode breaking barnyard2

    2
    0 Votes
    2 Posts
    534 Views

    So I made some progress on this; the issue is that Suricata is not properly generating the passlist rules for sid-msg.map (it's omitting a 'rev' column), which I think is what is tripping up barnyard2.

    I was able to disable/enable blocking so that the passlist entries are no longer added to the .map file, but it seems like they get put back in if I switch over to inline.

  • "Block snort2c hosts" error

    6
    0 Votes
    6 Posts
    2k Views
    chudak

    @Birke:

    Just look under Snort Alerts and there select your WAN interface.
    Then you see the alerts on that interface. For example:
    ```
    06/23/2017
    12:09:59 2 TCP Potentially Bad Traffic 31.193.143.x
        50439 89.x.x.x
      1433 1:2010935
      ET POLICY Suspicious inbound to MSSQL port 1433
    ```

    The "ET POLICY" shows which rule category it comes from, and the "1:2010935" is the number of the rule. With that info you can go to the WAN interface configuration in Snort and then select Rules. Select the rule category and search for the rule. Or you just go to the Snort Alerts and click one of the red X's for rule suppression/disabling.

    It gets a little better now, thx!

    @Birke do you add alerts to suppress list or disable rule?
    And I am assuming after I get no or low level of alert I'd enable Block Offenders in interfaces?

    Thx

  • Snort in IPS running on vlan and parent interfaces?

    2
    0 Votes
    2 Posts
    551 Views

    I believe Snort works on whatever interface you set it on and whatever rules you apply on those interfaces.

  • Suricata upgrade error 3.2.1_2

    1
    0 Votes
    1 Posts
    377 Views
    No one has replied
  • Suricata 3.2.1 update coming soon with hyperscan support

    2
    0 Votes
    2 Posts
    914 Views

    Bill,

    That's super awesome.

    Thank you so much!

    Charles

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.