As far as I can tell it's just for visibility.  I don't think I've seen it change.

The only way I can think to do what you're asking would be to put the malware sandbox on a different interface, and not run Snort on that interface. This could have other security benefits as well to keep the malware away from any other systems.

I hear you dok. I read in other places your distaste for Snort halting upon hitting a broken rule and saw that in the code it coughed up at me.
I am partly guilty here too because after the reinstall merely deleting the interface, reinstalling the interface and redownloading the rules seemed to remedy the issue I was having.
Thanks dok for looking it over and thanks to everyone for your work on pfSense, packages, and your help in these forums.

If you're using one of the pre-defined IPS Policy settings (Connectivity, Balanced or Security), then the Snort rules are automatically selected. If you also add OpenAppID and ET rules, then you can select those rules, as they are not part of the pre-defined Snort IPS policies.

Here's a post from the Snort blog about how rules are put into each of the pre-defined policies. CVSS score, time, and certain policy groups play a factor in those pre-defined policies.

Yep, I thought that as well thanks mind12 :)

Implemented this now.

Thanks for the reply, so what im trying to accomplish is to use snort to only listen to the VIP ip but it seems that snort only listens to interfaces rather then IPs, as the VIP is connected to WAN it makes things a tad bit harder, currently what i have is 5 Static IP which my lSP gives one of those IPs is the VIP ip which is open to the world such as email server ports, FTP, website ports, etc. and one of those IPs is the WAN which all users navigate with. The issue on running snort on the WAN it gives way to many false alert, i know that there is a suppress list which i tried but it just a pain, or unless i run the rules of smtp,imap,pop, and ftp but then if i want to run rules of HTTP its going to be a hassle with the users.

Thank you

Clipboarder.2017.03.16.png
Clipboarder.2017.03.16.png_thumb
Clipboarder.2017.03.16-002.png
Clipboarder.2017.03.16-002.png_thumb

Not exactly sure what's the question here, obviously depends on the interface. If you have FPs, disable the offending rules.

Thank you

I have a HP NC365T quad nic and seems to run (wan only)  in-line Suricata 3.1.2 on pfSense 2.3.3_1 fine. When I was running speedtest, I did get an Suricata alert "SURICATA STREAM excessive".

Doktornotor, yes, I'm using my snort as you said it, in in-line mode, like the bridge between two network segments (between my ISP router and my main firewall). Now, would you tell me if this way, setting my wan ip on passlists, would not open some security hole in my network? I think it might not block some kind of threat, I do not know. If you do not see problem I will leave it configured this way, with ip of wan added in the passlist.

Thanks a lot, pfBasic. It really opened my eyes on that point. I'll analyze the logs for a while before applying lock.

I actually just happened to post a thread on how to keep your snort2c table persistent.

When you updated you had to reboot, anytime you reboot your blocked hosts lists will be flushed.

Just follow the instructions here and you can keep your lists! It's actually really easy.

https://forum.pfsense.org/index.php?topic=126997.0

I do have VPN setup on my server and also the client on my phone. I will need to gives this a test.

Thanks,

Have you tried the service watchdog package?

It sounds like it is written to do exactly what you want.

EDIT: Maybe not exactly what you want, it doesn't work on a per interface basis. I don't know if it will work for you but it should if your system keeps marking the suricata service as down for some reason.

OK thank you, I figured that would be the answer.

I ended up just disabling & modifying some rules so that it's no longer a problem.

I didn't know Snort could do this, and after a quick bit of searching I'm not convinced that the current version of Snort can do SNMP. I found some references to pre 2.0 Snort and SNMP, and some references to third party plugins, but nothing in the manual for 2.9.9 mentions sending alert info via SNMP.

If your RMM supports Syslog you could use it.