Looking into this issue is next on my list after getting Snort converted to Bootstrap.  That is taking priority, and I'm trying not to make any other PHP code changes or add bug fixes until the GUI is good on pfSense 2.3-BETA and Bootstrap.

It apparently broke when the web server daemon changed in 2.2.6.

Bill

@vingaard:

Would anyone in the forum be able to assist me, so both rules fire a alarm in Snort,  I have a gut feeling that the "flow:established" keyword are the differentiator,
but i would expect that the PFsense Snort would be able to understand this?

many thanks in advance.

Well in that case, why dont you remove the threshold and diagnose only the flow…your second rule should be

alert tcp $HOME_NET any -> $EXTERNAL_NET 80 (msg:"NF - POLICY - malicious web page access"; flow:to_server,established; content:"GET"; nocase; http_method; content:"evilpage.tld"; nocase; http_header; classtype:policy-violation; metadata:NF,25042015; sid:56001811; rev:1;)

F.

Hello,

This might be due to a (unintended) extra space as mention in this post

https://forum.pfsense.org/index.php?topic=106195.0

Well, after testing the options a few times, I am sad to report that the hardware offloading options with the intel pro/1000 pt is not working for me. The network appeared to function fine otherwise, but the amount of those 0 byte packets generated is unnerving. This is on a AMD kabini system, if it makes a difference.

Thanks for the update, we really appreciate it :)
If I can help somehow I'll be glad to.

Br,Greg

If your are testing snort, maybe you should skip the "block for 1h" part for "offenders" or reduce to some minutes.

I'm already aware of how much false positives there are. Let's say my new modus operandi is to add myself to the exclusion list first and foremost  ;-)

Thank you.  My suggestion would be:

1)  add a global option in pfBlockerNG for blocking entire domains where a DNSBL includes say abcdef.com (I think it has to be global option rather than per list, otherwise you run into trouble on de-duping as you say)
2)  do the combination/de-duping/suppression etc as per normal (so people can override the global behaviour on a per domain basis by suppressing e.g. abcdef.com, but adding ads.abcdef.com)
3)  at the point where pfBlockerNG translates the de-duped list into a conf file to pass to Unbound, check each domain being added:
  - if it is a domain: then add it into the conf file with a local zone too - i.e. block the lot
  - if it is a subdomain: then add it into the conf file with just a local data entry - i.e. just block the particular subdomain mentioned

I suspect you may need to build a list of top level domains into pfBlockerNG to do the last part.  You can't just count dots unfortunately, as abc.co.uk has two (but is still a domain), whereas abc.com only has one.

On the crashing point, one way to deal with that is to sort the de-duped list by domain (e.g. invert the character order of each domain string, then sort, then invert back).  Then when you apply the logic in (3), what you'll get is one zone redirect per domain, followed by all the data entries pertaining to that domain - hence no crash.

Just a thought as to how you might do it - I suspect it might be a bit more complicated!

Good luck, and thank you!

Andrew

FOlks, I ws seeing this same exact problem running on an e1000 adapter as well.  I found disabling hardware checksumming in PFSENSE under ->SYSTEM->ADVANCED->NETWORKING stopping all my stream errors.  Its too bad this is an able to be set on an interface by interface basis, as I really only need this on the WAN inetrface, but pfsense is running on beefy hardware and so far everything seems fine performance wise.

This was a really tricky error to find, so I wanted to make sure others that try and run suricata on a virtualized pfsense have an easier time than me fixing it.

Thanks
Mike

I think I found the problem - I forgot to hit save on one of the tabs.  All good now

The problem seems to have been an extra space that got inserted when I copied and pasted my oink code from the snort website.

Here is the solution I found so far :
Install the mailreport package. Then setup a rule to email (daily email), log extract from system with a following filter criteria : snort[

Problem again came up.

Snort is exiting every few minutes on the same fault message.

Jan 31 12:25:45 SnortStartup[32739]: Snort START for WAN(7152_xn0)... Jan 31 12:25:45 snort[33000]: Could not read appName. Line Snort Differs AppKey paltalkfiletransfer -> paltalkfiletran Jan 31 12:25:57 kernel: xn0: promiscuous mode enabled Jan 31 12:29:23 kernel: pid 43186 (snort), uid 0: exited on signal 11 Jan 31 12:29:23 kernel: xn0: promiscuous mode disabled

I'm so fed up, worked for a few days without any problem and now the same sh… again.  :-X

@ajrg:

@ConfusedUser: Have you opened a bounty thread for this? I'll match your 100 USD bounty, if one exists.

No, I didn't start a bounty thread. But I guess Bill knows my offer won't be an empty promise…

Bill,
Do you want me to open a bounty thread for this feature request?

Suricata 3.0 is the new name for what was formerly called Suricata 2.1-BETA.  It is now in Release Candidate stage (currently on RC3).  There is some information posted about it on the Suricata site, but you have to dig around for the finer details.  Nothing really earth-shattering in terms of new features as compared to the 2.0.x Suricata tree.  The biggest bang in Suricata 3.0 comes from the new support for Netmap.  This allows super high speed packet handling with most major NICs (although Netmap support is network card driver dependent, so not every NIC will support it initially).

Suricata 3.0 will be in pfSense 2.3.  Work is currently in progress to convert the GUI to the new Bootstrap code used in pfSense 2.3.  Once that work is complete, a Suricata 3.0RC3 package (or whatever the current version is) will be released for pfSense.

Bill

No, I don't know if it offers offline updates or not.  You can post in the top-level Packages forum and someone there will chime in.

Bill

Wonderful.  Thank you, Bill. That would be very helpful.

Snort 2.9.8.0 will be along soon.  Working on converting the GUI to Bootstrap, and was trying to get that finished before updating the binary.  If the Bootstrap conversion drags out too long, I can post a Pull Request to update the binary to 2.9.8.0.

As for Suricata, it too is being converted to Bootstrap.  One of the pfSense developers is helping with (actually he is doing) the work.  He also has other responsibilities, and the Suricata conversion is a bit behind schedule.  I have tested Suricata 3.0RC3 and it works in pfSense.  The goal is to release the updated GUI along with the new Suricata 3.0RC3 binary (or whatever is current at the time).  We are also planning to provide the long-awaited inline IPS mode with Suricata 3.0 using Netmap.  I have tested it and it works.  We just need to modify the GUI a bit to provide the necessary configuration fields.  Suricata will sport two IPS/IDS modes:  (1) legacy mode using libpcap and the custom blocking plugin (what it uses today); and (2) true inline IPS mode using Netmap.

Bill

Ah, very helpful.  Thank you, fragged.