1  pfSense English Support / Packages / Re: SNORT is driving me crazy......!! on: January 04, 2013, 08:10:02 pm
Hmm maybe something to do with not being able to use that much RAM if it is 32 bit or some other weirdness. Did you install snort before or after you upgraded RAM? Also did you install pfsense before or after you upgraded RAM too?

I am not sure what the issue is because it doesn't sound like a config issue. If this is production - especially if you are publishing important servers - you are best keeping things as simple as possible on the box so there is less to go wrong, and then if need be split out your intrusion detection with Snort or Suricata onto another box with a mirrored port. Sure you won't block unless you put it inline, but you can log all you want and if you have disk space do a full packet capture for as much disk space as you have. Keeping snort separate will allow better control, better performance and also allow you to extract more information.


Went back to 2GB on the same VM and Snort works no issues.....

This is driving me crazy! I firmly believe that it's time to go back to basics regarding Pfsense.

It's like it's over their head in this... one little mod, and it breaks 10 other things...
2  pfSense English Support / Packages / Re: SNORT is driving me crazy......!! on: January 04, 2013, 02:53:57 pm
Oh and can you run the following commands and put the output in a post please?

# Run this and when it errors and stops, paste in the last few lines that show the reason
snort -i YOUR_INTERFACE -c /usr/local/etc/snort/snort_YOUR_FOLDER_FOR_INTERFACE/snort.conf -A console

# To show the snort version.
snort -V

# Also can you attach the snort.conf file that will be autogenerated and go here (there shouldn't be anything too specific to your environment I don't think, but before you upload it search for var $HOME_NET and change everything to say OMITTED so we know they have been removed instead of the list of IPs, and also do the same for any other IPs you may have entered for these variables in the variables tab in the GUI):
/usr/local/etc/snort/snort_YOUR_FOLDER_FOR_INTERFACE/snort.conf

Thanks,
Kevin
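An added example of the redaction step asked for above (it is not part of the forum post): a POSIX sh/awk script that blanks the values of HOME_NET and the other environment-specific variables in a pfSense-generated snort.conf, then counts any IPv4 literals left behind as a final check. The list of variable names to scrub is an assumption, as is the sample config, which is constructed here from RFC 5737 documentation addresses rather than taken from a real box.

```shell
#!/bin/sh
# Added example, not from the forum post. Redacts site-specific values from a
# Snort 2.9 snort.conf before it is attached to a support thread.
# Assumption: the variables worth scrubbing are the ones listed below; extend
# REDACT_VARS with whatever else the pfSense variables tab sets on your box.
REDACT_VARS='HOME_NET EXTERNAL_NET DNS_SERVERS SMTP_SERVERS HTTP_SERVERS SQL_SERVERS'

# redact_snort_conf FILE
#   Prints FILE with the value of every "var NAME ..." or "ipvar NAME ..." line
#   whose NAME is in REDACT_VARS replaced by the single word OMITTED.
redact_snort_conf() {
    awk -v vars="$REDACT_VARS" '
    BEGIN { n = split(vars, v, " "); for (i = 1; i <= n; i++) scrub[v[i]] = 1 }
    $1 ~ /^(ip)?var$/ && ($2 in scrub) { print $1, $2, "OMITTED"; next }
    { print }
    ' "$1"
}

# count_leaked_ips FILE
#   Prints how many IPv4 literals remain in FILE; a final sanity check, since
#   addresses can also appear in preprocessor or rule lines the GUI writes.
count_leaked_ips() {
    grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' "$1" | wc -l | tr -d ' '
}

# Demo on a constructed config (RFC 5737 documentation addresses, not real ones).
demo_dir=$(mktemp -d)
cat > "$demo_dir/snort.conf" <<'EOF'
# constructed sample, not a real pfSense-generated file
ipvar HOME_NET [192.0.2.0/24,198.51.100.5]
ipvar EXTERNAL_NET !$HOME_NET
ipvar DNS_SERVERS 192.0.2.53
portvar HTTP_PORTS [80,8080]
preprocessor stream5_global: track_tcp yes
EOF
redact_snort_conf "$demo_dir/snort.conf" > "$demo_dir/snort.conf.redacted"
echo "IPv4 literals left after redaction: $(count_leaked_ips "$demo_dir/snort.conf.redacted")"
rm -rf "$demo_dir"
```

Run it as `redact_snort_conf /usr/local/etc/snort/snort_YOUR_FOLDER_FOR_INTERFACE/snort.conf > snort.conf.redacted` and only attach the redacted copy once `count_leaked_ips` reports 0; if it does not, the remaining addresses are somewhere other than the var lines and need a manual look.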
3  pfSense English Support / Packages / Re: SNORT is driving me crazy......!! on: January 04, 2013, 02:46:56 pm
Never seen this or even a custom.rules. Are you using the main snort in the package list or the development version? Also have a look at your rule options in the GUI and see if a custom.rules exists and if it does untick it. Another thing is to make sure in the pre-processor tab you have everything enabled aside from performance and portscan one due to false positives (The sensitive data may not interest you either unless you are protecting databases of credit card numbers although I think you can do more with it).

You don't want to go back to TMG as unfortunately it is a dead product (as in you can't buy it apparently after the start of December 2012, although I haven't tried to). Makes a decent reverse proxy though if you have other firewalls in the way. If you are looking at having pfsense as a reverse proxy consider using pfblocker to block inbound traffic from countries you do not think would likely access your published servers; you could also set it to create the alias only and then make your own firewall rules to say for instance block all traffic from Eastern Europe to these servers (in another alias) and so on.

Also try the apache & modsecurity package to get a web application firewall although I have not used it (typically when I have used modsecurity it has gone on the server with various rules to protect against web application attacks) but you might want to give it a try.

Oh and a few more IP lists I use on mine; there likely will be some IPs or ranges duplicated between them but they are good to use:
http://www.malwaredomainlist.com/hostslist/ip.txt
# Spyware
http://list.iblocklist.com/?list=bt_spyware&fileformat=cidr&archiveformat=gz



snort[44549]: FATAL ERROR: /usr/local/etc/snort/snort_25199_em0/rules/custom.rules(2) Duplicate rule with same gid (1) and no sid. To avoid this, make sure all of your rules define an sid.

The problem is that I don't have any custom rules at all!!

I am going out of my fucking mind here.....I need a guy to monitor this one FW all day....to make sure its running and working. I upgraded the memory in the VM to 4GB and it all went berserk.....

I am so fucking fed up with this shit that I just want to go back to my TMG and just use this as a frontend with port forwards...

It doesn't seem to be up for the job at the moment. "¤%&%¤#¤%&#¤%&!!!!!!!!!!
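The fatal error quoted above is raised when two rules in the same file both lack a sid, so Snort cannot tell them apart. As an added example that is not part of the thread, here is a POSIX sh/awk checker you can run over any .rules file the package has generated (the custom.rules path in the error message is the obvious one) before Snort loads it. It reports rules with no sid option and rules that reuse a gid:sid pair; the sample rules it runs on are constructed for the demo, not taken from any real ruleset.

```shell
#!/bin/sh
# Added example, not from the forum thread. Flags the two conditions behind
# "Duplicate rule with same gid (1) and no sid": rules without a sid option and
# rules that reuse an existing gid:sid. Assumption: one rule per line (Snort's
# backslash line continuation is not joined here).

# check_rule_sids FILE
#   Prints one "FILE:LINE: problem" diagnostic per offending rule; prints
#   nothing for a clean file.
check_rule_sids() {
    awk '
    /^[ \t]*(#|$)/ { next }                       # blank lines and comments
    $1 !~ /^(alert|log|pass|drop|reject|sdrop|activate|dynamic)$/ { next }
    {
        gid = "1"; sid = ""                       # gid defaults to 1 when absent
        if (match($0, /\(.*\)/)) {
            opts = substr($0, RSTART + 1, RLENGTH - 2)
            n = split(opts, o, ";")               # options are ";"-separated
            for (i = 1; i <= n; i++) {
                s = o[i]; sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s)
                if (s ~ /^sid:[ \t]*[0-9]+$/) { sid = s; sub(/^sid:[ \t]*/, "", sid) }
                if (s ~ /^gid:[ \t]*[0-9]+$/) { gid = s; sub(/^gid:[ \t]*/, "", gid) }
            }
        }
        if (sid == "") { printf "%s:%d: missing sid\n", FILENAME, NR; next }
        key = gid ":" sid
        if (key in seen)
            printf "%s:%d: duplicate gid:sid %s (first at line %d)\n", FILENAME, NR, key, seen[key]
        else
            seen[key] = NR
    }' "$1"
}

# Demo on a constructed custom.rules with one missing sid and one reused sid.
demo_dir=$(mktemp -d)
cat > "$demo_dir/custom.rules" <<'EOF'
alert tcp any any -> any 80 (msg:"constructed rule, fine"; sid:1000001; rev:1;)
alert tcp any any -> any 443 (msg:"constructed rule, no sid"; rev:1;)
# a comment line is skipped
alert udp any any -> any 53 (msg:"constructed rule, reuses sid"; sid:1000001; rev:2;)
EOF
check_rule_sids "$demo_dir/custom.rules"
rm -rf "$demo_dir"
```

Against the path from the error message that would be `check_rule_sids /usr/local/etc/snort/snort_25199_em0/rules/custom.rules`; an empty result means the file is not what Snort is complaining about, and a "missing sid" line points straight at the rule to fix or remove.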
4  pfSense English Support / Packages / Re: SNORT is driving me crazy......!! on: January 04, 2013, 09:44:41 am
Oh and in pfblocker you will be much better protected against malware and malicious activity if you use country blocking. Depending on where you are, block countries you don't expect to see traffic from; especially areas where there may be cybercrime. For instance for me it was safe to block South America, most of Eastern Europe, Russia, China and most of Asia as well as Africa and other countries (pretty much everything actually apart from Western Europe, Canada and the US, with no issue).

There can be a few sites and things you may do which need higher access, but at home I can just add my PC into a higher rule or allow access to particular IPs in the firewall as needed (keeping in mind when pfblocker updates it goes above any other rules).
5  pfSense English Support / Packages / Re: SNORT is driving me crazy......!! on: January 04, 2013, 09:37:03 am
In the GUI don't use malware-cnc, malware-other, malware-pup etc., although the blacklist rules and CNC rules are fine in pfsense for the VRT rules, as I think they have introduced rule options which do not have the preprocessor configuring correctly, although I have not looked into it in much depth. To make sure you are covered however use the emergingthreats rules, especially emerging-malware, emerging-trojan, emerging-worm and emerging-current_events.

You can also use emerging-botcc, emerging-rbn etc., although using pfblocker lists with the following IP lists blocking inbound and outbound traffic will accomplish this much better and you won't need to waste cycles for snort just to check IPs.

# Has shadowserver botnet cncs, Russian business network, dshield etc.
http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

# Compromised hosts potentially being used for bad stuff
http://rules.emergingthreats.net/blockrules/compromised-ips.txt

And other useful ones for pfblocker:
http://www.ciarmy.com/list/ci-badguys.txt
https://zeustracker.abuse.ch/blocklist.php?download=ipblocklist
https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist
http://malc0de.com/bl/IP_Blacklist.txt

There are others but this should have you well covered, and if you use pfblocker on the dashboard you can see hits for the IP.

Always have the firewall and pfblocker on the dashboard so you can see blocked hits and also whether any of them are hitting for legitimate sites, but keep an eye on connections from machines in case of infection, as if a connection can't be established to the CnC, snort rules that may exist won't highlight it; obviously it is best to cut off all communication with the bad guys.

Hope that helps.
Kind Regards,
Kevin

6  pfSense English Support / Packages / Re: Get Snort Alerts out of pfSense for email alerting? on: July 31, 2012, 08:29:28 am
Use unified2 and barnyard in Snort package to write it off to an external database and use snorby (snorby.org) to email you reports.
7  pfSense English Support / Packages / Re: Snort detects IPv6 Frag attack on: July 09, 2012, 03:05:21 pm
Do you have a PCAP you can share of the traffic? If the source is "good" then it is likely a false positive though.

So it could simply be that someone on my LAN is trying to use IPv6 services?
8  pfSense English Support / Packages / New Snort Package - Issues & Suggested Fixes on: June 11, 2012, 03:00:20 pm
Hi,

First of all thanks for updating the package and the great job of providing this functionality.

For reference this is the Snort version installed:

   ,,_     -*> Snort! <*-
  o"  )~   Version 2.9.2.3 IPv6 GRE (Build 205) FreeBSD
   ''''    By Martin Roesch & The Snort Team: http://www.snort.org/snort/snort-team
           Copyright (C) 1998-2012 Sourcefire, Inc., et al.
           Using libpcap version 1.1.1
           Using PCRE version: 8.30 2012-02-04
           Using ZLIB version: 1.2.3

1) It isn't updating the latest snort rules even with a subscription oinkcode. I am not sure where the pulledpork/oinkmaster configuration file is but I think you need to point it at the 2.9.2.3 rules. New rules and new rules files such as INDICATOR_OBFUSCATION by VRT are not available.

2) Javascript deobfuscation should be enabled in the HTTP preprocessor. Not really an issue but something worthwhile doing as it helps to remove obfuscation layers on potential web client/malware type attacks: http://blog.snort.org/2012/01/snort-2920-javascript-normalization.html. It is just a normalize_javascript added to the HTTP preprocessor as shown in the previous blog, yet the returns are so great.

3) ERROR: ByteExtract variable '^Authorization\x3A\s*Basic[ \t]+' in rule [3:13308] is used before it is defined.
Fatal Error, Quitting..

I don't even have this rule enabled, yet it appears to be causing issues loading the shared object rules (in fact I have disabled all shared object rules): WEB-MISC Apache HTTP server auth_ldap logging function format string vulnerability

include $RULE_PATH/emerging-attack_response.rules
include $RULE_PATH/emerging-current_events.rules
include $RULE_PATH/emerging-info.rules
include $RULE_PATH/emerging-malware.rules
include $RULE_PATH/emerging-netbios.rules
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/emerging-shellcode.rules
include $RULE_PATH/emerging-trojan.rules
include $RULE_PATH/emerging-user_agents.rules
include $RULE_PATH/emerging-web_client.rules
include $RULE_PATH/emerging-worm.rules
include $RULE_PATH/snort_attack-responses.rules
include $RULE_PATH/snort_backdoor.rules
include $RULE_PATH/snort_bad-traffic.rules
include $RULE_PATH/snort_blacklist.rules
include $RULE_PATH/snort_botnet-cnc.rules
include $RULE_PATH/snort_exploit.rules
include $RULE_PATH/snort_file-identify.rules
include $RULE_PATH/snort_netbios.rules
include $RULE_PATH/snort_rpc.rules
include $RULE_PATH/snort_rservices.rules
include $RULE_PATH/snort_specific-threats.rules
include $RULE_PATH/snort_spyware-put.rules
include $RULE_PATH/snort_web-activex.rules
include $RULE_PATH/snort_web-client.rules
include $RULE_PATH/snort_x11.rules

Thank you again for providing this pfsense package.

Kindest Regards,
Kevin Ross
9  pfSense English Support / Packages / Re: PfSense Snort for Dummies? on: May 15, 2012, 06:06:30 am
Snort VRT updates will not currently work until the pfsense snort package is updated from 2.9.0.5 as it is end of life which means no more new rules. Try using the ET ones only and see how you get on. You may be able to download older rules.

Is there a help section for first-time Snort users?  I am using (embedded) 2.0.1-RELEASE (amd64) of PfSense.  I installed the Snort package and obtained and inserted the Oink Code but my rules won't update.  The Snort code registration says something about going to urls to register/configure but I don't know the correct PfSense filename to insert.  The only PfSense "tutorial" I have found on Snort is not really a tutorial (it is just Snort screen snapshots) and shows an out-of-date version of Snort.

10  pfSense English Support / Packages / Re: pfBlocker on: May 03, 2012, 04:37:09 am
Oh and on these lists always set to log, just like any countries you block. This makes it easier to identify blocked badness but also to determine if something isn't working because of a blocklist (i.e. I couldn't get to cuckoobox.org because the site was in a country I had blocked at the time, and I saw in the logs blocked SYN packets trying to get to it).
11  pfSense English Support / Packages / Re: Malware List on: May 03, 2012, 04:31:30 am
I also use the following and they seem fine:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this blocks known Russian Business Network, shadowserver command and control servers, DShield and spamhaus).
http://rules.emergingthreats.net/blockrules/compromised-ips.txt (compromised hosts doing nastiness)

If you choose one try the top one. Static blacklists are useful but many setups are moving towards a more scored reputation rating for domains, IPs etc.

http://www.damballa.com/downloads/r_pubs/WP_Blacklists_Dynamic_Reputation.pdf
http://www.damballa.com/solutions/damballa_firstalert.php

Here are the Malware Lists that I've found to be safe to use.
(This is after testing half a dozen other lists that would blacklist urls for stupid reasons.)

I put the addresses in pfBlocker list section and let them update hourly. You may prefer less freq updates.

This one is from Malware Domain List. I began testing it in February against known 0day threats.
At this point I have a lot of confidence in it.
http://www.malwaredomainlist.com/hostslist/ip.txt

I also have two botnet lists that I've been running for a month or so.
http://www.abuse.ch/zeustracker/blocklist.php?download=ipblocklist
https://spyeyetracker.abuse.ch/blocklist.php?download=ipblocklist

There are other lists I'm evaluating but am not comfortable releasing them as yet.
12  pfSense English Support / Packages / Re: Snort Rule-Recategorization on: April 13, 2012, 03:41:27 am
Snort on pfsense is currently 2.9.0.5 which is now end of life. You will still get emergingthreats rules but until someone updates the snort package to ideally 2.9.2.2 you won't receive any new VRT rules I am afraid.
13  pfSense English Support / Packages / Re: Snort filtering Tor exit node traffic, configuration help/advise on: April 13, 2012, 03:38:49 am
You can use the suppress tab to filter the alerts and I would disable the ET-DROP, ET-TOR rules etc. You could use pfblocker and lists like emerging-blocklist and compromised etc. .txt files in emergingthreats (firewall and block rules). You could set these to block outbound, inbound or both. Install pfblocker and enable these in the lists as .txt:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this is DShield, Russian Business Network, botnet CnCs)
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
http://www.ciarmy.com/list/ci-badguys.txt
14  pfSense English Support / Packages / Re: sn0rt: what are 'good' rulesets to enable in the category tab? pls help. on: April 13, 2012, 03:33:42 am
- Use emerging threats rules and VRT:
web-client (VRT, ET)
- ET: TROJAN, MALWARE, USER_AGENTS, WORM, WEB_SERVER, ATTACK_RESPONSE, CURRENT_EVENTS, RBN, COMPROMISED, CIARMY, BOTCNC, WEB_CLIENT etc
- VRT: WEB_CLIENT, SPECIFIC_THREATS, WEB-MISC, WEB-IIS if running IIS, SQL rules if have database, botnet-cnc, blacklist, etc

When snort is updated on pfsense, VRT are reorganising their rules so things like indicator-obfuscation, file-office, PDF etc. will all need to be enabled, but for now they are not available as pfsense currently just went into an unsupported snort version (2.9.0.5); you will still receive new rules for ET. Obviously these rules are dependent on what you are protecting but this would provide the basics for common attacks. Instead of the CIARMY, RBN rulesets you could use pfblocker (and block countries you don't think would be accessing your servers normally) and then use the LISTS to add these as text:

http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt (this is DShield, Russian Business Network, botnet CnCs)
http://rules.emergingthreats.net/blockrules/compromised-ips.txt
http://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txt
http://www.ciarmy.com/list/ci-badguys.txt

Block both inbound and out and set pfblocker to log. Using these you will block a lot of attacks and combined with geoblocking will also block a lot of malware related activity too without it even being able to connect to the suspicious IP. You could also look at threatstop for this but I think most of the IP addresses are duplicated as they get their botnet control server lists and things from shadowserver too.

I would also not enable blocking in snort till you see what would be blocked by mistake and suppress it (unfortunately even though you can enable/disable rules, pfsense currently does not remember those changes after an update, but I hope this would be sorted by a kind person who knows how :-D).

On your webservers I would also consider (depending on your webserver) looking into modsecurity (install it on the server and tune it) and ossec. Modsecurity is a web application firewall which can detect all sorts of web attacks and ossec monitors and correlates local log files to detect attacks and can then email you and block the host if need be.

Regards,
Kev
15  pfSense English Support / Packages / Snort 2.9.0.5 EOL on: March 27, 2012, 06:08:18 pm
FYI, as you can see in today's update http://www.snort.org/vrt/docs/ruleset_changelogs/changes-2012-03-27.html there are now no snort 2.9.0.5 updates as it is end of life. Would it be possible to update snort to 2.9.2.2 or something supported? If so, there are other preprocessors to look at, but also in the http_inspect preprocessor there is now JavaScript deobfuscation. :-D

Thanks.
Kindest Regards,
Kevin