- Use emerging threats rules and VRT:
web-client (VRT, ET)
- ET: TROJAN, MALWARE, USER_AGENTS, WORM, WEB_SERVER, ATTACK_RESPONSE, CURRENT_EVENTS, RBN, COMPROMISED, CIARMY, BOTCNC, WEB_CLIENT etc
- VRT: WEB_CLIENT, SPECIFIC_THREATS, WEB-MISC, WEB-IIS if running IIS, SQL rules if have database, botnet-cnc, blacklist, etc
When snort updated on pfsense VRT are reorganising their rules so things like indicator-obfuscation, file-office, PDF etc all will need enabled but for now not available as PFSENSE currently just went into an unsupported snort version (220.127.116.11) but you will receive new rules for ET. Obviously these rules are dependant on what you are protecting but this would provide the basics for common attacks. instead of the CIARMY, RBN rulesets you could use pfblocker (and block countries you don't think would be accessing your servers normally) and then use the LISTS to add these as text:http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
(this is dsield, russian business network, botnet CnCs)http://rules.emergingthreats.net/blockrules/compromised-ips.txthttp://rules.emergingthreats.net/blockrules/rbn-malvertisers-ips.txthttp://www.ciarmy.com/list/ci-badguys.txt
Block both inbound and out and set pfblocker to log. Using these you will block a lot of attacks and combined with geoblocking will also block a lot of malware related activity too without it even being able to connect to the suspicious IP. You could also look at threatstop for this but I think most of the IP addresses are duplicated as they get their botnet control server lists and things from shadowserver too.
I would also not enable blocking in snort till you see what would be blocked by mistake and supress it (unfortunately even though you can enabled/disable rules pfsense currently does not remember those changes after an update but I hope this would be sorted by a kind person who knows how :-D).
On your webservers I would also consider (depending on your webserver) looking into modsecurity (install it on the server and tune it) and ossec. Modsecurity is a web application firewall which can detect all sorts of web attacks and ossec monitors and correlates local log files to detect attacks and can then email you and block the host if need be.