See if disabling the stream-events.rules ruleset helps. The web forum had some references about that being incompatible with the pfSense implementation. If memory serves, it's because Snort/Suricata see copies of packets not the actual stream so they are often processed out of order.
When I looked a while back it seemed like Snort and Suricata were similar, but Snort was single-threaded and Suricata could multi-thread.

https://github.com/Snorby/snorby/wiki/Snort-vs-Suricata-vs-Sagan
http://wiki.aanval.com/wiki/Snort_vs_Suricata

--
Steve Yates
ITS, Inc.

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Daniel Eschner
Sent: Sunday, June 12, 2016 1:57 PM
To: pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: [pfSense] Snort or Suricata

Hi there,

I installed Snort and let it run with the Snort Community Rules and ET Rules. I get tons of false positive alerts. Maybe Suricata is better? What are the differences?

It seems that only the ET rules have no or very few false positives.

Cheers
Daniel

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold