Netgate Discussion Forum
    can't update rules suricata

NollipfSense @ezvink

@ezvink Why are you using pfSense 2.5 and not the 2.6 version?

      pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
      pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

ezvink @NollipfSense

        @nollipfsense does it affect?

ezvink @bmeeks

          @bmeeks please help me sir

SteveITS @ezvink

            @ezvink Is DNS working in Diagnostics/DNS Lookup? Have you tried restarting the DNS Resolver service, or your router?

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

bmeeks @ezvink

              @ezvink said in can't update rules suricata:

              @bmeeks please help me sir

              Uncheck "Use a custom URL for ETOpen downloads". That is not generally required. That option is only for those users who maintain their own custom rules repository.

              You have a conflict enabled. You have two settings attempting to download the same rules from the same place. You have checked the box to download the ET Open rules (which is correct), but then you also checked to use a custom URL for the same rules. Why?

              Secondly, as I mentioned way back up in my original reply to this thread, your DNS setup appears to be incorrect as curl on pfSense is not able to resolve the IP address for the hostname of the rules archive. It states in the error log that the name resolution timed out.

ezvink @bmeeks

@bmeeks I followed the tutorial for the Suricata installation that is on YouTube. If the tutorial is wrong, do you have the correct tutorial?

ezvink

I'm sorry, my friend, I don't really understand how to install Suricata. I just used Suricata when I had my final college assignment related to Suricata; I only know tutorials on YouTube, the rest I don't know. So does anyone have a link for the correct tutorial for installing Suricata on pfSense?

ezvink

Please help me, sir.
My final trial is 2 months away.

bmeeks @ezvink

                      @ezvink said in can't update rules suricata:

                      I'm sorry, my friend, I don't really understand how to install Suricata, I just used Suricata when I had my final college assignment related to Suricata, I only know tutorials on YouTube, the rest I don't know. so does anyone have a link for the correct tutorial for installing suricata on pfsense?

                      I don't know of any specific YouTube tutorials for configuring Suricata on pfSense. I am sure there may be some out there, but how accurate they are in terms of factual steps and information I have no idea.

                      There is some official pfSense documentation for the Snort package here: https://docs.netgate.com/pfsense/en/latest/packages/snort/setup.html. If you simply need to study an IDS/IPS package, maybe Snort will work instead of Suricata.

bmeeks @ezvink

                        @ezvink said in can't update rules suricata:

                        please help me sir,
                        My final trial is 2 months away

                        I'm sorry, but I am not going to do your school assignment for you. And I do not offer one-on-one consultation. You have asked this here and in PMs, and I have given you the same reply in both places. Post specific questions here on the open forum and I or others will try to answer them.

                        The idea of going to school and having project assignments from your instructors is to have you research and "learn" how the subject of the assignment works. It does absolutely nothing for you in the long-term to beg some expert in the field to do your work for you so you can turn it in as your own. You learn nothing in that process.

                        I was an instructor in a technical field for 14 years. I'm sure your instructor would be willing to help you learn about Suricata. That is the point of the class I presume. The point of the class is not to see who can find some random person on the Internet to do their work for them.

ezvink @bmeeks

                          @bmeeks
I'm not asking you to do my job, I'm just asking you to help because I'm having trouble completing my assignment. Sorry if you have the wrong perception about me, but I'm only asking you for help because, from what I see, you help a lot of people on this forum.

ezvink @bmeeks

@bmeeks My job is to compare Snort and Suricata themselves, therefore I have to install both, sir. I'm confused because even the lecturer doesn't know why the package from Suricata can't be installed.

bmeeks @ezvink

                              @ezvink said in can't update rules suricata:

                              @bmeeks
                              I'm not asking you to do my job, I'm just asking you to help because I'm having trouble completing my assignment, sorry if you have the wrong perception about me but I'm only asking you for help because what I see you help a lot of people on this forum

                              Okay, but then quit referencing when your project is due. That makes me think all you are wanting is for me to complete your project for you.

                              I will be glad to help you to the extent I can here on the open forum with solving your installation issue. But I just do not offer one-on-one private consulting. With over 20,000 users of Snort and Suricata on pfSense around the world, I would never get any rest.

bmeeks @ezvink

                                @ezvink said in can't update rules suricata:

                                @bmeeks my job is to compare between snort and suricata itself, therefore i have to install both sir. I'm confused because even the lecturer doesn't know why the package from Suricata can't be installed.

                                Let's go back to the beginning. Your first post had a log entry, and that log entry indicated DNS issues resolving the Emerging Threats Open URL.

So let's start by going to the GLOBAL SETTINGS tab and unchecking the "Use a custom URL for ETOpen rules" checkbox and saving that change. Do check the box to the left of that one that says "ETOpen is a free open source set of ....".

                                Now go to the UPDATES tab and force an update. If that is not successful, then post back here the output of the log as you did in the very first post above. We can proceed from there.

                                The base URL is this: rules.emergingthreats.net. Make sure that URL resolves for you to an IP address. You can test this on the DIAGNOSTICS > DNS LOOKUP tab on pfSense. If that does not come back with two or more IP addresses, then you must figure out what is wrong with your DNS configuration, because that must work properly in order for Suricata to find and download the rules packages.

                                Go back and look at the rules update log messages you posted on April 28. Notice that in two places in that log this message is printed:

                                ...Resolving timed out after 10014 milliseconds
                                ...Resolving timed out after 10020 milliseconds
                                

                                Those messages strongly indicate to me that either DNS is not working, or the pfSense machine you are testing on did not have Internet access at the time.

ezvink

                                  b4929bb1-6d35-431d-8bb0-d6849677e184-image.png
                                  a4ed1f06-02de-4114-b3f1-d882f363ba44-image.png

This is the result, sir; it still fails.

ezvink @bmeeks

                                    @bmeeks 85424433-3ae0-41c9-8e1d-4ba88002e2a0-image.png

This is the display of the Diagnostics DNS Lookup, sir; there are 2 IPs that appear.

bmeeks

                                      You are still having DNS issues. Notice in the update log snippet it says it waited over 10,000 milliseconds for a response and timed out. That means it waited 10 seconds for DNS to resolve the URL to an IP, then it timed out and gave up. So without DNS working correctly, you can't download rules.

                                      Your DNS Lookup result:
                                      @ezvink said in can't update rules suricata:

                                      85424433-3ae0-41c9-8e1d-4ba88002e2a0-image.png

                                      Examine the output from the DNS Lookup screen from DIAGNOSTIC > DNS LOOKUP:

                                      Notice that the lookup first went to 127.0.0.1 (which would typically be unbound running on the firewall itself), and that lookup timed out. The Query Time column says "No response".

                                      What is that second IP listed in your screenshot (the 192.168.18.1)? It resolved in 46 mSecs.

                                      Here is the same command when run from my firewall:

                                      dns_lookup_test.png

                                      Notice that only a single Name Server was tried on my system, 127.0.0.1. That's what I would expect to have happened on your system as well. That loopback address represents the local DNS Resolver service on my firewall.

                                      What do you have under SYSTEM > GENERAL SETUP in the DNS Settings section? This is what a typical out-of-the-box default setup should look like:

                                      dns_server_settings.png

I would normally expect the curl utility that is used by the Suricata package to download rules packages to wait long enough for that second DNS lookup to succeed. But maybe not? That's something under the control of that utility. All the Suricata package does is use the PHP system calls to download the file from the URL. The DNS configuration on your firewall is not optimized. The firewall is first trying to ask the local unbound service (or possibly dnsmasq if you are using the DNS Forwarder instead of the DNS Resolver) for the lookup, and that lookup is timing out. Then it tried that 192.168.18.1 IP and that one worked. Maybe by then the PHP curl process had given up, though.

ezvink @bmeeks
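As an added example (not code from the thread or from the Suricata package), a small Python triage helper that does what the reasoning above does by hand: it pulls the "Resolving timed out" figures out of the rules update log, reads the Diagnostics > DNS Lookup rows, and estimates whether the working name server could only have answered after curl's resolve budget was already spent. The sample log excerpt and lookup rows are constructed to match the thread, and the 10 s per-server wait is an assumed parameter, not a value the thread states.

```python
import re

# Constructed rules-update log excerpt; the "Resolving timed out" lines use the
# wording quoted in the thread.
SAMPLE_UPDATE_LOG = """\
Downloading Emerging Threats Open rules md5 file...
Rules download error: Resolving timed out after 10014 milliseconds
Downloading Emerging Threats Open rules file...
Rules download error: Resolving timed out after 10020 milliseconds
"""
# Constructed rows shaped like the Diagnostics > DNS Lookup table
# (name server, query time), matching what the thread's screenshot showed.
SAMPLE_LOOKUP_ROWS = [("127.0.0.1", "No response"), ("192.168.18.1", "46 msec")]

TIMEOUT_RE = re.compile(r"Resolving timed out after (\d+) milliseconds")
QUERY_TIME_RE = re.compile(r"(\d+)\s*msec")

def resolve_timeouts_ms(log_text):
    """Per-attempt DNS resolution timeouts (ms) that curl reported in the log."""
    return [int(m.group(1)) for m in TIMEOUT_RE.finditer(log_text)]

def query_time_ms(cell):
    """Parse a DNS Lookup 'Query Time' cell; None means the server never answered."""
    m = QUERY_TIME_RE.search(cell)
    return int(m.group(1)) if m else None

def diagnose(log_text, lookup_rows, per_server_wait_ms=10000):
    """Correlate update-log timeouts with DNS Lookup rows. per_server_wait_ms is an
    assumed figure for how long the resolver waits on a silent server before
    moving on to the next one (the thread does not state the real value)."""
    timeouts = resolve_timeouts_ms(log_text)
    dead, first_answer_ms, waited = [], None, 0
    for server, cell in lookup_rows:
        t = query_time_ms(cell)
        if t is None:
            dead.append(server)
            waited += per_server_wait_ms  # time burned before the next server is asked
        elif first_answer_ms is None:
            first_answer_ms = waited + t  # wall time until the first usable answer
    budget = min(timeouts) if timeouts else None  # curl gave up after this many ms
    late = budget is not None and first_answer_ms is not None and first_answer_ms > budget
    return {
        "dead_servers": dead,
        "first_answer_ms": first_answer_ms,
        "curl_budget_ms": budget,
        "answer_after_budget": late,  # the working server answered only after curl quit
        "verdict": "dns" if timeouts or dead else "ok",
    }
```

A "dns" verdict with a non-empty dead_servers list points at the local resolver (127.0.0.1 here) rather than at Suricata, which is the conclusion the thread reaches.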

                                        @bmeeks Then what should I do, sir?

bmeeks @ezvink

                                          @ezvink said in can't update rules suricata:

                                          @bmeeks Then what should I do, sir?

                                          Troubleshoot your DNS. That's where your problem is. You need to determine why 127.0.0.1 is returning "No response" when querying.

                                          That's the best I can offer you for now. This is not a Suricata problem. It is a DNS resolution/configuration problem on your firewall. Examine the system log and see if unbound is displaying any errors, or if it is frequently restarting, or not running at all.

                                          For starters, return all the DNS configuration on the firewall to its defaults. Or even better, reinstall pfSense from scratch and DO NOT change any of the defaults related to DNS -- nothing. Do not put any IP addresses in any text box anywhere related to DNS settings. In that setup, unbound will auto-start when the firewall boots and it will operate as a resolver. That's what you want. Something you changed on your firewall has caused DNS lookups to malfunction/timeout. You need to find out what that is and correct it.

SteveITS @ezvink

@ezvink As I wrote above, “Have you tried restarting the DNS Resolver service, or your router?”


                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.