Snort Updating problems !!!
-
@cdx304:
I figured I'd post this here in case people want to update their definitions manually. I used this post but updated the instructions to the current version.
http://forum.pfsense.org/index.php/topic,15464.msg81197.html#msg811971- Download the rules manually by logging to the shell and type this
fetch http://www.snort.org/pub-bin/oinkmaster.cgi/Oinkcode/snortrules-snapshot-2860.tar.gz
2 - Make temp directory and copy rules
mkdir /tmp/temp
cp snortrules-snapshot-2860.tar.gz /tmp/temp
3- extract the file with this command
tar -zxvf /tmp/temp/snortrules-snapshot-2860.tar.gz
4- Find interface name - it will be in a snort_#_interface format
ls /usr/local/etc/snort/
5- copy rules to rules directory
cp tmp/temp/rules/. /usr/local/etc/snort/interfacename/rules
6- Remove temp directory
rm -r /tmp/temp
7 - Restart Snort. This did it for me on a clean install.Hope this helps someone out.
I tried the copy comand and it does not work for me .Everything else worked .
thanks for the help
I ended up having to use this line instead to copy the files. Worked for me, but only an expert can tell me if I actually did it correctly. Still kinda new to all of this. ;)
cp rules/. /usr/local/etc/snort/interfacename/rules
Thanks again JamesDean for everything!! :D
I tried this method and still does not work I hope this package gets fixed beause running my cisco box is getting real old !!
-
any news?
-
When I discovered last week there were some issues with updating. I was doing everything I could to get SNORT to install updates. I even deinstalled an reinstalled the packaged before I checked the fourms and found that others were having issues as well. I am noticing that SNORT is not releasing blocked IP's after 1 hour, which is what I have it set to release blocked offenders. I never had the issue before until after the uninstall and reinstall of the package. I tried the uninstall and reinstall of the package again and get the same results.
Any ideas on what this is about? Has anyone else notice this or have this issue?
Thanks,
Matt
-
Note to my last post. I am only able to run the emerging threats because I can't get an update or download of the SNORT categories or premium scription rules I pay for through VRT. I know you can manaually update, but I have not really had the time to go through the write up posted to doo it. I am just throwing this out there for what it may be worth.
Thanks,
Matt
-
any news forom James? ???
-
Hey guys,
New to this forum, new to PFSense and even new to Linux, but not a noob.
Thankfully I found this thread, I've got PFSense humming along (together with Squid and Lightsquid, BandwidthD etc) and installed Snort last night. Spent AGES trying to get the rules to auto download.
I was convinced I had stuffed something up myself!I'll keep checking this thread for a solution. Hopefully I don't need to manually go copying things from a shell as I wouldn't have a clue and am likely to bugger something up :)
Anyway, fingers crossed there will be a patch soon!
-
Noticed this problem with rules updates, is there a way to manually copy rules, If I download them to my desktop machine where I should put them under PFsense, just copy the stuff in package in /usr/local/etc/snort/rules ? or something else?
-
… is there a way to manually copy rules
…mentioned earlier in this thread.
http://bit.ly/9c29CI
-
Noticed this problem with rules updates, is there a way to manually copy rules, If I download them to my desktop machine where I should put them under PFsense, just copy the stuff in package in /usr/local/etc/snort/rules ? or something else?
Be ok if that would work for me i would not mind that .But in puddy at the last step says that directory does not exsist .Than what do you do !!!!????
-
The last step, 7, says to restart Snort, but I assume you mean something else ?
-
Can someone tell me what file contains the URL download information? I'd like to run snort but I can't get the update.
-
Can someone tell me what file contains the URL download information?
The URL to the file was mentioned earlier in this thread. Check the link in my post 4 posts up.
-
I know what the proper URL is. I am wondering what file inside my pfsense installation needs to be modified in order to automatically update the rules.
-
If you read the thread from the beginning you will know that it is not a simple matter of just changing a URL. If it was the programmer would have already fixed it. It has to do with the way the updates are coming from the cloud. For right now just sit back, relax, update manually, or just use emerging threats, and wait for the programmer to update. On the note of the how-to I will attempt to actually create one this weekend. Just been a little busy at work. Do I need screenshots too?
-
If you read the thread from the beginning you will know that it is not a simple matter of just changing a URL. If it was the programmer would have already fixed it. It has to do with the way the updates are coming from the cloud. For right now just sit back, relax, update manually, or just use emerging threats, and wait for the programmer to update. On the note of the how-to I will attempt to actually create one this weekend. Just been a little busy at work. Do I need screenshots too?
Well the screen shots would be a good idea .I just have no idea what i am doing for the manual updating not to work .I tried it over ten times and gave up and installed my standby software .
-
I had issues initially with the manual update, telling me when I tried to copy the rules after extraction.
The third go I had at it seemed to work, didn't think I did anything different, however the instructions on the first page do work as I have the SNORT ruleset available.
And a restart was definitely required.Screenies would be cool Rune, I've got mine figured out (the manual update process, not SNORT as it's not working for me yet), but for those who struggle it will be a great help seeing the commands typed out in a screenshot.
(kinda funny as it's all text based so it's a screenshot of text of what you already mentioned) -
Having same problem. Searched and found instructions for manually updating the rules file.
Wrote shell script and set cron job to run script; looks ok so far.
The instructions for manual update (like extracting from the .tar.gz file) came from the forum.Here's the shell script:
#!/bin/sh
cd /var/tmp
fetch -l http://www.snort.org/pub-bin/oinkmaster.cgi/[youroinkmastercodehere]/snortrules-snapshot-2860.tar.gz
tar -zxvf snortrules-snapshot-2860.tar.gz -C /usr/local/etc/snort/ rules/
/usr/local/etc/rc.d/snort.sh reloadNOTES:
- replace the brackets [] and 'youroinkmastercodehere' with your oinkmastercode from snort.org
- make sure the snortrules-snapshot-2860.tar.gz matches your pfsense snort package (Services –> Snort) shows version at top of screen
- save the shell script somewhere on your server and name it snortrules.sh (like /home/scripts/snortrules.sh)
- chmod 755 snortrules.sh to make executable
- set a cronjob to run the script (Ex: 12:05 daily 5 0 * * * /home/scripts/snortrules.sh)
This is a quick-and-dirty script; feel free to modify it. I don't know if you need to remove the old rules before the new ones are extracted to the rules directory; right now, I'm just overwriting them. You could have the script copy the rules to a backup directory name with the backup date, in case the new rules break anything. You could also have the cronjob or script dump to a log file to inspect results afterward.
-
The information below is only tested for Snort 2.8.6 pkg v. 1.27 on Pfsense 1.2.3-RELEASE
The script below is downloading the rules to /usr/local/etc/snort/rules , but the updates also needed to be copied
into the rules subdirectory for each interface.
This is, because snort is keeping a ruleset for each interface snort is running on.
If You look at /usr/local/etc/snort You should find some directories like :
snort_59369_le1 or something like that. Inside that directory, there is another rules directory -
and those rules are actually used for that particular interface.So - please find the new Shellscript below …
Here's the shell script:
#!/bin/sh
cd /var/tmpget the update
fetch -l http://www.snort.org/pub-bin/oinkmaster.cgi/[youroinkmastercodehere]/snortrules-snapshot-2860.tar.gz
unpack the update
tar -zxvf snortrules-snapshot-2860.tar.gz -C /usr/local/etc/snort/ rules/
copy the rules to each interface snort is using
cp /usr/local/etc/snort/rules/. /usr/local/etc/snort/[yourinterface1directory]/rules/
#cp /usr/local/etc/snort/rules/. /usr/local/etc/snort/[yourinterface2directory]/rules/
#cp /usr/local/etc/snort/rules/. /usr/local/etc/snort/[yourinterface3directory]/rules/repeat that for each interface You are using
reload snort to use the new rules
/usr/local/etc/rc.d/snort.sh reload
END
NOTES:
- replace the brackets [] and 'youroinkmastercodehere' with your oinkmastercode from snort.org
- replace the [yourinterface<n>directory] with the directories for each of Your interfaces using snort.
You may find it like that :
cd /usr/local/etc/snort
ls -l
there should be one directory for each interface snort is used with, the name is something like snort_59369_le1 - make sure the snortrules-snapshot-2860.tar.gz matches your pfsense snort package (Services –> Snort) shows version at top of screen
- save the shell script somewhere on your server and name it snortrules.sh (like /home/scripts/snortrules.sh)
- chmod 755 snortrules.sh to make executable
- set a cronjob to run the script (Ex: 12:05 daily 5 0 * * * /home/scripts/snortrules.sh)
You may set the crontab with crontab -e what will invoke vi
for those who are not familiar with the vi editor, You may edit crontab like that :
ee /etc/crontab
You may find some information how to make crontab entries on the web. - please be noted that all Your changes to the old Rule Files (Enabling/Disabling a single SID) are lost !
best regards from Vienna, Austria
Ing. Robert Nowotny
Rotek GmbH</n> -
Dear James,
I understand completely - but why dont just release a quick patch -
You may create a shellscript on the fly and use it to download the updates out of Your php scripts.
I guess that would be very easy and dont leave Your less experienced users out in the rain with that update mess.
and after time passes by You can release Your new, shiny version …yours sincerely
and greetings from Vienna / Austria
Ing. Robert Nowotny
Rotek GmbHI wish it was as easy as pointing to a url.
url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here="">/ <filename>The file you get from that url you posted redirects to a https server.
Users on the snort.org mail-lists are having trouble with that redirect.
Suggested fix is to install a perl mod that understands https.
I am trying to avoid using Oinkmaster perl script.I'm trying to do this in pure php script.
While I am hear might as well rewrite the whole "update tab" to include snort GUI updates to.
I been wanting to do this for a long time, I guess this is a good thing for us.James</filename></oinkcode>
-
Dear James,
beeing a newbie in pfsense and snort (but not a newbie in scripting) i am a bit disappointed about the update procedures on snort rules.
I have not seen Your updatescript in action, because it is broken since some weeks now, but I think it simply overwrites the old rules, right ?
So, changes that the user have made (enable / disable some rules by SID) are lost. Right ?This is not very practical - guess I want to use (and update) the emerging.policy-rules, but i want to use Skype -
in that case I would need to disable the SID´s for Skype after every Update …I guess it would be easy to check if one particular rule is ON/OFF in the current rulefile, before updating to the new rule file, and transfer that state to the new rulefile. After that You might check the new rulefile for new / deleted / changed rules and put that to the update logfile.
Maybe You can consider a better method in new versions, You may get some ideas from the pulledpork project http://code.google.com/p/pulledpork/ what offers more functionality then the oinkmaster original code.
on the wishlist would be :
- the Rules (by IDS) Enabled/Disabled state should be preserved on updates
- Automatic rule downloads using Oinkcode (of course)
- MD5 verification prior to downloading new rulesets (do not download if nothing has changed … )
- Full handling of Shared Object (SO) rules
- Generation of so_rule stub files
- Update Log File should indicate : New Rules / Deleted Rules / Changed Rules
If I find some time I might write some shellscripts to realize SOME of that functionality and share it.
Yours sincerely
Ing. Robert Nowotny
Rotek GmbH
Vienna / Austria