Snort Updating problems !!!
-
rnowotny
I understand what you are saying on a lot of your post. I agree with most statements on the rules and there are better ways to make sure rules are enabled and disabled after updates. These are all the same issues that others are dealing with. James Dean picked up on the SNORT project when no one else did, he also has contributed endless hours to the programming and online forums. SNORT is getting better and better. I realize you may mean no harm, but your wording is kind of blunt!!! Different people online are going to take your words differently from others. Statements like posting scripts online so some rookies may use it is not what I would call appropriate commits. The fact that anyone on these forums and using pfsense says to me that hey, no one here is really a rookie.
Take Care,
Matt
-
Hello,
I use Pfsense V1.2.3-RC1 and I have installed the package: Snort 2.8.6 pkg v. 1.27
I have found a bug: to update the rules, the file name of the rules has changed since 10 June 2010.
The file name is now:
snortrules-snapshot-2860.tar.gz
Example for snort 2.8.6.0:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/XXXXXXXXXXXXXX/snortrules-snapshot-2860.tar.gz
Important Note from SNORT website:
We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be responsible for downloading the correct rules release for your version of Snort. The new versioning mechanism will require a four digit version in the file name.
Please James, can you update the package?
Best regards
-
Where is the file : oinkmaster.conf on pfsense vers: 1.2.21 ??
-
Please check this post, it is a quick and dirty workaround until the new version is avail :
http://forum.pfsense.org/index.php/topic,26382.msg139375.html#msg139375
-
hi,
OK, thank you, but I have already read this post. I would like to know if an official update of this package will be done or not?
best regards.
-
Well they're tricky guys there at Sourcefire. There were a couple things wrong with the rule downloads:
1. The URL changed.
2. They now redirect you to an Amazon s3 URL to get the actual rules
3. The Amazon url is HTTPS.

So I fixed the URL, changed a redirect option, and I had to disable cURL's SSL validation, but now the rules download for me.
The new package version is up now, give it a try and see if it works.
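
The file-name change and the HTTP-to-HTTPS redirect discussed in this thread, as an added example that is not part of any post or of the pfSense Snort package: it derives the four-digit snapshot name from the Snort version and fetches it with redirects limited to HTTPS and certificate validation left on. The function names, the CA bundle path and the restriction to single-digit version components are assumptions.

```shell
#!/bin/sh
# Added example, not the package's code. Function names are hypothetical.

# Map a Snort version (2.8.6 or 2.8.6.0) to the four-digit snapshot file name.
rules_filename() {
    ver=$1
    # Pad a three-part version with a trailing .0 (2.8.6 -> 2.8.6.0).
    case $ver in
        [0-9].[0-9].[0-9]) ver="$ver.0" ;;
    esac
    # Assumption: every component is one digit; anything else is rejected.
    case $ver in
        [0-9].[0-9].[0-9].[0-9]) ;;
        *) echo "unsupported Snort version: $1" >&2; return 1 ;;
    esac
    digits=$(printf '%s' "$ver" | tr -d '.')
    printf 'snortrules-snapshot-%s.tar.gz\n' "$digits"
}

# Build the download URL in the form quoted in the thread.
rules_url() {
    oinkcode=$1
    file=$(rules_filename "$2") || return 1
    printf 'http://www.snort.org/pub-bin/oinkmaster.cgi/%s/%s\n' "$oinkcode" "$file"
}

# Fetch the archive: follow the redirect, let it land only on HTTPS, and
# validate the server certificate against a CA bundle.
fetch_rules() {
    url=$(rules_url "$1" "$2") || return 1
    ca_bundle=${3:-/usr/local/share/certs/ca-root-nss.crt}  # assumed path
    out=${4:-/tmp/$(rules_filename "$2")}
    curl --fail --silent --show-error --location \
         --proto-redir =https --cacert "$ca_bundle" \
         --output "$out" "$url" || return 1
    # Reject anything that is not a readable gzip tarball (e.g. an HTML error page).
    tar -tzf "$out" >/dev/null 2>&1 || { rm -f "$out"; return 1; }
    printf '%s\n' "$out"
}
```

`fetch_rules OINKCODE 2.8.6.0` prints the path of the downloaded archive on success; only the two name-building functions run without network access.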
-
Giving it a try now. Will post back soon!
Update:
Seems to be working just fine - Rules updated and Snort running. Thanks jimp!!!
-
I tried it on all 3 of my pfSense boxes and is working fine. Thanks again Jim!
-Jason
-
Looking good here!
Many thanks…
-
I uninstalled the old package, installed the new one and updated it with no problem. Did a port scan test and all is working (fingers crossed). ;D
-
Question for those brave people that updated (no going back) :)
Premium rules or basic rules?
Hoping people have tested both…
-
I used the subscribed rules and everything is working great over here
-
Basic working fine for me.
-
Thanks for the feedback! I'll give it a whirl…
-
Thanks Jimp.
Snort now updates and works fine. (with Basic rules)
-
The updates are working fine now when I manually click update button, the version info states it is still package v 1.27 when it is actually 1.30.
Also, there is still that issue with rules getting enabled after updates. This is starting to become a pain. I know that this was discussed before and not sure if there is a fix.
I have a lot of rules that need to be disabled in certain categories I have to run, but every time I get updates, it will enable the rules I disabled. Also it appears that the systems I am running are not getting updates automatically on the set time frame. I have a premium VRT license and currently running 8 PFsense boxes that all have the same issue.
Thanks for any help.
-
@darklogic82:
The updates are working fine now when I manually click update button, the version info states it is still package v 1.27 when it is actually 1.30.
Also, there is still that issue with rules getting enabled after updates. This is starting to become a pain. I know that this was discussed before and not sure if there is a fix.
I have a lot of rules that need to be disabled in certain categories I have to run, but every time I get updates, it will enable the rules I disabled. Also it appears that the systems I am running are not getting updates automatically on the set time frame. I have a premium VRT license and currently running 8 PFsense boxes that all have the same issue.
Thanks for any help.
Those are separate issues from this thread, really. You might start a new thread for each of those issues separately, unless one already exists. I think there may already be some threads out there for the rules getting disabled.
Hopefully the normal package maintainer returns soon and can work on this a bit. I stepped in to fix the updates mentioned in this thread at the request of a commercial support customer; I'd have to spend quite a bit more time looking at the package to even speculate on fixes for the other issues.
-
Working good on 2.0. Thanks for the fix jimp.
-
It works great. ;D
You da man, JimP
-
I will try this soon, thanks JimP! The man who "wrote the book" wrote the snort fix :-) And probably quite a bit of pfSense itself, though I don't know the full extent of his contributions :-)