Snort Updating problems !!!
-
Hello,
I use pfSense V1.2.3-RC1 and have installed the package Snort 2.8.6 pkg v. 1.27.
I have found a bug: to update the rules, the filename of the rules has changed since 10 June 2010.
The file name is now:
snortrules-snapshot-2860.tar.gz
Example for snort 2.8.6.0:
url = http://www.snort.org/pub-bin/oinkmaster.cgi/XXXXXXXXXXXXXX/snortrules-snapshot-2860.tar.gz
Important Note from SNORT website:
We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be responsible for downloading the correct rules release for your version of Snort. The new versioning mechanism will require a four digit version in the file name.
Please James, can you update the package?
Best regards
-
Where is the file oinkmaster.conf on pfSense version 1.2.21?
-
Please check this post, it is a quick and dirty workaround until the new version is available:
http://forum.pfsense.org/index.php/topic,26382.msg139375.html#msg139375
-
Hi,
OK, thank you, but I have already read this post. I would like to know if an official update of this package will be done or not?
Best regards.
-
Well they're tricky guys there at Sourcefire. There were a couple things wrong with the rule downloads:
1. The URL changed.
2. They now redirect you to an Amazon s3 URL to get the actual rules
3. The Amazon url is HTTPS.
So I fixed the URL, changed a redirect option, and I had to disable cURL's SSL validation, but now the rules download for me.
The new package version is up now, give it a try and see if it works.
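The three changes listed in the post above, sketched with the curl command line as an added example (not the pfSense package's code and not jimp's patch). It differs from the fix described in that it keeps certificate validation on by passing a CA bundle and only allows the redirect to go to HTTPS; the function names and the CA bundle argument are hypothetical, and single-digit version components are assumed.

```shell
#!/bin/sh
# Added example; function names and the CA bundle argument are hypothetical.

# Read `snort -V` banner text on stdin and print the version number.
snort_version_from_banner() {
    sed -n 's/.*Version \([0-9][0-9.]*[0-9]\).*/\1/p' | head -n 1
}

# Map a Snort version to the versioned rules file name (2.8.6.0 -> 2860).
# Assumption: single-digit components; a three-part version is padded with .0.
snort_rules_file() {
    v=$1
    case "$v" in
        [0-9].[0-9].[0-9])       v="$v.0" ;;
        [0-9].[0-9].[0-9].[0-9]) ;;
        *) echo "unsupported Snort version: $v" >&2; return 1 ;;
    esac
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$v" | tr -d '.')"
}

# Build the download URL in the form quoted in the thread.
rules_url() {
    f=$(snort_rules_file "$2") || return 1
    printf 'http://www.snort.org/pub-bin/oinkmaster.cgi/%s/%s\n' "$1" "$f"
}

# Download the rules: follow the redirect, but only to HTTPS, and validate
# the server certificate against the CA bundle given as the third argument.
fetch_rules() {
    url=$(rules_url "$1" "$2") || return 1
    curl --fail --silent --show-error \
         --location --max-redirs 3 \
         --proto '=http,https' --proto-redir '=https' \
         --cacert "$3" \
         --output "${url##*/}" "$url"
}

# Constructed sample banner line; nothing is downloaded here.
banner='  o"  )~   Version 2.8.6 (Build 38) FreeBSD'
ver=$(printf '%s\n' "$banner" | snort_version_from_banner)
rules_url XXXXXXXXXXXXXX "$ver"
```
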
-
Giving it a try now. Will post back soon!
Update:
Seems to be working just fine - Rules updated and Snort running. Thanks jimp!!!
-
I tried it on all 3 of my pfSense boxes and is working fine. Thanks again Jim!
-Jason
-
Looking good here!
Many thanks…
-
I uninstalled the old package, installed the new one and updated it, no problem. Did a port scan test and all is working (fingers crossed). ;D
-
Question for those brave people that updated (no going back) :)
Premium rules or basic rules?
Hoping people have tested both…
-
I used the subscribed rules and everything is working great over here
-
Basic working fine for me.
-
Thanks for the feedback! I'll give it a whirl…
-
Thanks Jimp.
Snort now updates and works fine. (with Basic rules)
-
The updates are working fine now when I manually click update button, the version info states it is still package v 1.27 when it is actually 1.30.
Also, there is still that issue with rules getting enabled after updates. This is starting to become a pain. I know that this was discussed before and not sure if there is a fix.
I have a lot of rules that need to be disabled in certain categories I have to run, but every time I get updates, it will enable the rules I disabled. Also it appears that the systems I am running are not getting updates automatically on the set time frame. I have a premium VRT license and currently running 8 PFsense boxes that all have the same issue.
Thanks for any help.
-
@darklogic82:
The updates are working fine now when I manually click update button, the version info states it is still package v 1.27 when it is actually 1.30.
Also, there is still that issue with rules getting enabled after updates. This is starting to become a pain. I know that this was discussed before and not sure if there is a fix.
I have a lot of rules that need to be disabled in certain categories I have to run, but every time I get updates, it will enable the rules I disabled. Also it appears that the systems I am running are not getting updates automatically on the set time frame. I have a premium VRT license and currently running 8 PFsense boxes that all have the same issue.
Thanks for any help.
Those are separate issues from this thread, really. You might start a new thread for each of those issues separately, unless one already exists. I think there may already be some threads out there for the rules getting disabled.
Hopefully the normal package maintainer returns soon and can work on this a bit. I stepped in to fix the updates mentioned in this thread at the request of a commercial support customer, I'd have to spend quite a bit more time looking at the package to even speculate on fixes for the other issues.
-
Working good on 2.0. Thanks for the fix jimp.
-
It works great. ;D
You da man, JimP
-
I will try this soon, thanks JimP! The man who "wrote the book" wrote the snort fix :-) And probably quite a bit of pfSense itself, though I don't know the full extent of his contributions :-)
-
Thanks jimp, the fix that you provided makes my daily update jobs very easy, because I have been doing fetch/extract/install every single day by hand, which is annoying.
Now my concern is how you can compromise longer i/f names, which looks like a 2.0-specific issue that stops Snort from starting at boot, or on any other attempt. I tried some DIY tricks for i/f naming but none of those were a permanent fix; the system will assign a new name every time the box is reloaded.
Any thoughts and ideas appreciated.
Cheers,