Netgate Discussion Forum

    Snort Rules Update weirdness

    pfSense Packages
ccb056

      
      Mar 27 12:05:08	php: : The Rules update has finished...
      Mar 27 12:05:08	php: : Snort has restarted with your new set of rules...
      Mar 27 12:04:46	SnortStartup[36341]: Snort SOFT START For WAN(3663_em0)...
      Mar 27 12:04:42	php: : Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
      Mar 27 12:04:41	php: : Updating rules configuration for: WAN ...
      Mar 27 12:04:41	php: : Emergingthreats rules file update downloaded succsesfully
      Mar 27 12:04:40	php: : There is a new set of Emergingthreats rules posted. Downloading...
      Mar 27 12:04:39	php: : Please wait... You may only check for New Rules every 15 minutes...
      Mar 27 12:04:39	php: : Snort MD5 Attempts: 2
      Mar 27 12:03:47	php: : The Rules update has finished...
      Mar 27 12:03:47	php: : Emerging threat rules are up to date...
      Mar 27 12:03:47	php: : Snort rules are up to date...
      Mar 27 12:03:47	php: : Snort MD5 Attempts: 1
      
      

      I am running both Snort rules and Emergingthreats rules.
      It looks like the ET rules are being updated twice, but on the first attempt they are up to date, on the second attempt it downloads a new set of rules.

bmeeks

        It almost looks like you have two colliding cron jobs.  There is supposed to be only a single cron job to update the rules (set by the GUI and the update interval you choose).

        Can you post the contents of the file /etc/crontab from your firewall?  It should look something like the one below:

        # pfSense specific crontab entries
        # Created: March 26, 2013, 4:24 pm
        #
        
        0       *       *       *       *       root    /usr/bin/nice -n20 newsyslog
        1,31    0-5     *       *       *       root    /usr/bin/nice -n20 adjkerntz -a
        1       3       1       *       *       root    /usr/bin/nice -n20 /etc/rc.update_bogons.sh
        */60    *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
        1       1       *       *       *       root    /usr/bin/nice -n20 /etc/rc.dyndns.update
        */60    *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
        */5     *       *       *       *       root    /etc/ping_hosts.sh
        */140   *       *       *       *       root    /usr/local/sbin/reset_slbd.sh
        30      12      *       *       *       root    /usr/bin/nice -n20 /etc/rc.update_urltables
        3       */12    *       *       *       root    /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
        */5     *       *       *       *       root    /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc
        */5     *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 3600 snort2c
        #
        
        

        Bill

ccb056

          
          SHELL=/bin/sh
          PATH=/etc:/bin:/sbin:/usr/bin:/usr/sbin
          HOME=/var/log
          #minute hour    mday    month   wday    who      command
          #
          #
          # pfSense specific crontab entries
          # Created: March 27, 2013, 2:54 pm
          #
          
          0       *       *       *       *       root    /usr/bin/nice -n20 newsyslog
          1,31    0-5     *       *       *       root    /usr/bin/nice -n20 adjkerntz -a
          1       3       1       *       *       root    /usr/bin/nice -n20 /etc/rc.update_bogons.sh
          */60    *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 sshlockout
          1       1       *       *       *       root    /usr/bin/nice -n20 /etc/rc.dyndns.update
          */60    *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -v -t 3600 virusprot
          30      12      *       *       *       root    /usr/bin/nice -n20 /etc/rc.update_urltables
          0       0       *       *       *       root    /bin/rm /var/squid/cache/swap.state; /usr/local/sbin/squid -k rotate
          */15    *       *       *       *       root    /usr/local/pkg/swapstate_check.php
          */5     *       *       *       *       root    /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc
          */10    *       *       *       *       root    /usr/bin/perl /usr/local/www/lightsquid/lightparser.pl today
          15      0       *       *       *       root    /usr/bin/perl /usr/local/www/lightsquid/lightparser.pl yesterday
          3       */6     *       *       *       root    /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
          */30    *       *       *       *       root    /usr/bin/nice -n20 /usr/local/sbin/expiretable -t 21600 snort2c
          0       *       *       *       *       root    /usr/local/bin/php -q /usr/local/www/pfblocker.php cron
          #
          # If possible do not add items to this file manually.
          # If you do so, this file must be terminated with a blank line (e.g. new line)
          #
          
          
bmeeks

            Well, your crontab file looks OK.  Was wondering if perhaps the snort rules update was listed twice, but it's not.

            Next theory is maybe an orphaned Snort process out there (or even stranger, an orphaned cron job).  Can you reboot the firewall in question?  If not, what about stopping Snort on all interfaces, then examine the running processes and make sure no snort-related stuff is running.  Then restart Snort.

            The log entry you posted earlier sure makes it seem as if two or more Snort rule updates are trying to run simultaneously.

ccb056
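Two small checks that follow Bill's line of diagnosis above, written here as an added example (this is not code from the pfSense Snort package or from either poster): the first counts how many active crontab lines schedule snort_check_for_rule_updates.php, since a healthy pfSense crontab carries exactly one; the second reads the "Snort MD5 Attempts" log lines, each of which opens one rule-update run, and flags runs that start closer together than the 15-minute minimum the package itself logs. The crontab and log text embedded below are constructed from the lines posted in the thread (the rule-update job is deliberately duplicated and one earlier log run is added for contrast), and the year 2013 is assumed because syslog lines carry none.

```python
"""Added example for the diagnosis in the thread: not code from the pfSense
Snort package or from either poster. Two checks over constructed input:
(1) count crontab lines that schedule the Snort rule-update script, and
(2) flag rule-update runs that start closer together than the 15-minute
minimum the package logs ("You may only check for New Rules every 15 minutes").
"""
import re
from datetime import datetime, timedelta

# Script name taken from the crontab lines posted in the thread.
RULE_UPDATE_SCRIPT = "snort_check_for_rule_updates.php"

# Constructed sample: a few of the poster's crontab lines, with the
# rule-update job duplicated on a second schedule so the check finds something.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# pfSense specific crontab entries
0       *       *       *       *       root    /usr/bin/nice -n20 newsyslog
3       */6     *       *       *       root    /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
*/5     *       *       *       *       root    /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_cron_misc.inc
3       */12    *       *       *       root    /usr/bin/nice -n20 /usr/local/bin/php -f /usr/local/pkg/snort/snort_check_for_rule_updates.php >> /tmp/snort_update.log
"""

# Constructed sample log, newest first as in the thread: the two "MD5 Attempts"
# lines from the original post plus one earlier run added for contrast.
SAMPLE_LOG = """\
Mar 27 12:04:39\tphp: : Snort MD5 Attempts: 2
Mar 27 12:03:47\tphp: : Snort MD5 Attempts: 1
Mar 27 06:03:31\tphp: : Snort MD5 Attempts: 1
"""

# Each rule-update run in the thread's log begins with a "Snort MD5 Attempts" line.
MD5_LINE = re.compile(
    r"^(\w{3} {1,2}\d{1,2} \d{2}:\d{2}:\d{2})\s+php: : Snort MD5 Attempts: (\d+)"
)


def crontab_rule_update_jobs(crontab_text):
    """Return (minute, hour) for every active cron line that runs the
    rule-update script. A healthy pfSense crontab has exactly one such line."""
    jobs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # minute hour mday month wday who command (the command may contain spaces)
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue  # SHELL=, PATH= and similar variable lines
        if RULE_UPDATE_SCRIPT in fields[6]:
            jobs.append((fields[0], fields[1]))
    return jobs


def update_runs_within(log_text, year=2013, minimum=timedelta(minutes=15)):
    """Parse the start time of each rule-update run, sort oldest first, and
    return (earlier, later, gap) for consecutive runs closer than `minimum`.
    Syslog lines carry no year, so one is supplied (2013 assumed, the thread's date)."""
    starts = []
    for line in log_text.splitlines():
        m = MD5_LINE.match(line.strip())
        if m:
            starts.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    starts.sort()
    return [
        (earlier, later, later - earlier)
        for earlier, later in zip(starts, starts[1:])
        if later - earlier < minimum
    ]


if __name__ == "__main__":
    jobs = crontab_rule_update_jobs(SAMPLE_CRONTAB)
    print(f"rule-update cron entries: {len(jobs)} {jobs}")
    for earlier, later, gap in update_runs_within(SAMPLE_LOG):
        print(f"runs {gap.total_seconds():.0f}s apart: "
              f"{earlier:%b %d %H:%M:%S} -> {later:%b %d %H:%M:%S}")
```

Run it against copies of /etc/crontab and the system log taken off the firewall; on the sample input it reports two rule-update cron entries and one pair of runs only 52 seconds apart, which is the pattern in the original post (attempt 1 at 12:03:47, attempt 2 at 12:04:39). A second schedule in the crontab is the first thing to rule out; if the crontab is clean, as it was here, the overlapping runs point at something else starting the update, which is where Bill's orphaned-process theory comes in.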

              I disabled the snort rules, now I am only running the ET rules.
              My log looks fixed:

              
              Mar 29 00:03:31	php: : The Rules update has finished...
              Mar 29 00:03:31	php: : Snort has restarted with your new set of rules...
              Mar 29 00:03:09	SnortStartup[15147]: Snort SOFT START For WAN(3663_em0)...
              Mar 29 00:03:08	php: : Checking for and disabling any rules dependent upon disabled preprocessors for WAN...
              Mar 29 00:03:08	php: : Updating rules configuration for: WAN ...
              Mar 29 00:03:07	php: : Emergingthreats rules file update downloaded succsesfully
              Mar 29 00:03:04	php: : There is a new set of Emergingthreats rules posted. Downloading...
              
              

              Maybe there is something wrong with running both Snort and ET rules at the same time….

bmeeks

                @ccb056:

                Maybe there is something wrong with running both Snort and ET rules at the same time….

No, there shouldn't be a problem, I run both sets in my production system.  I run different sets on different interfaces.  My updates happen without any problems.  If you have not yet, a reboot of that box might help.

I'm still doing quite a bit of testing of various scenarios with the newest Snort package in a virtual machine environment.  I have found a few quirks in the PHP code that I am cleaning up and improving.  Hope to have a GUI code update to submit this weekend.  One area where I made some changes is in the rules update code (but nothing that I expect would definitely cause or correct the issue you see – still, it might help).

                Bill

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.