Rules Download with Snort 2.9.4.6 pkg v2.6.0 / pfsense 2.1
-
I recently updated to 2.1, followed by an update to snort. The system is performing smoothly, however rules are not being updated automatically. I tried reinstalling snort with no change. Changing the frequency of the updates 6HRs/12HRs has no effect (still no auto updating).
Manually updating rules works fine.
Automatic rules downloads worked fine under the previous version of pfsense/snort.
Any suggestions for troubleshooting/resolving would be appreciated.
Thanks!
-
Looking at Snort.org it seems like the last Snort VRT rules upgrade is from the 26th. I manually hit the update button this morning and there was an update for ET rules. The log suggests that auto updates are working, but there was nothing to update.
What does the update log look like for you?
-
Recent log entries are below:
Starting rules update… Time: 2013-09-21 16:05:06
Downloading Snort VRT md5 file...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
The Rules update has finished. Time: 2013-09-21 16:05:07
Starting rules update... Time: 2013-09-24 21:02:14
Downloading Snort VRT md5 file...
Checking Snort VRT md5 file...
There is a new set of Snort VRT rules posted. Downloading...
Done downloading rules file.
Extracting and installing Snort VRT rules...
Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
Installation of Snort VRT rules completed.
Copying new config and map files...
Updating rules configuration for: WAN ...
Updating rules configuration for: LAN1 ...
Updating rules configuration for: LAN2 ...
Restarting Snort to activate the new set of rules...
Snort has restarted with your new set of rules.
The Rules update has finished. Time: 2013-09-24 21:03:20
Starting rules update... Time: 2013-09-26 23:41:14
Downloading Snort VRT md5 file...
Checking Snort VRT md5 file...
There is a new set of Snort VRT rules posted. Downloading...
Done downloading rules file.
Extracting and installing Snort VRT rules...
Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
Installation of Snort VRT rules completed.
Copying new config and map files...
Updating rules configuration for: WAN ...
Updating rules configuration for: LAN1 ...
Updating rules configuration for: LAN2 ...
Restarting Snort to activate the new set of rules...
Snort has restarted with your new set of rules.
The Rules update has finished. Time: 2013-09-26 23:41:48
Starting rules update... Time: 2013-09-28 00:06:01
Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
Snort VRT md5 download failed.
Server returned error code '504'.
Snort VRT rules will not be updated.
The Rules update has finished. Time: 2013-09-28 00:07:28
Starting rules update... Time: 2013-09-28 00:10:05
Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
The Rules update has finished. Time: 2013-09-28 00:10:57
Starting rules update... Time: 2013-09-29 00:54:29
Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
The Rules update has finished. Time: 2013-09-29 00:54:30
Starting rules update... Time: 2013-09-29 10:35:34
Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
The Rules update has finished. Time: 2013-09-29 10:35:35
Starting rules update... Time: 2013-09-30 20:37:54
Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
Checking Snort VRT md5 file...
Snort VRT rules are up to date.
The Rules update has finished. Time: 2013-09-30 20:37:55
Those were all manual updates. Under the previous snort version, the automatic attempts were showing up as well.
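
An added example, not part of the original post or of the pfSense Snort package: a small Python check that reads an update log in the format quoted above (also tolerating entries that run together on one line), classifies each run, and lists the gaps between runs that exceed the configured update interval. The function names, outcome labels and sample log are constructed for illustration; the log does not mark a run as manual or scheduled, so a reported gap only means that no run of either kind was logged in that window.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the log quoted above.
SAMPLE_LOG = """\
Starting rules update... Time: 2013-09-26 23:41:14
There is a new set of Snort VRT rules posted. Downloading...
Installation of Snort VRT rules completed.
The Rules update has finished. Time: 2013-09-26 23:41:48Starting rules update... Time: 2013-09-28 00:06:01
Snort VRT md5 download failed.
Server returned error code '504'.
The Rules update has finished. Time: 2013-09-28 00:07:28Starting rules update... Time: 2013-09-30 20:37:54
Snort VRT rules are up to date.
The Rules update has finished. Time: 2013-09-30 20:37:55
"""

START = re.compile(
    r"Starting rules update(?:\.\.\.|…) Time: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")
HTTP_ERR = re.compile(r"Server returned error code '(\d+)'")

def parse_runs(text):
    """Return one (start_time, outcome, http_code) tuple per update run."""
    starts = list(START.finditer(text))
    runs = []
    for i, m in enumerate(starts):
        # A run's body extends to the next start marker, even mid-line.
        end = starts[i + 1].start() if i + 1 < len(starts) else len(text)
        body = text[m.end():end]
        if "download failed" in body:
            outcome = "failed"
        elif "Installation of Snort VRT rules completed" in body:
            outcome = "updated"
        elif "rules are up to date" in body:
            outcome = "current"
        else:
            outcome = "unknown"
        err = HTTP_ERR.search(body)
        started = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        runs.append((started, outcome, err.group(1) if err else None))
    return runs

def missed_windows(runs, interval_hours, slack_minutes=30):
    """Pairs of consecutive run start times further apart than the interval."""
    limit = timedelta(hours=interval_hours, minutes=slack_minutes)
    times = [started for started, _, _ in runs]
    return [(a, b) for a, b in zip(times, times[1:]) if b - a > limit]

if __name__ == "__main__":
    for run in parse_runs(SAMPLE_LOG):
        print(run)
    print(missed_windows(parse_runs(SAMPLE_LOG), interval_hours=12))
```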
-
There are usually only two updates per week. You can check the actual Snort site to verify. There was a new update posted today (October 1). They generally update on Tuesday and Thursday afternoons.
I have personally found that updates are more reliable if you set the start time to 1:00 AM or later. My suspicion is some backup or maintenance process on the Snort VRT servers frequently interferes with updates too close to midnight.
Bill
-
Thank you Bill. I changed the update time to 0203 and will give it a week to see if the update actually occurs. If not, manual updates are not that much of a burden.
-
The auto updates should "just work". The only problem I encountered was back when mine were set for 00:03. That was the old default in the package, and those would fail quite often for me (the Snort VRT updates, that is). That's the main reason I added the option to choose other update start times. Once I moved to something more than an hour past midnight, I have not had another problem.
I don't remember ever having a problem with the Emerging Threats updates.
Bill
-
To close this out (hopefully), the problem resolved itself after a power outage and restart of the pfsense box. Auto downloads appear to be working fine as expected. Thanks!