    Snort VRT Rules not updating

    20 Posts 7 Posters 4.9k Views
cciechad

      I found something else strange. If you go into the packages and click on the link for snort it takes you here

      https://github.com/pfsense/FreeBSD-ports/commits/devel/security/pfSense-pkg-snort

      According to that snort has been updated to 2.9.8.3 which is a supported version.

      Bump Snort GUI package to 3.2.9.1_14 for bug fixes and 2.9.8.3 binary…
      bmeeks8 committed 14 hours ago

      Unfortunately that GIT update appears to be invalid as I've tried to update a half a dozen times and it's not pulling down snort 2.9.8.3

      [2.3.1-RELEASE][admin@chadhome.cox.net]/root: pkg update
      Updating pfSense-core repository catalogue…
      pfSense-core repository is up-to-date.
      Updating pfSense repository catalogue...
      pfSense repository is up-to-date.
      All repositories are up-to-date.
      [2.3.1-RELEASE][admin@chadhome.cox.net]/root: pkg upgrade
      Updating pfSense-core repository catalogue…
      pfSense-core repository is up-to-date.
      Updating pfSense repository catalogue...
      pfSense repository is up-to-date.
      All repositories are up-to-date.
      Checking for upgrades (0 candidates): 100%
      Processing candidates (0 candidates): 100%
      Checking integrity... done (0 conflicting)
      Your packages are up to date.

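The post above boils down to a version check: rule downloads fail not because of the Oinkcode but because the installed Snort binary is older than the oldest version Talos still builds rules for, and the pfSense package version (written FreeBSD-port style, e.g. 3.2.9.1_14) has to be compared correctly to know whether the fix has landed. The following is an added example, not code from the thread or from the pfSense project; it assumes 2.9.8.3 as the minimum supported binary version (the figure given in the post) and uses constructed sample version strings.

```python
"""Check whether an installed Snort binary is still inside the version range
for which Talos publishes VRT rules, and compare pfSense package versions.

Added example, not code from the thread or from the pfSense project.
Assumptions (constructed for illustration):
  - minimum supported binary version 2.9.8.3, as stated in the thread;
  - package versions follow the FreeBSD port style "3.2.9.1_14"
    (numeric version, optional "_<port revision>" suffix).
"""
import re

# From the thread: 2.9.8.3 is the oldest binary the VRT ruleset still targets.
MIN_SUPPORTED_SNORT = "2.9.8.3"

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:_(\d+))?$")


def parse_version(text):
    """Split '2.9.8.3' or '3.2.9.1_14' into (numeric tuple, port revision).

    Raises ValueError on anything else, so a malformed string is never
    silently treated as 'supported'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % text)
    nums = tuple(int(p) for p in m.group(1).split("."))
    rev = int(m.group(2)) if m.group(2) else 0
    return nums, rev


def compare_versions(a, b):
    """Return -1, 0 or 1 (a < b, a == b, a > b).

    Shorter numeric parts are zero-padded, so '2.9.8' equals '2.9.8.0';
    the port revision only breaks ties between equal numeric versions.
    """
    na, ra = parse_version(a)
    nb, rb = parse_version(b)
    width = max(len(na), len(nb))
    na += (0,) * (width - len(na))
    nb += (0,) * (width - len(nb))
    if na != nb:
        return -1 if na < nb else 1
    if ra != rb:
        return -1 if ra < rb else 1
    return 0


def rules_supported(installed, minimum=MIN_SUPPORTED_SNORT):
    """True when the installed Snort binary is at or above the minimum
    version for which VRT rules are still published."""
    return compare_versions(installed, minimum) >= 0


def explain(installed, minimum=MIN_SUPPORTED_SNORT):
    """Human-readable verdict for an installed Snort binary version."""
    if rules_supported(installed, minimum):
        return "Snort %s: VRT rule downloads are expected to work" % installed
    return ("Snort %s is below %s: no VRT rules are published for it, so a "
            "valid Oinkcode will not help until the binary is upgraded"
            % (installed, minimum))


if __name__ == "__main__":
    # Constructed sample versions, not taken from any real host.
    for v in ("2.9.7.6", "2.9.8.3", "2.9.9.0"):
        print(explain(v))
    # Has the package bump from the commit in the thread reached this box?
    print("package 3.2.9.1_14 newer than 3.2.9.1_3:",
          compare_versions("3.2.9.1_14", "3.2.9.1_3") > 0)
```

Usage: run the script to see the verdict for a few sample versions, or call `rules_supported()` with the version string shown in the Snort package's GUI. The check refuses malformed version strings instead of treating them as supported, so a parsing slip cannot hide an EOL binary.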
battles

        @cciechad:

I pay for the Snort VRT rules. Unfortunately that doesn't matter as pfSense's version is currently unsupported (not sure why we're on such an old, non-supported version), so even with a paid Oinkcode your updates will fail as the VRT team is no longer compiling rules for this version.

That is what I was suspicious of. As popular as pfSense is, it doesn't make sense that there are no longer any VRT rules produced for it. Is there anything else I can use to get important, needed VRT-like rules for pfSense? I have heard about PulledPork, but I can't figure out what it is about. Possibly another good Snort-like system?

        pfSense 2.3.4-RELEASE-p1 (i386)
        FreeBSD 10.3-RELEASE-p19
        pfBlockerNG 2.1.2_1
        Snort Security 3.2.9.5_3
        Intel(R) Atom(TM) CPU N270 @ 1.60GHz

cciechad

PulledPork is just for automated rule management; it doesn't provide any rules on its own. Possibly the ETOpen rules might still work (not sure). At this point it looks like there is an update to the supported version in Git. Not sure when it's going to hit wherever the package list the routers get, but hopefully it will be pretty soon.

          Chad

battles

            Found this https://github.com/snortadmin/snort3/blob/master/README.md

            Not sure how to load these rules.

            pfSense 2.3.4-RELEASE-p1 (i386)
            FreeBSD 10.3-RELEASE-p19
            pfBlockerNG 2.1.2_1
            Snort Security 3.2.9.5_3
            Intel(R) Atom(TM) CPU N270 @ 1.60GHz

cciechad

              Those aren't rules. That appears to be some alpha fork of the snort 2.9 code base.

cciechad

                FYI This is a known issue over in the IPS/IDS subforum.

                https://forum.pfsense.org/index.php?topic=114449.msg636406#msg636406

bmeeks

                  The updated 2.9.8.3 package was submitted late Friday evening (July 1) as a pull request.  The pfSense developer that normally handles merging Snort and other binary packages is on vacation.  @cmb merged the update into the DEVEL tree of pfSense, but it did not get into the current RELEASE tree.  Because of the July 4 holiday weekend here in the United States, things are slowed down a bit with folks out enjoying holiday activities.  Should get things squared away with the new 2.9.8.3 package appearing maybe on Tuesday of this week.

Blame this one on me as I was very late in getting the update pull request submitted. I do this in volunteer mode and some other commitments had priority last week. I did not get the update submitted for review until very late in the evening on Friday, July 1.

                  Bill

AR15USR

                    @bmeeks:

The updated 2.9.8.3 package was submitted late Friday evening (July 1) as a pull request. The pfSense developer that normally handles merging Snort and other binary packages is on vacation. @cmb merged the update into the DEVEL tree of pfSense, but it did not get into the current RELEASE tree. Because of the July 4 holiday weekend here in the United States, things are slowed down a bit with folks out enjoying holiday activities. Should get things squared away with the new 2.9.8.3 package appearing maybe on Tuesday of this week.

Blame this one on me as I was very late in getting the update pull request submitted. I do this in volunteer mode and some other commitments had priority last week. I did not get the update submitted for review until very late in the evening on Friday, July 1.

                    Bill

                    Bill,

                    No worries, and thanks for everything you do. We all appreciate it! Happy 4th!!!

2.6.0-RELEASE

joelesler

                      @cciechad:

                      Those aren't rules. That appears to be some alpha fork of the snort 2.9 code base.

                      Snort 3.0 is a rewrite of Snort from the ground up, not a fork.  Just FYI.

joelesler

                        @battles:

                        @cciechad:

I pay for the Snort VRT rules. Unfortunately that doesn't matter as pfSense's version is currently unsupported (not sure why we're on such an old, non-supported version), so even with a paid Oinkcode your updates will fail as the VRT team is no longer compiling rules for this version.

That is what I was suspicious of. As popular as pfSense is, it doesn't make sense that there are no longer any VRT rules produced for it. Is there anything else I can use to get important, needed VRT-like rules for pfSense? I have heard about PulledPork, but I can't figure out what it is about. Possibly another good Snort-like system?

Hi. Joel Esler here, I work for Talos (was VRT) and am the Program Manager for the ruleset. (Note: I don't hang out in these forums all the time, so if I miss your reply, I'm sorry.)

                        That being said.  It's impossible for us to track the 1,000s of platforms that Snort is built into.  We tried, and we just couldn't keep it up.  We established the EOL policy, probably close to 13 years ago now…  and we've stuck by it.

cciechad

                          Joel,

                          Just curious but why is Suricata not as picky about the VRT rules? Even old versions seem to be able to load current VRT rules.

                          Thanks,

                          Chad

joelesler

                            @cciechad:

                            Joel,

                            Just curious but why is Suricata not as picky about the VRT rules? Even old versions seem to be able to load current VRT rules.

                            Thanks,

                            Chad

                            Snort can load lots of older versions of rules too.  The issue is, we stop making older versions.  We've found that if we keep older versions around, people will become complacent and never upgrade.

                            You would upgrade other security devices, why not your IDS?

bmeeks

                              The updated Snort package for pfSense will get posted soon.  It was merged into DEVEL but not into RELEASE.  A pfSense developer will be taking care of merging into RELEASE.  He and I have exchanged e-mails.

                              As I mentioned either here or in some of the other related threads, the fault of this late update is on me.  I failed to update the package in a timely manner.  When I realized the old rules were EOL, it was already late Friday afternoon on July 1 (the start of a long holiday weekend in the U.S.).  I will strive to better track the EOL dates for rules. I had been doing well until this one time, but I did drop the ball this time.

                              Bill

BBcan177 (Moderator)

                                @joelesler:

Hi. Joel Esler here, I work for Talos (was VRT) and am the Program Manager for the ruleset. (Note: I don't hang out in these forums all the time, so if I miss your reply, I'm sorry.)

                                That being said.  It's impossible for us to track the 1,000s of platforms that Snort is built into.  We tried, and we just couldn't keep it up.  We established the EOL policy, probably close to 13 years ago now…  and we've stuck by it.

It's great to have your support in this forum. Bill Meeks, the dev/maintainer of the Snort package, has been doing a phenomenal job in what little free time he has available :)

We're all just thrilled that, out of the 1000s of platforms that use Snort, you registered for an account here…

It is this (1 of a 1000) that we here really care about, hehe….

Keep up the great work, and we're looking forward to 3.0 ...

                                "Experience is something you don't get until just after you need it."

                                Website: http://pfBlockerNG.com
                                Twitter: @BBcan177  #pfBlockerNG
                                Reddit: https://www.reddit.com/r/pfBlockerNG/new/
