Netgate Discussion Forum

    Snort VRT Rules not updating

      battles

      @cciechad:

      I pay for the Snort VRT rules. Unfortunately that doesn't matter as PFSense's version is currently unsupported (not sure why we're on such an old non-supported version) so even with a paid Oink code your updates will fail as the VRT team is no longer compiling rules for this version.

      That is what I was suspicious of.  As popular as pfSense is, it doesn't make sense that there are no longer any VRT rules produced for it.  Is there anything else I can use to get important needed VRT-like rules for pfSense?  I have heard about PulledPork, but I can't figure out what it is about.  Possibly another good Snort-like system?

      pfSense 2.3.4-RELEASE-p1 (i386)
      FreeBSD 10.3-RELEASE-p19
      pfBlockerNG 2.1.2_1
      Snort Security 3.2.9.5_3
      Intel(R) Atom(TM) CPU N270 @ 1.60GHz

        cciechad

        PulledPork is just for automated rule management; it doesn't provide any rules on its own. Possibly the ETOpen rules might still work (not sure). At this point it looks like there is an update to the supported version in Git. Not sure when it's going to hit wherever the package list the routers get, but hopefully it will be pretty soon.

        Chad

          battles

          Found this https://github.com/snortadmin/snort3/blob/master/README.md

          Not sure how to load these rules.

            cciechad

            Those aren't rules. That appears to be some alpha fork of the Snort 2.9 code base.

              cciechad

              FYI This is a known issue over in the IPS/IDS subforum.

              https://forum.pfsense.org/index.php?topic=114449.msg636406#msg636406

                bmeeks

                The updated 2.9.8.3 package was submitted late Friday evening (July 1) as a pull request.  The pfSense developer that normally handles merging Snort and other binary packages is on vacation.  @cmb merged the update into the DEVEL tree of pfSense, but it did not get into the current RELEASE tree.  Because of the July 4 holiday weekend here in the United States, things are slowed down a bit with folks out enjoying holiday activities.  Should get things squared away with the new 2.9.8.3 package appearing maybe on Tuesday of this week.

                Blame this one on me as I was very late in getting the update pull request submitted.  I do this in volunteer mode and some other commitments had priority last week.  I did not get the update submitted for review until very late in the evening on Friday, July 1.

                Bill

                  AR15USR

                  @bmeeks:

                  The updated 2.9.8.3 package was submitted late Friday evening (July 1) as a pull request.  The pfSense developer that normally handles merging Snort and other binary packages is on vacation.  @cmb merged the update into the DEVEL tree of pfSense, but it did not get into the current RELEASE tree.  Because of the July 4 holiday weekend here in the United States, things are slowed down a bit with folks out enjoying holiday activities.  Should get things squared away with the new 2.9.8.3 package appearing maybe on Tuesday of this week.

                  Blame this one on me as I was very late in getting the update pull request submitted.  I do this in volunteer mode and some other commitments had priority last week.  I did not get the update submitted for review until very late in the evening on Friday, July 1.

                  Bill

                  Bill,

                  No worries, and thanks for everything you do. We all appreciate it! Happy 4th!!!


                  2.6.0-RELEASE

                    joelesler

                    @cciechad:

                    Those aren't rules. That appears to be some alpha fork of the Snort 2.9 code base.

                    Snort 3.0 is a rewrite of Snort from the ground up, not a fork.  Just FYI.

                      joelesler

                      @battles:

                      @cciechad:

                      I pay for the Snort VRT rules. Unfortunately that doesn't matter as PFSense's version is currently unsupported (not sure why we're on such an old non-supported version) so even with a paid Oink code your updates will fail as the VRT team is no longer compiling rules for this version.

                      That is what I was suspicious of.  As popular as pfSense is, it doesn't make sense that there are no longer any VRT rules produced for it.  Is there anything else I can use to get important needed VRT-like rules for pfSense?  I have heard about PulledPork, but I can't figure out what it is about.  Possibly another good Snort-like system?

                      Hi.  Joel Esler here, I work for Talos (was VRT) and am the Program Manager for the ruleset.  (Note: I don't hang out in these forums all the time, so if I miss your reply, I'm sorry.)

                      That being said.  It's impossible for us to track the 1,000s of platforms that Snort is built into.  We tried, and we just couldn't keep it up.  We established the EOL policy, probably close to 13 years ago now…  and we've stuck by it.

                        cciechad

                        Joel,

                        Just curious but why is Suricata not as picky about the VRT rules? Even old versions seem to be able to load current VRT rules.

                        Thanks,

                        Chad

                          joelesler

                          @cciechad:

                          Joel,

                          Just curious but why is Suricata not as picky about the VRT rules? Even old versions seem to be able to load current VRT rules.

                          Thanks,

                          Chad

                          Snort can load lots of older versions of rules too.  The issue is, we stop making older versions.  We've found that if we keep older versions around, people will become complacent and never upgrade.

                          You would upgrade other security devices, why not your IDS?

                            bmeeks

                            The updated Snort package for pfSense will get posted soon.  It was merged into DEVEL but not into RELEASE.  A pfSense developer will be taking care of merging into RELEASE.  He and I have exchanged e-mails.

                            As I mentioned either here or in some of the other related threads, the fault of this late update is on me.  I failed to update the package in a timely manner.  When I realized the old rules were EOL, it was already late Friday afternoon on July 1 (the start of a long holiday weekend in the U.S.).  I will strive to better track the EOL dates for rules. I had been doing well until this one time, but I did drop the ball this time.

                            Bill

                              BBcan177 Moderator

                              @joelesler:

                              Hi.  Joel Esler here, I work for Talos (was VRT) and am the Program Manager for the ruleset.  (Note: I don't hang out in these forums all the time, so if I miss your reply, I'm sorry.)

                              That being said.  It's impossible for us to track the 1,000s of platforms that Snort is built into.  We tried, and we just couldn't keep it up.  We established the EOL policy, probably close to 13 years ago now…  and we've stuck by it.

                              It's great to have your support in this forum. Bill Meeks, the Dev/Maintainer of the Snort package, has been doing a phenomenal job on what little free time he has available :)

                              We're all just thrilled that out of the 1000's of platforms that use Snort, that you registered for an account here…

                              It is this ( 1 of a 1000 ), that we here; really care about hehe….

                              Keep up the great work, and we're looking forward to 3.0 ...

                              "Experience is something you don't get until just after you need it."

                              Website: http://pfBlockerNG.com
                              Twitter: @BBcan177  #pfBlockerNG
                              Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.