Registered Snort VRT user - Suricata doesn't automatically get scheduled updates
-
Hello,
I am a registered (paying) Snort VRT user - I have Suricata configured with my oinkcode to retrieve my rules, once per day, but it never does. Emerging Threats rules download daily per the schedule.
I should add that I have followed all instructions per https://forum.pfsense.org/index.php?topic=124054.0
What else might I be missing?
-
You have to do two things:
(1) – make sure only your Oinkcode is entered into the provided box. Do not enter the entire URL you get from the Snort VRT site. Just enter the Oinkcode random number value (it's that mix of letters and numbers).
(2) – tell Suricata which current rules package to download. Suricata is not Snort, so it has no internal way of knowing which rules package to grab. Snort is hard-coded to a specific rules package version that matches the binary version. Not so for Suricata. Have you read this sticky post in this forum? https://forum.pfsense.org/index.php?topic=124054.0
The current filename is snortrules-snapshot-2990.tar.gz
Bill
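The two checks in the reply above (a bare Oinkcode in the box, and a rules package filename that matches the version named in the sticky) can be sanity-checked before the nightly job runs. The following is an added example written for this thread, not code from the pfSense Suricata package. It assumes that an Oinkcode is a 40-character hexadecimal string and that a download URL pasted from the Snort site would carry the code as an `oinkcode` query parameter; both are assumptions, not facts from the post.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Assumption: an Oinkcode is a 40-character hexadecimal string.
OINKCODE_RE = re.compile(r"^[0-9a-f]{40}$", re.IGNORECASE)
# Tarball naming as quoted in the reply: snortrules-snapshot-NNNN.tar.gz
SNAPSHOT_RE = re.compile(r"^snortrules-snapshot-(\d+)\.tar\.gz$")


def normalize_oinkcode(value: str) -> str:
    """Return the bare Oinkcode, unwrapping a pasted download URL if needed.

    Raises ValueError when the value is neither a bare code nor a URL that
    carries an 'oinkcode' query parameter (the parameter name is assumed).
    """
    value = value.strip()
    if OINKCODE_RE.match(value):
        return value.lower()
    if value.lower().startswith(("http://", "https://")):
        codes = parse_qs(urlparse(value).query).get("oinkcode", [])
        if len(codes) == 1 and OINKCODE_RE.match(codes[0]):
            return codes[0].lower()
        raise ValueError("a URL was entered, but it carries no valid oinkcode parameter")
    raise ValueError("Oinkcode must be exactly 40 hexadecimal characters")


def snapshot_version(filename: str) -> Optional[str]:
    """Return the NNNN package version from a rules tarball name, or None."""
    m = SNAPSHOT_RE.match(filename.strip())
    return m.group(1) if m else None


def audit_settings(oinkcode_field: str, filename: str,
                   expected_version: str = "2990") -> List[str]:
    """Report misconfigurations of the two settings; an empty list means OK."""
    findings = []
    try:
        code = normalize_oinkcode(oinkcode_field)
        if code != oinkcode_field.strip().lower():
            findings.append("Oinkcode box contains a URL; enter only the code itself")
    except ValueError as exc:
        findings.append(f"Oinkcode invalid: {exc}")
    version = snapshot_version(filename)
    if version is None:
        findings.append("rules filename must look like snortrules-snapshot-NNNN.tar.gz")
    elif version != expected_version:
        findings.append(f"rules filename names package {version}, "
                        f"but the sticky post lists {expected_version}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the code below is not a real Oinkcode.
    sample_code = "0123456789abcdef0123456789abcdef01234567"
    print(audit_settings(sample_code, "snortrules-snapshot-2990.tar.gz"))
    print(audit_settings("https://example.invalid/rules?oinkcode=" + sample_code,
                         "snortrules-snapshot-2983.tar.gz"))
```

The audit deliberately reports every problem it finds rather than stopping at the first, since a wrong filename and a URL in the Oinkcode box both produce the same symptom in the nightly log: the Snort VRT download is never attempted.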
-
Yes, as I indicated in my post, I followed those instructions per the sticky post.
Thank you for whatever additional information you may be able to provide, and I am using that precise filename as well.
-
What does the Rules Update Log say on the UPDATES tab? Open it up and paste the contents here (or the last update session which will be at the bottom of the log). It will print an error if there is failure, and that error can help locate your issue.
Also realize the Snort VRT rules generally only update twice a week on Tuesdays and Thursdays. They do not get daily updates like the ET rules.
Bill
-
The typical update looks like this... the Snort MD5 checksum never seems to update, and I have let it go for about a week at a time with no updates whatsoever...
Starting rules update... Time: 2017-11-20 04:30:00
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Checking Emerging Threats Open rules md5 file...
Emerging Threats Open rules are up to date.
Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
Checking Snort VRT rules md5 file...
Snort VRT rules are up to date.
The Rules update has finished. Time: 2017-11-20 04:30:03
Starting rules update... Time: 2017-11-21 04:30:00
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Checking Emerging Threats Open rules md5 file...
There is a new set of Emerging Threats Open rules posted.
Downloading file 'emerging.rules.tar.gz'...
Done downloading rules file.
Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
Checking Snort VRT rules md5 file...
Snort VRT rules are up to date.
Extracting and installing Emerging Threats Open rules...
Installation of Emerging Threats Open rules completed.
Copying new config and map files...
Updating rules configuration for: WAN ...
Updating rules configuration for: LAN ...
Restarting Suricata to activate the new set of rules...
Suricata has restarted with your new set of rules.
The Rules update has finished. Time: 2017-11-21 04:32:22
Thank you for the tip about Tuesdays and Thursdays. I will look closely at what happens this coming week on those days and I will report back here.
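The Rules Update Log above is the only evidence of whether the Snort VRT md5 check ran and whether it ever produced a new install, so it is worth parsing rather than eyeballing. The following is an added example, not part of the post or of the pfSense package: it splits the log into update sessions (tolerating the fused "finished...Starting" lines seen in the pasted log), records per session whether the VRT feed was checked and whether a new set was installed, and raises a finding when the last VRT install is older than a threshold. The sample log is constructed in the same format as the one quoted above; its fourth session, where the VRT md5 is never fetched, is invented to show the unchecked case. The 10-day staleness threshold is an assumption based on the twice-weekly release cadence mentioned in the thread.

```python
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Each session opens with a "Starting rules update" marker. The pasted log
# sometimes has the previous "finished" line fused onto it, so sessions are
# split on the marker itself rather than on line boundaries. Both "..." and
# the Unicode ellipsis seen in the log are accepted.
START_RE = re.compile(
    r"Starting rules update(?:\.\.\.|\u2026) Time: (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)
NEW_VRT = "There is a new set of Snort VRT rules posted."
VRT_OK = "Snort VRT rules are up to date."
NEW_ET = "There is a new set of Emerging Threats Open rules posted."

# Constructed sample in the format of the Rules Update Log quoted above.
# Sessions 1-3 mirror the thread; session 4 is invented (VRT never checked).
SAMPLE_LOG = """\
Starting rules update... Time: 2017-11-20 04:30:00
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Checking Emerging Threats Open rules md5 file...
Emerging Threats Open rules are up to date.
Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
Checking Snort VRT rules md5 file...
Snort VRT rules are up to date.
The Rules update has finished. Time: 2017-11-20 04:30:03Starting rules update... Time: 2017-11-21 04:30:00
Checking Emerging Threats Open rules md5 file...
There is a new set of Emerging Threats Open rules posted.
Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
Snort VRT rules are up to date.
The Rules update has finished. Time: 2017-11-21 04:32:22
Starting rules update\u2026 Time: 2017-11-29 04:30:00
There is a new set of Emerging Threats Open rules posted.
Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
There is a new set of Snort VRT rules posted.
Installation of Snort VRT rules completed.
The Rules update has finished. Time: 2017-11-29 04:32:20
Starting rules update... Time: 2017-12-01 04:30:00
Checking Emerging Threats Open rules md5 file...
Emerging Threats Open rules are up to date.
The Rules update has finished. Time: 2017-12-01 04:30:02
"""


def parse_time(text: str) -> datetime:
    """Parse the timestamp format used by the update log."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def parse_sessions(log_text: str) -> List[Dict]:
    """Split the log into sessions and record what each did with the VRT feed."""
    starts = list(START_RE.finditer(log_text))
    sessions = []
    for i, m in enumerate(starts):
        end = starts[i + 1].start() if i + 1 < len(starts) else len(log_text)
        body = log_text[m.end():end]
        sessions.append({
            "time": parse_time(m.group(1)),
            "vrt_checked": NEW_VRT in body or VRT_OK in body,
            "vrt_new": NEW_VRT in body,
            "et_new": NEW_ET in body,
        })
    return sessions


def last_vrt_install(sessions: List[Dict]) -> Optional[datetime]:
    """Time of the most recent session that installed a new Snort VRT set."""
    times = [s["time"] for s in sessions if s["vrt_new"]]
    return max(times) if times else None


def vrt_findings(sessions: List[Dict], now: datetime,
                 max_age_days: int = 10) -> List[str]:
    """Human-readable findings about the VRT feed; empty means it looks healthy."""
    if not sessions:
        return ["no update sessions found in log"]
    findings = [f"{s['time']:%Y-%m-%d}: Snort VRT md5 was never checked in this session"
                for s in sessions if not s["vrt_checked"]]
    last = last_vrt_install(sessions)
    if last is None:
        findings.append("Snort VRT rules have never been installed in this log")
    elif now - last > timedelta(days=max_age_days):
        findings.append(f"last Snort VRT install {last:%Y-%m-%d} is older than {max_age_days} days")
    return findings


if __name__ == "__main__":
    for line in vrt_findings(parse_sessions(SAMPLE_LOG), parse_time("2017-12-15 00:00:00")):
        print(line)
```

A session in which the VRT md5 file is never even fetched is a different problem from a run of "up to date" results: the former points at configuration, the latter is simply the feed not having changed, which is expected between the Tuesday and Thursday releases.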
-
My own Snort VRT rules last updated on November 21. So probably nothing to worry about. Either nothing has been needed on the rule creation front for a while, or the Snort VRT folks took a long holiday for Thanksgiving in the U.S. … :)
You can follow the Snort VRT rules releases here: https://www.snort.org/downloads/#rule-downloads
Bill
-
Thank you. As it turns out, yes, I was simply being impatient:
Starting rules update… Time: 2017-11-29 04:30:00
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Checking Emerging Threats Open rules md5 file...
There is a new set of Emerging Threats Open rules posted.
Downloading file 'emerging.rules.tar.gz'...
Done downloading rules file.
Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
Checking Snort VRT rules md5 file...
There is a new set of Snort VRT rules posted.
Downloading file 'snortrules-snapshot-2990.tar.gz'...
Done downloading rules file.
Extracting and installing Emerging Threats Open rules...
Installation of Emerging Threats Open rules completed.
Extracting and installing Snort VRT rules...
Installation of Snort VRT rules completed.
Copying new config and map files...
Updating rules configuration for: WAN ...
Updating rules configuration for: LAN ...
Restarting Suricata to activate the new set of rules...
Suricata has restarted with your new set of rules.
The Rules update has finished. Time: 2017-11-29 04:32:20
Thank you again for all your very informative help.