Snort Package Updates Available
-
The "Not Downloaded" text is a cosmetic error. The upstream Snort team changed the way the rules archive file is named with this latest version, and that change throws off some of the automatic stuff in the GUI package. I fixed two issues, but apparently missed this one. You can be confident the new file versions are downloaded and in use by looking at the Update Log file (you posted its contents). See how it says in there the 29120 file was downloaded and installed?
-
@bmeeks said in Snort Package Updates Available:
The "Not Downloaded" text is a cosmetic error. The upstream Snort team changed the way the rules archive file is named with this latest version, and that change throws off some of the automatic stuff in the GUI package. I fixed two issues, but apparently missed this one. You can be confident the new file versions are downloaded and in use by looking at the Update Log file (you posted its contents). See how it says in there the 29120 file was downloaded and installed?
And what about the RAM eating of Snort, any experience?
-
@nagel
I have no idea about the RAM usage increase. I've noticed no change on my own firewall running Snort.
-
I don't see any block from Snort rules, only from ET.
-
@simbad said in Snort Package Updates Available:
I don't see any block from Snort rules, only from ET.
Depending on which rules you have enabled, that can be perfectly normal. I'm a safe browser, so I see pretty much no alerts from anything except the handful of known malicious IP lists I run from the ET feed. I run those on my WAN just to generate some alerts to look at. The traffic from those IP addresses is blocked by my default WAN rules anyway. With a properly tuned rule set, you should expect to see very few alerts unless you have an actual security problem inside your perimeter.
-
For those of you seeing the "Not Downloaded" message on the UPDATES tab for the Snort Subscriber Rules, that is only a cosmetic problem. I will submit a fix for it, but in the meantime if you want to correct the issue yourself you can make the following edit to the listed file.
File: /usr/local/www/snort/snort_download_updates.php
Open that file in an editor (you can use the DIAGNOSTICS -> EDIT function of pfSense).
Locate this area of code near the top of the file:

```php
/* Define some locally required variables from Snort constants */
$snortdir = SNORTDIR;
$snortbinver = SNORT_BIN_VERSION;
$snortbinver = str_replace(".", "", $snortbinver);
```
Paste the following code immediately underneath it.
```php
// Make sure the rules version is at least 5 characters in length
// by adding trailing zeros if required.
if (strlen($snortbinver) < 5) {
	$snortbinver = str_pad($snortbinver, 5, '0', STR_PAD_RIGHT);
}
```
Save the change and that's it. Here is how the fixed code should look after you finish:
```php
/* Define some locally required variables from Snort constants */
$snortdir = SNORTDIR;
$snortbinver = SNORT_BIN_VERSION;
$snortbinver = str_replace(".", "", $snortbinver);
// Make sure the rules version is at least 5 characters in length
// by adding trailing zeros if required.
if (strlen($snortbinver) < 5) {
	$snortbinver = str_pad($snortbinver, 5, '0', STR_PAD_RIGHT);
}
```
Update: a pull request containing this fix has been posted for the pfSense team to review and merge. The request can be viewed here.
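To see why the padding matters, here is an added example (not code from the pfSense Snort package or from bmeeks) that reproduces the version normalization in Python and uses it to check whether the rules archive the GUI should be looking for is actually on disk. It assumes the Subscriber Rules archive is named snortrules-snapshot-<version token>.tar.gz; the directory and file it checks are constructed inside a temporary directory, not a real pfSense install.

```python
"""Added example (not pfSense/Snort package code): reproduce the version
normalization from the fix above and use it to check, from a defender's
side, whether the expected rules archive is present."""
import os
import re
import tempfile

# Assumption for this example: the Snort Subscriber Rules archive is named
# snortrules-snapshot-<version token>.tar.gz (e.g. ...-29120.tar.gz).
ARCHIVE_PATTERN = "snortrules-snapshot-{token}.tar.gz"


def rules_version_token(snort_bin_version: str) -> str:
    """Mirror the PHP fix: strip the dots and right-pad with zeros to 5 chars.

    "2.9.11.1" -> "29111"            (4-part versions already give 5 characters)
    "2.9.12"   -> "2912" -> "29120"  (3-part versions need the padding)
    """
    if not re.fullmatch(r"\d+(\.\d+)*", snort_bin_version):
        raise ValueError(f"unexpected Snort version string: {snort_bin_version!r}")
    token = snort_bin_version.replace(".", "")
    return token.ljust(5, "0")


def expected_archive_name(snort_bin_version: str) -> str:
    """Archive file name the GUI should look for, given the binary version."""
    return ARCHIVE_PATTERN.format(token=rules_version_token(snort_bin_version))


def rules_archive_present(rules_dir: str, snort_bin_version: str) -> bool:
    """True if the archive for this Snort version exists in rules_dir."""
    path = os.path.join(rules_dir, expected_archive_name(snort_bin_version))
    return os.path.isfile(path)


def demo() -> dict:
    """Constructed scenario: a rules directory holding the 29120 archive.

    Without the padding the GUI would look for a '2912' file and report
    'Not Downloaded' even though the 29120 archive is right there.
    """
    with tempfile.TemporaryDirectory() as rules_dir:
        archive = os.path.join(rules_dir, "snortrules-snapshot-29120.tar.gz")
        open(archive, "wb").close()  # empty stand-in for the real archive
        unpadded = "snortrules-snapshot-2912.tar.gz"  # what the buggy lookup wants
        return {
            "padded_found": rules_archive_present(rules_dir, "2.9.12"),
            "unpadded_found": os.path.isfile(os.path.join(rules_dir, unpadded)),
        }


if __name__ == "__main__":
    print(demo())
```

The check is the same one you can do by hand from the Update Log: compute the token the GUI derives from the binary version, then confirm that file is the one that was downloaded and installed.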
-
Fixed with update. Thanks.
-
@bmeeks said in Snort Package Updates Available:
@nagel
I have no idea about the RAM usage increase. I've noticed no change on my own firewall running Snort.
Back to normal. Changed the version and the matching to "AC" without "-BNFA".
-
@nagel said in Snort Package Updates Available:
@bmeeks said in Snort Package Updates Available:
@nagel
I have no idea about the RAM usage increase. I've noticed no change on my own firewall running Snort.
Back to normal. Changed the version and the matching to "AC" without "-BNFA".
So do you mean that after the version change you altered the Fast Pattern Matching algorithm to "AC"? If so, that would definitely have been the problem. I really should take out all of the other options as nothing works better than "AC-BNFA" for the Pattern Matcher. All of the other settings just eat up RAM like crazy for essentially zero performance benefit.
-
Working nice here, the alerts I see are from the WAN side as I use SCAN and DROP rules from ET.
I did get some from the LAN side a week or 2 ago though, but I am not sure if it was because of the Microsoft Store or it was malware on that computer.
I did run antispyware and it found trackers, not actually malware.
Anyway I hope Snort will soon, or in 2019/20, support/run on all cores.
This alpha stage has been going on for ages.