Netgate Discussion Forum

    Suricata Snort VRT Rules Problem/Missing Fixed!

    IDS/IPS
Snowaks (last edited by Snowaks):

So the basic problem I am having is that the VRT rules do not show up in the WAN/LAN Categories; for the Snort VRT rules it shows "Snort Rules have not been downloaded". In Global Settings I did set up a URL; Snort Rules Filename & Snort Oinkmaster Code are all right & set up. I can test this by going to Update and it will download the rules, but when I go to Interface Settings for an interface the VRT rules are not there. Now, why this matters to me: when I go to set an IPS Policy to whatever I set it to, say Security, when you look at the rules it has nothing defined, it's just blank. Am I missing a point here, or am I doing something wrong? Or should I just go back to the Snort pkg?

Snowaks:

Just dropped Suricata. I will miss some of the stuff in Suricata, but I would much rather have security over features any day. If someone can help then I may go back, as all my research did nothing to fix the problem.

bmeeks (last edited by bmeeks):

Have you followed all the instructions here?

You mentioned you input a URL. That is not correct. Read the hint printed underneath the text box. It specifically says "Do not input the URL". You should provide only the filename for the Snort Subscriber Rules. For the latest 2.9.x Snort release that filename is snortrules-snapshot-29120.tar.gz.

Edit: Just tested this on a virtual machine set up with pfSense and Suricata 4.0.13_11, and it worked perfectly. I used the IPS Connectivity policy on the WAN interface of the virtual machine.

Snowaks (last edited by Snowaks):

I did try it without a URL, just putting in the name (snort-2.9.12.tar.gz); I get a 404 error in the update logs. I looked for a fix, or for what name it should be. All I could find was snort-2.9.12.tar.gz. Will try this right now, as I am having/had memory problems with Snort with my config. It caused a memory leak. So I switched to Suricata and the problem was solved. I have not used a guide to set up Snort or Suricata, which may be part of my problem. Most everything was just like the Snort pkg, so I knew how to set it up.

Snowaks:

@bmeeks said in Suricata Snort VRT Rules Problem/Missing:
> snortrules-snapshot-29120.tar.gz

Works 100%. Yes, I saw/read that post but did not see the above file name. Thanks, by the way.

bmeeks (replying to Snowaks):

@snowaks said in Suricata Snort VRT Rules Problem/Missing Fixed!:
> @bmeeks said in Suricata Snort VRT Rules Problem/Missing:
> > snortrules-snapshot-29120.tar.gz
> Works 100%. Yes, I saw/read that post but did not see the above file name. Thanks, by the way.

You need to go visit www.snort.org and learn how the rules files are named. You will need to sign in with your credentials at the Snort site. Did you try that?

Snowaks:

I have been on the site before; that's how I got the name above. What do you mean, in the forums or on the main page?

bmeeks (replying to Snowaks, last edited by bmeeks):

@snowaks said in Suricata Snort VRT Rules Problem/Missing Fixed!:
> I have been on the site before; that's how I got the name above. What do you mean, in the forums or on the main page?

The rules archive files are not named exactly the same as the binary. The numbers are the same, but the formatting is different. That's what I was saying you would notice by visiting the snort.org web site. For example, the current binary version of Snort is 2.9.12, but that is not the name of the required rules file for Suricata. That filename is snortrules-snapshot-29120.tar.gz.

You stated in one of your posts that you were trying to use the filename snort-2.9.12.tar.gz. That is not the correct format for the rules archive name. So based on that, I assumed you had never visited the Snort web site to see how the actual rules archives are named. To see the actual rules filename you have to log in to the Snort web site using your credentials there and click on the Downloads and then Rules links. On the page that opens you will see the actual filenames that you would need to put into the filename text box in Suricata. The sticky post on this forum that I provided a link for talks about visiting Snort.org to get the correct filename, and about watching that site at least monthly to note when rule versions go EOL (end of life) and new versions are released.

Note that Suricata will not work properly with any Snort3 rules, so only use rules files designed for Snort 2.9.x versions with Suricata.

Snowaks:

Hey, thanks for all the info. It's been a great help, and I hope this helps others! :)

Snowaks (last edited by Snowaks):

So, one question I have now that 3.0 is out for Snort: will the 2.9 train no longer get updated? At least, the latest I've seen was snortrules-snapshot-29140.tar.gz, and it was almost a year old.

bmeeks (replying to Snowaks, last edited by bmeeks):

@Snowaks said in Suricata Snort VRT Rules Problem/Missing Fixed!:
> So, one question I have now that 3.0 is out for Snort: will the 2.9 train no longer get updated? At least, the latest I've seen was snortrules-snapshot-29140.tar.gz, and it was almost a year old.

Snort3 is not actually "out" yet. It is still in Beta and has been in Beta for about a year. The Snort 2.9.x rule sets and source will continue to be updated for a while.

And DO NOT attempt to use the Snort3 rules with Suricata. You will break it badly if you try that. Suricata cannot work properly with Snort3 rules.

The snortrules-snapshot-29140.tar.gz file is not a year old. Not sure where you think you are seeing that. The file is updated approximately twice per week. Snort 2.9.13 is the current binary version, and those rules are also updated about twice a week. Since there is a 2.9.14 rule set posted on the Snort site, I suspect a release update for the binary is about to drop (that would be Snort 2.9.14).

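Putting bmeeks's two points into code, the naming rule for the Snort Subscriber rules archive (2.9.12 becomes snortrules-snapshot-29120.tar.gz, 2.9.14 becomes snortrules-snapshot-29140.tar.gz) and the warning never to feed Suricata a Snort3 archive: the block below is an added example written for this page, not code from the pfSense Suricata package, from Suricata or from Snort. It assumes the snort.org download URL form `https://www.snort.org/rules/<archive>?oinkcode=<code>`, which the thread does not state, and every function name in it is the example's own. It derives the archive name from a Snort version, flags the three mistakes made in the thread (pasting a URL into the filename box, using the binary tarball name snort-2.9.12.tar.gz, and pointing Suricata at a Snort 3 archive), and masks the oinkcode before a URL is logged, because the oinkcode is a credential for the subscriber's snort.org account and should not end up in an update log or a forum post.

```python
"""Derive and sanity-check the Snort Subscriber (VRT) rules archive name that
the pfSense Suricata package's "Snort Rules Filename" box expects.

Added example for this thread; not pfSense, Suricata or Snort code.
Assumed (not stated in the thread): the snort.org download URL form
https://www.snort.org/rules/<archive>?oinkcode=<code>, and all helper names.
"""
import re
from urllib.parse import quote

SNORT_RULES_BASE = "https://www.snort.org/rules/"  # assumed URL form, see docstring

# Archive names seen in the thread: snortrules-snapshot-29120.tar.gz (Snort 2.9.12)
# and snortrules-snapshot-29140.tar.gz (Snort 2.9.14).
_ARCHIVE_RE = re.compile(r"^snortrules-snapshot-(\d{4,6})\.tar\.gz$")
# The binary/source tarball name the poster tried by mistake.
_BINARY_RE = re.compile(r"^snort-\d+(?:\.\d+)+\.tar\.gz$")


def rules_archive_name(version: str) -> str:
    """Map a Snort version to its rules tarball name.

    Snort drops the dots and pads the version to four fields, so
    2.9.12 -> 2.9.12.0 -> 29120 and 2.9.14 -> 29140.
    """
    fields = version.strip().split(".")
    if not 3 <= len(fields) <= 4 or not all(f.isdigit() for f in fields):
        raise ValueError(f"unrecognised Snort version: {version!r}")
    fields += ["0"] * (4 - len(fields))
    return f"snortrules-snapshot-{''.join(fields)}.tar.gz"


def check_rules_filename(value: str, for_suricata: bool = True) -> list[str]:
    """Return the problems with a user-supplied filename (empty list means OK).

    Catches the three mistakes from the thread: pasting a URL, using the
    source tarball name, and pointing Suricata at Snort 3 rules.
    """
    v = value.strip()
    if "://" in v or v.lower().startswith("www."):
        return ["looks like a URL; enter only the archive filename"]
    if _BINARY_RE.match(v):
        return ["that is the Snort source tarball name, not a rules archive"]
    m = _ARCHIVE_RE.match(v)
    if not m:
        return ["expected snortrules-snapshot-<version digits>.tar.gz"]
    digits = m.group(1)
    if for_suricata and not digits.startswith("29"):
        # First two digits are major.minor; Suricata only works with 2.9.x rules.
        return [f"Snort {digits[0]}.{digits[1]}.x rules; Suricata needs a 2.9.x archive"]
    return []


def download_url(filename: str, oinkcode: str) -> str:
    """Build the fetch URL the way a rules downloader would (URL form assumed)."""
    if check_rules_filename(filename, for_suricata=False):
        raise ValueError(f"refusing to build a URL for bad filename {filename!r}")
    return f"{SNORT_RULES_BASE}{filename}?oinkcode={quote(oinkcode, safe='')}"


def redact_oinkcode(text: str) -> str:
    """Mask the oinkcode before a URL is written to an update log or pasted
    into a forum post; it is a credential tied to the snort.org account."""
    return re.sub(r"(oinkcode=)[^&\s]+", r"\1<redacted>", text)


def explain_http_status(status: int) -> str:
    """Turn the status code seen in the update log into the likely cause."""
    if status == 404:
        return ("archive not found: filename typo, or that 2.9.x rule set went EOL; "
                "check the current name under Downloads > Rules on snort.org")
    if status in (401, 403):
        return "request rejected: check the oinkcode and the subscription"
    if status == 200:
        return "download OK"
    return f"unexpected HTTP {status}"


if __name__ == "__main__":
    for ver in ("2.9.12", "2.9.14.0", "3.1.47.0"):  # versions chosen for illustration
        print(ver, "->", rules_archive_name(ver))
    for typed in ("snort-2.9.12.tar.gz",
                  "https://www.snort.org/rules/snortrules-snapshot-29120.tar.gz",
                  "snortrules-snapshot-31470.tar.gz",
                  "snortrules-snapshot-29120.tar.gz"):
        print(typed, "->", check_rules_filename(typed) or "OK")
    url = download_url("snortrules-snapshot-29120.tar.gz", "constructed-oinkcode")
    print(redact_oinkcode(url))
    print(explain_http_status(404))
```

The Suricata check keys on the leading "29" in the digit group rather than on the archive's full version, which is deliberate: the reverse mapping from 29120 back to 2.9.12.0 is ambiguous in general, but the major and minor fields are always the first two digits, and "is this a 2.9.x archive" is the only question the Suricata package needs answered. A 404 from the update is handled as a naming or EOL problem, not a credential problem, which matches what the poster saw when the wrong name was entered.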
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.