Important Notice for Snort and Suricata Users on pfSense !!!
-
@bmeeks Just changed mine; however, I had it once per day.
-
@NollipfSense said in Important Notice for Snort and Suricata Users on pfSense !!!:
@bmeeks Just changed mine; however, I had it once per day.
Once per day is fine, and actually is sufficient. The screenshot I posted is from a virtual machine I use for testing so I just happened to have twice per day set for it. The rules actually only update twice a week for Snort Rules, usually on Tuesdays and Thursdays.
-
@bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:
Once per day is fine, and actually is sufficient.
That's what I thought for a home/office/lab environment.
-
Maybe you could add this notice in future releases of Snort and Suricata.
-
@RonpfS said in Important Notice for Snort and Suricata Users on pfSense !!!:
Maybe you could add this notice in future releases of Snort and Suricata.
I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.
-
@bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:
@RonpfS said in Important Notice for Snort and Suricata Users on pfSense !!!:
Maybe you could add this notice in future releases of Snort and Suricata.
I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.
Even better
-
@bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:
I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.
Another approach may be to add a random time period (say up to 60 seconds) to whatever is configured in the interface. With just about all pfSense instances being sync'd with NTP, you may still have a cluster of machines hitting the servers at a specific minute. Kicking off the update at random seconds past the minute may also assist in minimizing the impact.
-
@JohnKap said in Important Notice for Snort and Suricata Users on pfSense !!!:
@bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:
I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.
Another approach may be to add a random time period (say up to 60 seconds) to whatever is configured in the interface. With just about all pfSense instances being sync'd with NTP, you may still have a cluster of machines hitting the servers at a specific minute. Kicking off the update at random seconds past the minute may also assist in minimizing the impact.
Thank you for the suggestion. I will keep it in mind.
-
Add a Pick Random Time button
-
@RonpfS said in Important Notice for Snort and Suricata Users on pfSense !!!:
Add a Pick Random Time button
Yeah, that's another option. I'm going to see how the two edits I've made work out. An update for Snort and Suricata should appear in a day or two with the changes. One randomizes the minutes portion of the update time if the user has the old default of "00:05". For brand new installs with no previously saved values, the system will choose a random minute to populate the field with and leave the default hour at 00.
And as a final bit of salt (to use a crypto term), I took @JohnKap's suggestion and the actual PHP module that performs the rules update will randomly sleep between 0 and 35 seconds when it is launched (whether by the cron task or by the user clicking Update on the UPDATES tab).
-
@bmeeks Bill, you're AWESOME!
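-
The scheduling change described in this thread (a random minute for new installs and for the old "00:05" default, plus a 0 to 35 second sleep at launch), sketched as an added example. It is not the Snort or Suricata package's PHP code; the function names and the 6000-client fleet are constructed for illustration.

```python
import random
from collections import Counter

OLD_DEFAULT = "00:05"  # old default start time named in the thread


def pick_start_time(saved, rng):
    """Return the HH:MM start time to store for the rules update job."""
    if saved is None:
        # New install: hour stays at 00, minute is chosen at random.
        return "00:%02d" % rng.randrange(60)
    if saved == OLD_DEFAULT:
        # Upgrade with the old default still set: keep the hour, re-roll the minute.
        return "%s:%02d" % (saved.split(":")[0], rng.randrange(60))
    return saved  # a time the user picked is left alone


def launch_second(start_time, rng, max_sleep=35):
    """Second of the day at which the update actually contacts the rule server."""
    hour, minute = (int(part) for part in start_time.split(":"))
    return hour * 3600 + minute * 60 + rng.randint(0, max_sleep)


def peak_per_second(seconds):
    """Largest number of clients that start in the same second."""
    return max(Counter(seconds).values())


def simulate(clients=6000, seed=1):
    """Compare the peak load before and after the change (constructed fleet)."""
    rng = random.Random(seed)
    # Before: every NTP-synced firewall on the default starts at 00:05:00.
    before = [5 * 60] * clients
    # After: random minute plus a 0-35 second sleep at launch.
    after = [launch_second(pick_start_time(OLD_DEFAULT, rng), rng)
             for _ in range(clients)]
    return peak_per_second(before), peak_per_second(after)


if __name__ == "__main__":
    before, after = simulate()
    print("peak starts in one second: before=%d after=%d" % (before, after))
```

The minute and the sleep together spread the starts over 60 x 36 distinct seconds of the hour, so the worst second sees a handful of clients instead of the whole fleet.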