Netgate Discussion Forum

    Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes

        Skozzy @bmeeks

        @bmeeks
        The Snort sub Rules and the ETOpen rules.
        Ah, so that's why the reinstall didn't initially work. Gotcha. Should I only be using either one or the other? I very much appreciate the comprehensive response and breakdown of how it solves my problem, by the way. Right now the reinstall is hanging at the~

        "There is a new set of Snort Subscriber rules posted.
        Downloading snortrules-snapshot-29160.tar.gz..."

        ~step. I did delete the package before this reinstall though.

          bmeeks @Skozzy

          @Skozzy said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:

          @bmeeks
          The Snort sub Rules and the ETOpen rules.
          Ah, so that's why the reinstall didn't initially work. Gotcha. Should I only be using either one or the other? I very much appreciate the comprehensive response and breakdown of how it solves my problem, by the way. Right now the reinstall is hanging at the~

          "There is a new set of Snort Subscriber rules posted.
          Downloading snortrules-snapshot-29160.tar.gz..."

          ~step. I did delete the package before this reinstall though.

          Those rules can take a while to download for some folks. As in several minutes in rare cases.

          No, there is no necessary advantage of one set of rules over the other. I asked because I seem to recall that in the past one of those rules archives contained a copy of unicode.map that would get copied over during the rules update and thus masked the bug of the deleted file. My personal firewall, for instance, has never experienced that particular issue. I run the Snort Subscriber Rules and a handful of ET-Open rules.

            Skozzy @bmeeks

            @bmeeks That would just cause the issue to perpetuate then, no?
            The reinstall has been hung up on that same step for around 45ish mins now. Would you recommend that I keep waiting, or should I refresh the webGUI and try another reinstall?

              bmeeks @Skozzy

              @Skozzy, 45 minutes is way too long. Sounds like pfSense can't reach the web site. Do you have any other packages installed that might interfere? Also, do you have sufficient free disk space in the /tmp directory? You need at least 256 MB of free space there to download and unpack the rules archives safely.

              Some users create RAM disks, but those are never a good idea with the IDS/IPS packages. If you have a RAM disk, be sure the /tmp directory has enough free space. Usually, though, when that is the problem users get an error message about a corrupt archive.

                Skozzy @bmeeks

                @bmeeks As far as packages go, I have dhcpd, dpinger, ntpd, pfb_dnsbl, pfb_filter, suricata, syslogd, and unbound running. arpwatch is disabled currently.

                And my current resources are around:

                CPU usage: 58%
                Memory usage: 54% of 990 MiB
                Disk usage:
                /: 34% of 7.0GiB - ufs
                /var/run: 4% of 3.4MiB - ufs in RAM

                  Ramosel @bmeeks

                  @bmeeks
                  Hey Bill, when I posted my response earlier in this thread, I too had an update go an unusually long time. It’s fine now and updating daily. I’m also experiencing an issue on the pfBlockerNG beta. Is any part of the update code using Python?

                    bmeeks @Ramosel

                    @Ramosel said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:

                    @bmeeks
                    Hey Bill, when I posted my response earlier in this thread, I too had an update go an unusually long time. It’s fine now and updating daily. I’m also experiencing an issue on the pfBlockerNG beta. Is any part of the update code using Python?

                    No, there is no Python anywhere in the IDS/IPS packages.

                      bmeeks @Skozzy

                      @Skozzy said in Snort v3.2.9.12 Update for pfSense-2.4.5 -- Release Notes:

                      @bmeeks As far as packages go, I have dhcpd, dpinger, ntpd, pfb_dnsbl, pfb_filter, suricata, syslogd, and unbound running. arpwatch is disabled currently.

                      And my current resources are around:

                      CPU usage: 58%
                      Memory usage: 54% of 990 MiB
                      Disk usage:
                      /: 34% of 7.0GiB - ufs
                      /var/run: 4% of 3.4MiB - ufs in RAM

                      You never want Snort and Suricata installed on the same box! They will interfere with each other, especially over the use of the snort2c table. Not to mention they will each absorb a large amount of the already slim RAM on the SG-1100 box.

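The checks bmeeks describes in this thread (at least 256 MB free in /tmp, no RAM disk under /tmp, Snort and Suricata not installed together), as an added shell example that is not part of the original posts or of the Snort package. It assumes the package names start with `pfSense-pkg-snort-` and `pfSense-pkg-suricata-` and that a RAM disk appears as a `/dev/md*` or `tmpfs` device; the sample `df` and `pkg info` text is constructed.

```shell
#!/bin/sh
# Added example, not part of the Snort package. Inputs are passed in as text so
# the checks can be exercised off-box with the constructed samples below.
MIN_TMP_MB=256   # free space the thread says /tmp needs for the rules archives

# Print free MB from `df -k /tmp` text on stdin (assumes an unwrapped data row).
tmp_free_mb() { awk 'NR == 2 { printf "%d\n", $4 / 1024 }'; }

# Succeed if /tmp sits on a memory disk (assumption: /dev/md* device or tmpfs).
tmp_is_ramdisk() {
    awk 'NR == 2 && ($1 ~ /^\/dev\/md[0-9]+/ || $1 == "tmpfs") { hit = 1 }
         END { exit hit ? 0 : 1 }'
}

# Succeed if `pkg info` text on stdin lists both IDS packages
# (assumption: pfSense-pkg-snort- / pfSense-pkg-suricata- name prefixes).
both_ids_installed() {
    awk '/^pfSense-pkg-snort-/ { s = 1 } /^pfSense-pkg-suricata-/ { u = 1 }
         END { exit (s && u) ? 0 : 1 }'
}

# preflight DF_TEXT PKG_TEXT: print one WARN line per finding, return 1 if any.
preflight() {
    rc=0
    free=$(printf '%s\n' "$1" | tmp_free_mb)
    if [ "${free:-0}" -lt "$MIN_TMP_MB" ]; then
        echo "WARN: /tmp has ${free:-0} MB free, need ${MIN_TMP_MB} MB"; rc=1
    fi
    if printf '%s\n' "$1" | tmp_is_ramdisk; then
        echo "WARN: /tmp is on a RAM disk"; rc=1
    fi
    if printf '%s\n' "$2" | both_ids_installed; then
        echo "WARN: Snort and Suricata both installed (both use the snort2c table)"; rc=1
    fi
    return $rc
}

# Constructed sample input (not captured from a real firewall).
SAMPLE_DF='Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/md0 39548 120 36268 0% /tmp'
SAMPLE_PKG='pfSense-pkg-snort-3.2.9.12 Snort IDS/IPS package (constructed line)
pfSense-pkg-suricata-X.Y.Z Suricata IDS/IPS package (constructed line)'

preflight "$SAMPLE_DF" "$SAMPLE_PKG" || true
# On the firewall: preflight "$(df -k /tmp)" "$(pkg info)"
```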
                        Ramosel @bmeeks

                        @bmeeks
                        Thanks Bill. Just looking to confirm or exclude a commonality. It’s getting late East-coaster! Your bed is calling.

                        Rick

                          Skozzy @bmeeks

                          @bmeeks Oh man, I had no idea! Thank you for the advice, I really appreciate it.
