Snort VRT Rules not updating



  • I just installed snort from the package window, entered my Oinkmaster code and tried updating the rules.  The Snort GPLv2 Community Rules and Snort OpenAppID Detectors rules came in, but after several tries, the Snort VRT Rules will not.  The FAIL warning comes on.  Is snort overloaded or is there probably a problem?



  • Had the same issue…I couldn't figure it out either. Hoping someone weighs in on this.



  • Also having the problem here. I think VRT dropped support for our version. I checked to see if there is an update but no luck.



  • That is definitely the problem.

    from https://www.snort.org/eol

    Snort Version    Released     EOL
    Snort 2.9.7.6    2015-09-30   TBD**
    Snort 2.9.8.0    2015-12-01   2016-06-28
    Snort 2.9.8.2    2015-12-01   2016-09-20
    Snort 2.9.8.3    2016-06-22   TBD**

    So support for the PFSense version ended on 6-28.
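As an added example (not code from this thread or from the pfSense Snort package), here is a small Python check that reads the EOL table quoted above and reports whether a given installed Snort version can still expect VRT rule snapshots; the table text is a constructed copy of the post's table and the "today" date is an assumption passed in by the caller.

```python
from datetime import date

# Constructed copy of the snort.org/eol table quoted in the post above.
# "TBD**" means no EOL date has been announced for that version yet.
EOL_TABLE = """\
Snort 2.9.7.6 2015-09-30 TBD**
Snort 2.9.8.0 2015-12-01 2016-06-28
Snort 2.9.8.2 2015-12-01 2016-09-20
Snort 2.9.8.3 2016-06-22 TBD**
"""


def parse_eol_table(text):
    """Return {version: (released, eol)} with eol=None when still TBD."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip the header row and anything that is not a 4-column data row.
        if len(parts) != 4 or parts[0] != "Snort" or parts[1] == "Version":
            continue
        _, version, released, eol = parts
        eol_date = None if eol.startswith("TBD") else date.fromisoformat(eol)
        table[version] = (date.fromisoformat(released), eol_date)
    return table


def rules_status(version, table, today):
    """Classify an installed Snort version as 'supported', 'eol' or 'unknown'.

    An 'eol' result explains the FAIL seen in the thread: Talos/VRT stops
    building rule snapshots for a version once its EOL date has passed.
    """
    entry = table.get(version)
    if entry is None:
        return "unknown"  # version not listed; cannot decide from this table
    _, eol = entry
    if eol is None or today < eol:
        return "supported"
    return "eol"


if __name__ == "__main__":
    table = parse_eol_table(EOL_TABLE)
    # Assumed check date: the July 4 weekend discussed later in the thread.
    for v in ("2.9.8.0", "2.9.8.3"):
        print(v, rules_status(v, table, date(2016, 7, 4)))
```

On a pfSense box the version to pass in is the one the Snort package ships, which the thread identifies as 2.9.8.0 before the update and 2.9.8.3 after it.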



  • That brings up an interesting question.  I wouldn't mind paying for the rules.  It is a minimal cost per month/year.  However, are there available snort rules for pfSense?



  • I pay for the Snort VRT rules. Unfortunately that doesn't matter, as pfSense's version is currently unsupported (not sure why we're on such an old, unsupported version), so even with a paid Oink code your updates will fail, as the VRT team is no longer compiling rules for this version.



  • I found something else strange. If you go into the packages and click on the link for snort it takes you here

    https://github.com/pfsense/FreeBSD-ports/commits/devel/security/pfSense-pkg-snort

    According to that snort has been updated to 2.9.8.3 which is a supported version.

    Bump Snort GUI package to 3.2.9.1_14 for bug fixes and 2.9.8.3 binary…
    bmeeks8 committed 14 hours ago

    Unfortunately that GIT update appears to be invalid as I've tried to update a half a dozen times and it's not pulling down snort 2.9.8.3

    [2.3.1-RELEASE][admin@chadhome.cox.net]/root: pkg update
    Updating pfSense-core repository catalogue…
    pfSense-core repository is up-to-date.
    Updating pfSense repository catalogue...
    pfSense repository is up-to-date.
    All repositories are up-to-date.
    [2.3.1-RELEASE][admin@chadhome.cox.net]/root: pkg upgrade
    Updating pfSense-core repository catalogue…
    pfSense-core repository is up-to-date.
    Updating pfSense repository catalogue...
    pfSense repository is up-to-date.
    All repositories are up-to-date.
    Checking for upgrades (0 candidates): 100%
    Processing candidates (0 candidates): 100%
    Checking integrity... done (0 conflicting)
    Your packages are up to date.



  • @cciechad:

    I pay for the Snort VRT rules. Unfortunately that doesn't matter, as pfSense's version is currently unsupported (not sure why we're on such an old, unsupported version), so even with a paid Oink code your updates will fail, as the VRT team is no longer compiling rules for this version.

    That is what I was suspicious of.  As popular as pfSense is, it doesn't make sense that there are no longer any VRT rules produced for it.  Is there anything else I can use to get important needed VRT-like rules for pfSense?  I have heard about PulledPork, but I can't figure out what it is about.  Possibly another good Snort-like system?



  • PulledPork is just for automated rule management; it doesn't provide any rules on its own. Possibly the ETOpen rules might still work (not sure). At this point it looks like there is an update to the supported version in GIT. Not sure when it's going to hit wherever the package list the routers get, but hopefully it will be pretty soon.

    Chad



  • Found this https://github.com/snortadmin/snort3/blob/master/README.md

    Not sure how to load these rules.



  • Those aren't rules. That appears to be some alpha fork of the snort 2.9 code base.



  • FYI This is a known issue over in the IPS/IDS subforum.

    https://forum.pfsense.org/index.php?topic=114449.msg636406#msg636406



  • The updated 2.9.8.3 package was submitted late Friday evening (July 1) as a pull request.  The pfSense developer that normally handles merging Snort and other binary packages is on vacation.  @cmb merged the update into the DEVEL tree of pfSense, but it did not get into the current RELEASE tree.  Because of the July 4 holiday weekend here in the United States, things are slowed down a bit with folks out enjoying holiday activities.  Should get things squared away with the new 2.9.8.3 package appearing maybe on Tuesday of this week.

    Blame this one on me as I was very late in getting the update pull request submitted.  I do this in volunteer mode and some other commitments had priority last week.  I did not get the update submitted for review until very late in the evening on Friday, July 1.

    Bill



  • @bmeeks:

    The updated 2.9.8.3 package was submitted late Friday evening (July 1) as a pull request.  The pfSense developer that normally handles merging Snort and other binary packages is on vacation.  @cmb merged the update into the DEVEL tree of pfSense, but it did not get into the current RELEASE tree.  Because of the July 4 holiday weekend here in the United States, things are slowed down a bit with folks out enjoying holiday activities.  Should get things squared away with the new 2.9.8.3 package appearing maybe on Tuesday of this week.

    Blame this one on me as I was very late in getting the update pull request submitted.  I do this in volunteer mode and some other commitments had priority last week.  I did not get the update submitted for review until very late in the evening on Friday, July 1.

    Bill

    Bill,

    No worries, and thanks for everything you do. We all appreciate it! Happy 4th!!!



  • @cciechad:

    Those aren't rules. That appears to be some alpha fork of the snort 2.9 code base.

    Snort 3.0 is a rewrite of Snort from the ground up, not a fork.  Just FYI.



  • @battles:

    @cciechad:

    I pay for the Snort VRT rules. Unfortunately that doesn't matter, as pfSense's version is currently unsupported (not sure why we're on such an old, unsupported version), so even with a paid Oink code your updates will fail, as the VRT team is no longer compiling rules for this version.

    That is what I was suspicious of.  As popular as pfSense is, it doesn't make sense that there are no longer any VRT rules produced for it.  Is there anything else I can use to get important needed VRT-like rules for pfSense?  I have heard about PulledPork, but I can't figure out what it is about.  Possibly another good Snort-like system?

    Hi.  Joel Esler here, I work for Talos (was VRT) and am the Program Manager for the ruleset.  (Note: I don't hang out in these forums all the time, so if I miss your reply, I'm sorry.)

    That being said.  It's impossible for us to track the 1,000s of platforms that Snort is built into.  We tried, and we just couldn't keep it up.  We established the EOL policy, probably close to 13 years ago now…  and we've stuck by it.



  • Joel,

    Just curious but why is Suricata not as picky about the VRT rules? Even old versions seem to be able to load current VRT rules.

    Thanks,

    Chad



  • @cciechad:

    Joel,

    Just curious but why is Suricata not as picky about the VRT rules? Even old versions seem to be able to load current VRT rules.

    Thanks,

    Chad

    Snort can load lots of older versions of rules too.  The issue is, we stop making older versions.  We've found that if we keep older versions around, people will become complacent and never upgrade.

    You would upgrade other security devices, why not your IDS?



  • The updated Snort package for pfSense will get posted soon.  It was merged into DEVEL but not into RELEASE.  A pfSense developer will be taking care of merging into RELEASE.  He and I have exchanged e-mails.

    As I mentioned either here or in some of the other related threads, the fault of this late update is on me.  I failed to update the package in a timely manner.  When I realized the old rules were EOL, it was already late Friday afternoon on July 1 (the start of a long holiday weekend in the U.S.).  I will strive to better track the EOL dates for rules. I had been doing well until this one time, but I did drop the ball this time.

    Bill


  • Moderator

    @joelesler:

    Hi.  Joel Esler here, I work for Talos (was VRT) and am the Program Manager for the ruleset.  (Note: I don't hang out in these forums all the time, so if I miss your reply, I'm sorry.)

    That being said.  It's impossible for us to track the 1,000s of platforms that Snort is built into.  We tried, and we just couldn't keep it up.  We established the EOL policy, probably close to 13 years ago now…  and we've stuck by it.

    It's great to have your support in this forum. Bill Meeks, the Dev/Maintainer of the Snort package, has been doing a phenomenal job on what little free time he has available :)

    We're all just thrilled that, out of the 1000s of platforms that use Snort, you registered for an account here…

    It is this (1 of a 1000) that we here really care about, hehe…

    Keep up the great work, and we're looking forward to 3.0 ...

