Snort rules being updated but not being loaded.



  • Hello Dear Ones.

    After the last update of snort package to 3.2.9.9 on my PfSense box 3.4.4 release p3 on snort update page the rules appear to be being updated since the dates and times are changing but on last update it shows the date and time that the package was updated and never changes. On the Main Pfsense page the last config change date and time are the same one that the package snort was updated. In the update page the last update date and time is the same as the last config change date and time presented on the main page.

    I am not sure if snort is loading the new rules but by the information presented to me apparently it is not. It is just updating the rules but not loading them.

    Any clues?

    Thank you all in advance.



  • Did you enabled the rules? Show us screen shots!



  • I had checked before and already did it again just now and in fact reinstalled the package from scratch again 2 hours ago.

    Now just observing. I am having a different but similar discussion in another topic. Just to amuse me I am keeping a close watch.

    I recommend this cr.... to clients.

    I am not going to do it anymore since I am seeing this odd behaviour.

    In fact see the topic and investigate. I install this cr.. for around 6 years I know what I am doing and the first and obvious thing to do when someone sees this kind of behaviour is discredit. Like let's see you misconfigure again.



  • This is a cosmetic issue only caused by a change I made to prevent routine rule updates from spamming the ACB (auto-config backup) servers used by Netgate. The rules are being updated. You can double-check and prove that to yourself if you look at the rules update log available on the UPDATES tab.

    I need to come up with a different method of saving the "update time". The old method wrote to the config.xml file of the firewall, but each write now triggers an auto-backup, and that both creates a ton of extra config.xml file versions on a users machine as well as hits the Netgate ACB servers pretty hard when users around the world are doing this on a regular basis.



  • @phantonuser said in Snort rules being updated but not being loaded.:

    In fact see the topic and investigate. I install this cr.. for around 6 years I know what I am doing and the first and obvious thing to do when someone sees this kind of behaviour is discredit. Like let's see you misconfigure again.

    You do realize, I hope, that pfSense and all of its packages are open-source software and welcome user code contributions. If you see behavior you do not like or that you want changed, then simply submit a Pull Request to Github here for pfSense and here for Snort. That's what I did when I wanted some additional features added to the Snort package many years ago. Modify the code and then submit it to the core maintainers for consideration. I assure you it will be considered.


Log in to reply