Netgate Discussion Forum
    Important Notice for Snort and Suricata Users on pfSense !!!

    IDS/IPS
    12 Posts 4 Posters 941 Views
    • bmeeks

      Snort and Suricata users on pfSense -- I need your cooperation to mitigate a problem we all have inadvertently caused the fine folks over at Snort.org. So many pfSense users have installed either Snort or Suricata, and are using the Snort Subscriber Rules, that we are overloading their rules download site at 5 minutes past the hour almost every hour.

      Edit: the Snort team tells me they are seeing 24,000 unique pfSense users per day hitting their servers!

      We all need to stagger our rules update times a little to minimize that impact. Here are the details.

      The default Rules Update Start Time in both Snort and Suricata is 5 minutes past midnight local time. We have so many users now around the world that a significant number are hitting the Snort.org site at precisely 5 minutes past the hour every hour due to the different time zones. So please go to the GLOBAL SETTINGS tab in Snort or Suricata and change your Rules Update Start Time to something other than 5 minutes past the hour. Try to be a bit random with the value you choose, especially the minutes value.

      Here is where to find the setting once on the GLOBAL SETTINGS tab:

      [screenshot: GLOBAL_SETTINGS_Rules_Update_Settings_Start_Time.png]

      Change the time in the highlighted textbox and save the change. That's it!

      So you see in my example I have set the update time to be at 01:30 local time. Because I have the Update Interval drop-down directly above set to 12 HOURS, my rules update check will run at 1:30 AM and 1:30 PM each day. Please don't everyone copy the settings above! That will just move the problem to another time. Instead, choose a value that will work for you. Maybe choose odd minutes or whatever.

      The next update for both Snort and Suricata will begin randomizing the rules update check a little by shuffling the minutes value.

      Thanks!
      Bill

      • NollipfSense @bmeeks

        @bmeeks Just changed mine; however, I had it once per day.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

        • bmeeks @NollipfSense

          @NollipfSense said in Important Notice for Snort and Suricata Users on pfSense !!!:

          @bmeeks Just changed mine; however, I had it once per day.

          Once per day is fine, and actually is sufficient. The screenshot I posted is from a virtual machine I use for testing so I just happened to have twice per day set for it. The rules actually only update twice a week for Snort Rules, usually on Tuesdays and Thursdays.

          • NollipfSense @bmeeks

            @bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:

            Once per day is fine, and actually is sufficient.

            That's what I thought for a home/office/lab environment.

            • RonpfS

              Maybe you could add this notice in future releases of Snort and Suricata.

              2.4.5-RELEASE-p1 (amd64)
              Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
              Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

              • bmeeks @RonpfS

                @RonpfS said in Important Notice for Snort and Suricata Users on pfSense !!!:

                Maybe you could add this notice in future releases of Snort and Suricata.

                I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.

                • RonpfS @bmeeks

                  @bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:

                  I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.

                  Even better 👍

                  • JohnKap @bmeeks

                    @bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:

                    I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.

                    Another approach may be to add a random time period (say up to 60 seconds) to whatever is configured in the interface. With just about all pfSense instances being sync'd with NTP, you may still have a cluster of machines hitting the servers at a specific minute. Kicking off the update at random seconds past the minute may also assist in minimizing the impact.

                    • bmeeks @JohnKap

                      @JohnKap said in Important Notice for Snort and Suricata Users on pfSense !!!:

                      Another approach may be to add a random time period (say up to 60 seconds) to whatever is configured in the interface. With just about all pfSense instances being sync'd with NTP, you may still have a cluster of machines hitting the servers at a specific minute. Kicking off the update at random seconds past the minute may also assist in minimizing the impact.

                      Thank you for the suggestion. I will keep it in mind.

                      • RonpfS

                        Add a Pick Random Time button 😜

                        • bmeeks @RonpfS

                          @RonpfS said in Important Notice for Snort and Suricata Users on pfSense !!!:

                          Add a Pick Random Time button 😜

                          Yeah, that's another option. I'm going to see how the two edits I've made work out. An update for Snort and Suricata should appear in a day or two with the changes. One randomizes the minutes portion of the update time if the user has the old default of "00:05". For brand new installs with no previously saved values, the system will choose a random minute to populate the field with and leave the default hour at 00.

                          And as a final bit of salt (to use a crypto term), I took @JohnKap's suggestion and the actual PHP module that performs the rules update will randomly sleep between 0 and 35 seconds when it is launched (whether by the cron task or by the user clicking Update on the UPDATES tab).

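The time-zone clustering Bill describes in the opening post, and the two mitigations he describes in the post above (randomize the minute of a start time still at the old "00:05" default, pick a random minute for new installs, and sleep 0 to 35 seconds before the download starts), as an added example that is not the pfSense Snort/Suricata package's own PHP code. It models a fleet of firewalls spread over whole-hour UTC offsets (an assumption; real zones with 30- and 45-minute offsets are left out) and counts how many downloads land in each UTC minute with and without the mitigations. All function and constant names are hypothetical.

```python
"""Added example, not the pfSense package code: model the rules-update
thundering herd from this thread and Bill's two mitigations."""
import random
from collections import Counter
from typing import Optional

OLD_DEFAULT = "00:05"            # the old package default, local time
MAX_JITTER_SECONDS = 35          # upper bound of the sleep Bill quotes
# Whole-hour UTC offsets only (assumption); 24 distinct offsets so that
# no two zones fold onto the same UTC hour in the unmitigated case.
ZONE_OFFSETS = list(range(-11, 13))


def migrate_start_time(saved: Optional[str], rng: random.Random) -> str:
    """Start time the package should use after an upgrade or fresh install.

    * no saved value (green-field install): hour 00, random minute
    * saved value still the old default "00:05": keep the hour, random minute
    * anything else: the user chose it deliberately, leave it alone
    """
    if saved is None:
        return f"00:{rng.randrange(60):02d}"
    if saved == OLD_DEFAULT:
        hour = saved.split(":")[0]
        return f"{hour}:{rng.randrange(60):02d}"
    return saved


def jitter_seconds(rng: random.Random) -> int:
    """Random sleep applied when the update module is launched."""
    return rng.randint(0, MAX_JITTER_SECONDS)


def utc_hit_minute(local_hhmm: str, tz_offset_hours: int, delay_seconds: int) -> int:
    """Minute of the UTC day (0..1439) at which one client's download starts."""
    hour, minute = (int(x) for x in local_hhmm.split(":"))
    local_seconds = hour * 3600 + minute * 60 + delay_seconds
    utc_seconds = (local_seconds - tz_offset_hours * 3600) % 86400
    return utc_seconds // 60


def simulate(n_clients: int, mitigated: bool, seed: int = 0) -> Counter:
    """Histogram: UTC minute -> number of clients starting a download then.

    Clients are assigned round-robin to ZONE_OFFSETS so each zone holds
    exactly n_clients / len(ZONE_OFFSETS) firewalls.
    """
    rng = random.Random(seed)
    hits: Counter = Counter()
    for i in range(n_clients):
        zone = ZONE_OFFSETS[i % len(ZONE_OFFSETS)]
        if mitigated:
            start = migrate_start_time(OLD_DEFAULT, rng)   # upgrade path
            delay = jitter_seconds(rng)
        else:
            start = OLD_DEFAULT                             # everyone at 00:05 local
            delay = 0
        hits[utc_hit_minute(start, zone, delay)] += 1
    return hits


def peak_load(hist: Counter) -> int:
    """Largest number of downloads that start within one UTC minute."""
    return max(hist.values())


if __name__ == "__main__":
    old = simulate(2400, mitigated=False)
    new = simulate(2400, mitigated=True)
    print("unmitigated: peak per minute =", peak_load(old),
          "minutes used =", len(old))
    print("mitigated:   peak per minute =", peak_load(new),
          "minutes used =", len(new))
```

With the old default every client in a zone lands on the same UTC minute, and because the zones step by one hour, the server sees a spike at five past every hour all day; the random minute spreads each zone over a full hour and the jitter blurs the minute boundary on top of that.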
                          • NollipfSense @bmeeks

                            @bmeeks Bill, you're AWESOME!

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.