Important Notice for Snort and Suricata Users on pfSense !!!


  • Snort and Suricata users on pfSense -- I need your cooperation to mitigate a problem we all have inadvertently caused the fine folks over at Snort.org. So many pfSense users have installed either Snort or Suricata, and are using the Snort Subscriber Rules, that we are overloading their rules download site at 5 minutes past the hour almost every hour.

    Edit: the Snort team tells me they are seeing 24,000 unique pfSense users per day hitting their servers!

    We all need to stagger our rules update times a little to minimize that impact. Here are the details.

    The default Rules Update Start Time in both Snort and Suricata is 5 minutes past midnight local time. We have so many users now around the world that a significant number are hitting the Snort.org site at precisely 5 minutes past the hour every hour due to the different time zones. So please go to the GLOBAL SETTINGS tab in Snort or Suricata and change your Rules Update Start Time to something other than 5 minutes past the hour. Try to be a bit random with the value you choose, especially the minutes value.

    Here is where to find the setting once on the GLOBAL SETTINGS tab:

    GLOBAL_SETTINGS_Rules_Update_Settings_Start_Time.png

    Change the time in the highlighted textbox and save the change. That's it!

    So you see in my example I have set the update time to be at 01:30 local time. Because I have the Update Interval drop-down directly above set to 12 HOURS, my rules update check will run at 1:30 AM and 1:30 PM each day. Please don't everyone copy the settings above! That will just move the problem to another time. Instead, choose a value that will work for you. Maybe choose odd minutes or whatever.

    The next update for both Snort and Suricata will begin randomizing the rules update check a little by shuffling the minutes value.

    Thanks!
    Bill


  • @bmeeks Just changed mine; however, I had it once per day.


  • @NollipfSense said in Important Notice for Snort and Suricata Users on pfSense !!!:

    @bmeeks Just changed mine; however, I had it once per day.

    Once per day is fine, and actually is sufficient. The screenshot I posted is from a virtual machine I use for testing so I just happened to have twice per day set for it. The rules actually only update twice a week for Snort Rules, usually on Tuesdays and Thursdays.


  • @bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:

    Once per day is fine, and actually is sufficient.

    That's what I thought for a home/office/lab environment.


  • Maybe you could add this notice in future releases of Snort and Suricata.


  • @RonpfS said in Important Notice for Snort and Suricata Users on pfSense !!!:

    Maybe you could add this notice in future releases of Snort and Suricata.

    I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.


  • @bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:

    @RonpfS said in Important Notice for Snort and Suricata Users on pfSense !!!:

    Maybe you could add this notice in future releases of Snort and Suricata.

    I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.

    Even better 👍


  • @bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:

    I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.

    Another approach may be to add a random time period (say up to 60 seconds) to whatever is configured in the interface. With just about all pfsense instances being sync'd with NTP, you may still have a cluster of machines hitting the servers at a specific minute. Kicking off the update at random seconds past the minute may also assist in minimizing the impact.


  • @JohnKap said in Important Notice for Snort and Suricata Users on pfSense !!!:

    @bmeeks said in Important Notice for Snort and Suricata Users on pfSense !!!:

    I am modifying the package code so that on future updates it will randomize the minutes value of the start time if it detects the user still has the setting at the old default of "00:05". And for green-field installs it will choose a random value for the minutes portion automatically. Hopefully that will take care of the issue going forward.

    Another approach may be to add a random time period (say up to 60 seconds) to whatever is configured in the interface. With just about all pfsense instances being sync'd with NTP, you may still have a cluster of machines hitting the servers at a specific minute. Kicking off the update at random seconds past the minute may also assist in minimizing the impact.

    Thank you for the suggestion. I will keep it in mind.


  • Add a Pick Ramdom Time button 😜


  • @RonpfS said in Important Notice for Snort and Suricata Users on pfSense !!!:

    Add a Pick Ramdom Time button 😜

    Yeah, that's another option. I'm going to see how the two edits I've made work out. An update for Snort and Suricata should appear in a day or two with the changes. One randomizes the minutes portion of the update time if the user has the old default of "00:05". For brand new installs with no previously saved values, the system will choose a random minute to populate the field with and leave the default hour at 00.

    And as final bit of salt (to use a crypto term), I took @JohnKap's suggestion and the actual PHP module that performs the rules update will randomly sleep between 0 and 35 seconds when it is launched (whether by the cron task or by the user clicking Update on the UPDATES tab).


  • @bmeeks Bill, you're AWESOME!