Netgate Discussion Forum

    Strange behavior on "Update Your Rules Set" at Snort Service

    • Daniel1972

      Hi.
      I am having strange behavior at Update Rules in the Snort Service.

      I am running pfSense ver. 2.4.4 with the Snort 3.2.9.9 package.

      I was trying to update rules, so I pressed the Update Rules button at "Update Your Rule Set". After a while, Last Update still reported the prior last update date (Aug-16 2019).

      So I checked my Oinkmaster code and my Snort account; it's the free subscription but it's working OK.

      Then I pressed "Force Update" and after waiting a while, the Last Update banner still reported the same date as before (Aug-16 2019).

      I decided to restart the Snort Service. Same result.

      So I checked the forum in order to find a manual process, but when I opened /usr/local/etc/snort and /usr/local/etc/snort/rules I noticed that a lot of files in both folders were modified today.

      So I got lost.

      The only thing I haven't tried yet is restarting Snort.

      Any clue or hint?

      Thanks!

      • bmeeks

        You are not running the current version of pfSense nor are you running the current version of Snort. So both of those conditions are potential problems.

        First, update your pfSense firewall to the latest 2.4.5_p1 version that should be showing as available on the Dashboard.

        Running the pfSense update may result in the automatic upgrade of Snort to the latest 3.2.9.14_1 version. If not, then you can update Snort under SYSTEM > PACKAGE MANAGER. But DO NOT attempt to update Snort until you have updated pfSense. If you try to update Snort first, you will break your installation badly!

        If you want to see why your rules update is failing, you will need to examine the update log available on the UPDATES tab. There is no manual CLI method for updating Snort rules. You must do that from the GUI only.

        • Daniel1972

          Thanks bmeeks.

          I am gonna upgrade and see what happens.

          This is my production firewall, so it's a critical task; I'll probably take my time to do it.

          Thanks again.

          • bmeeks @Daniel1972

            @Daniel1972 said in Strange behavior on "Update Your Rules Set" at Snort Service:

            Thanks bmeeks.

            I am gonna upgrade and see what happens.

            This is my production firewall, so it's a critical task; I'll probably take my time to do it.

            Thanks again.

            Keeping your firewall updated is very important to overall network security. Older software versions can have unpatched vulnerabilities.

            I don't know what else is installed on your firewall, but the following things are common causes of rule download issues:

            1. Using a RAM disk, especially for /tmp. Snort needs 256 MB of free space in /tmp to safely download, extract and install updated rules. Many users configure a RAM disk and wind up shooting themselves in the foot because the disk size is too small and they run out of space during the rules update. This does not show up on the Dashboard, though, because at the end of an update Snort will clean up after itself. So any space that was in use is returned. You can check the pfSense system log to see if there are any disk-space related errors.

            2. Running Squid or any of the Squid-related packages. These frequently interfere with the Snort rules downloads.

            3. There have been reports of some IP lists used in pfBlockerNG causing problems, particularly if the list contains any AWS IP space. The Snort team hosts their rules files on Amazon Web Services IP space.

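The /tmp space check and the log check described in the last post, as an added example that is not part of the thread or of the Snort package. The 256 MB figure is from the post; the function names, the two error strings matched, and the sample log lines are assumptions constructed for illustration. Because the space is returned once an update finishes, the free-space figure shows headroom before an update, while the log scan is what catches a shortage that happened during one.

```shell
#!/bin/sh
# Added example, not from the thread. REQUIRED_MB is the figure given in the post.
REQUIRED_MB=256

# Constructed sample log lines (not taken from a real firewall).
SAMPLE_LOG='Aug 17 00:05:12 fw kernel: pid 4321 (tar), uid 0 inumber 12 on /tmp: filesystem full
Aug 17 00:05:12 fw php: tar: write error: No space left on device
Aug 17 00:10:00 fw sshd[900]: Accepted publickey for admin from 192.0.2.10'

# Print the free space, in whole MB, of the filesystem holding directory $1.
free_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($4 / 1024) }'
}

# Succeed when $1 (free MB) meets the requirement.
enough_space() {
    [ "$1" -ge "$REQUIRED_MB" ]
}

# Count stdin lines that report an out-of-space condition.
count_space_errors() {
    grep -c -i -E 'filesystem full|no space left on device' || true
}

# Print the verdict for /tmp and the error count for the sample log.
report() {
    mb=$(free_mb /tmp)
    if enough_space "$mb"; then
        echo "/tmp: ${mb} MB free (>= ${REQUIRED_MB} MB)"
    else
        echo "/tmp: ${mb} MB free, below the ${REQUIRED_MB} MB needed"
    fi
    n=$(printf '%s\n' "$SAMPLE_LOG" | count_space_errors)
    echo "sample log: ${n} disk-space error line(s)"
}

report
```

On the firewall, feed the text of the system log to `count_space_errors` in place of `SAMPLE_LOG`.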
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.