Using Suricata SID Mgmt
-
Doh...Again, no one has ever accused me of being smart.
I checked the box at the top of SID Mgmt, chose the interfaces to Rebuild and Save, restarted the interfaces and then checked the Active Rules. All are now set on the action to Drop. As well, I can now view the sid_changes.log file.
Nice!!! Whew. I'm so glad this works.
-
Ok, so now the Suricata Updates are displaying "Not Downloaded".
So I chose to Force update and a half hour later, the updates are still not downloaded. In the Status > System Logs > System > General, I'm seeing -
[Suricata] There is a new set of Emerging Threats Open rules posted. Downloading emerging.rules.tar.gz...
[Suricata] Emerging Threats Open rules file update downloaded successfully.
[Suricata] There is a new set of Snort rules posted. Downloading snortrules-snapshot-29151.tar.gz...
The Snort rules are where it looks to have stopped.
Interestingly though, more than a half hour later, the updates still appear to be downloading -
Not sure if this is normal or not.
-
So a hard restart of pfSense resolved the update issue. I think I'm out of the weeds now.
Thanks Bill.
-
@newUser2pfSense said in Using Suricata SID Mgmt:
So a hard restart of pfSense resolved the update issue. I think I'm out of the weeds now.
Thanks Bill.
You're not 100% out of the woods. You need to change your configuration to pull down the most current Snort 2.9.x rule set. That 2.9.15.1 version is now outdated. Read the information in this thread to understand why and how you must manually configure Suricata to obtain the most current Snort rules: https://forum.netgate.com/topic/110325/using-snort-vrt-rules-with-suricata-and-keeping-them-updated.
-
Thanks for the link Bill. Read it all and will keep in mind to check every 30 days for any Snort rule updates. I changed the 2.9.15.1 version of the Snort rules to snortrules-snapshot-29170.tar.gz. Suricata updated with no issues.
-