Snort Problems



  • ??? Here is what it says when i try to update for 3 days now Please wait… You may only check for New Rules every 15 minutes... and this  Rules are released every month from snort.org. You may download the Rules at any time.
    What is going on and how do i fix it it was working fine ...



  • I'm having the same problem. I just upgraded to pfsense 1.2.3, and reinstalled the latest snort package. Ever since, it just says that "Please wait… You may only check for New Rules every 15 minutes...". Even though I'm waiting hours (or days) inbetween tries. The ruleset is empty.



  • Same story for me - I'm on 1.2.3 Snort Pkg 1.7 and all was fine prior to 2 days ago. At this point I can wait hours before attempting a rules update but get the same "please wait 15 minutes" message. Don't know but since Snort hasn't changed and at least a few users are reporting the same thing, sure sounds like something on the Snort server side has recently changed. If so wouldn't be the first time it's happened. Unlike one of the other Snort users in this thread, I do have an old(er) set of snort rules from past successful updates.

    I know James Dean has been seriously busy with work - not sure who else would be able to investigate? Too bad no way to individually select: update Emerging Threats to see if that at least pulls an update apart from the Snort rules update.



  • Actually, try using these instructions to manually update the rules.

    http://forum.pfsense.org/index.php?topic=15464.0 or

    http://doc.pfsense.org/index.php/Why_won't_snort_properly_download_rules%3F

    You'll have to use a shell but don't need to reboot at the end.  Just go to the snort page and click "save" for it to load the rules.

    I have the same issue - brand new installation of Pfsense using 2.8.4.1_5 pkg v.1.7 from the packages section.  I've tried every 3 hours today, and no go.  Let us know if someone needs logs or command output - I'm not much of a coder, but I can follow directions.  :)



  • I looked at the code, but things have changed so much since I last messed with the snort package, that it's not going to be worth my effort to screw around with. I'm just downloading the rules manually for now.



  • Tried updating the rules manually, and getting this error:

    snort[63763]: FATAL ERROR: Dynamic detection lib /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort/dynamicengine/libsf_engine.so 1.10. The dynamic detection lib is compiled with an older version of the dynamic engine.

    Any thoughts? I tried uninstalling/reinstalling, same thing. Might not be related.

    Edit: resolved by deleting /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so



  • I have the same probléme. the manuelly upgrade not work and snort don't work normally.
    Anybody can help me



  • @JustinHoMi:

    Tried updating the rules manually, and getting this error:

    snort[63763]: FATAL ERROR: Dynamic detection lib /usr/local/lib/snort/dynamicrules//lib_sfdynamic_example_rule.so 1.0 isn't compatible with the current dynamic engine library /usr/local/lib/snort/dynamicengine/libsf_engine.so 1.10. The dynamic detection lib is compiled with an older version of the dynamic engine.

    Any thoughts? I tried uninstalling/reinstalling, same thing. Might not be related.

    Edit: resolved by deleting /usr/local/lib/snort/dynamicrules/lib_sfdynamic_example_rule.so

    I have the exact same error.  I did the same thing and renamed/deleted the file.



  • :( I tryed the manual update and does not seem to work for me .What happened with snort it worked so well for so long and the last time i stopped using Pfsense was because of this same problem .I have no idea why people have to play with things when they work perfectly .
    Has anyone found out the problem yet .Snort still will not update and there is no errors ..



  • Thanks JustinHoMi,

    Worked perfectly! :)



  • I had the same problem.

    solved by changing to basic rules in Global Configuration tab



  • @nufer:

    I had the same problem.

    solved by changing to basic rules in Global Configuration tab

    Doesn't premium rules require a subscription? (And NOT just an Oinkcode=registration)



  • With the premium rules, I am noticing I am not able to update them and I keep getting errors of:

    Directory so_rules does not exist…

    Error copying so_rules...

    I use the basic and it updates fine.  I know snort came up with a new program two days ago.



  • Lost: Broke for me too but I manually fixed it in this thread.http://forum.pfsense.org/index.php/topic,24434.15.html



  • Hello all…

    I am running 1.2.3 with snort 2.8.5.3 v1.22 (upgraded two days ago after the so directory error appeared).

    I cannot update my rules when I have the "Premium Rules" box check (despite being a snort VRT subscriber). I had to select "Basic Rules" in order to get the updates.

    Right now I am not sure I am getting the most recent/up-to-date rules from snort, or if I am getting the 30-day (non-subscriber) rules. I know there are different URLs for the rule snapshots depending on if you are just registered or if you are a subscriber.

    I see others are having this problem, but I have not seen a definite fix. Any suggestion?



  • Good news! Just saw an updated snort package is out. Version 2.8.5.3 pkg v. 1.23 is working with Premium Rules. Not only was I able to download all the rules, but snort started with no errors when I enabled every category (with defaults) on the WAN interface.

    Thanks to the pfSense team for an awesome product!


Log in to reply