SNORT UPDATE ISSUE WITH DISABLED RULES



  • I have noticed that every system I have running SNORT 2.8.6 pkg. v 1.27 will not update automatically. I have premium VRT and it is set to update every 1 days, but it seems not to update unless I do a manual update on every system.

    I also noticed that after the update it will re-enable every rule I manually disabled, even though during the update process it states it is enabling/disabling your rules configuration.

    This will become a pain if you have to go back and remember every rule you disabled, to disable it again after doing a simple rules update.

    I can reproduce this issue on about 10 different machines. If it is not an issue, what am I doing wrong?

    Is anyone else getting this?

    Thanks,

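One defender-side way to keep a hand-maintained list of disabled rules from being lost when the rule set is refreshed, written here as an added example (it is not code from this thread or from the pfSense Snort package): before the update, record the SIDs of every commented-out rule; after the update, comment those SIDs out again in the freshly downloaded file. The rule lines below are constructed samples, not real VRT content, and the file layout (one rule per line, disabled rules prefixed with `#`) is an assumption about how the rules are stored.

```python
"""Persist Snort rule enable/disable state across a rules update.

Added example, not part of the forum thread or the pfSense Snort package.
Assumes plain-text .rules files with one rule per line and disabled rules
commented out with a leading '#'.
"""
import re

# Matches the 'sid:NNNN;' option inside a rule body.
SID_RE = re.compile(r"\bsid\s*:\s*(\d+)\s*;")
# Matches the start of a rule line, enabled or commented out.
RULE_START_RE = re.compile(r"^\s*#?\s*(alert|log|pass|drop|reject|sdrop)\b")

# Constructed sample: the local rules file as it looked before the update,
# with the ICMP PING rule (sid 384) disabled by hand.
SAMPLE_RULES_BEFORE_UPDATE = """\
# ---- constructed sample, not real VRT content ----
# alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype:8; sid:384; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; itype:0; sid:408; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flags:S; sid:1000001; rev:1;)
"""

# Constructed sample: the same file as delivered by the update (every rule enabled again).
SAMPLE_RULES_AFTER_UPDATE = """\
# ---- constructed sample, not real VRT content ----
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP PING"; itype:8; sid:384; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"ICMP Echo Reply"; itype:0; sid:408; rev:5;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"SSH brute force attempt"; flags:S; sid:1000001; rev:1;)
"""


def rule_sid(line):
    """Return the SID of a rule line (enabled or commented out), or None for non-rule lines."""
    if not RULE_START_RE.match(line):
        return None
    m = SID_RE.search(line)
    return int(m.group(1)) if m else None


def is_disabled(line):
    """True when the line is a rule that has been commented out."""
    return line.lstrip().startswith("#") and rule_sid(line) is not None


def collect_disabled_sids(text):
    """Step 1 (before the update): remember which SIDs the operator disabled."""
    return {rule_sid(l) for l in text.splitlines() if is_disabled(l)}


def apply_disabled_sids(text, disabled):
    """Step 2 (after the update): comment out every listed SID that came back enabled.

    Returns the rewritten file text and the number of rules that were re-disabled.
    Rules that are already commented out are left untouched, so the call is idempotent.
    """
    out, changed = [], 0
    for line in text.splitlines():
        sid = rule_sid(line)
        if sid in disabled and not line.lstrip().startswith("#"):
            line = "# " + line
            changed += 1
        out.append(line)
    return "\n".join(out) + "\n", changed


def reapply_after_update(before_text, after_text):
    """Convenience wrapper: carry the disabled set from the old file into the new one."""
    return apply_disabled_sids(after_text, collect_disabled_sids(before_text))


if __name__ == "__main__":
    new_text, n = reapply_after_update(SAMPLE_RULES_BEFORE_UPDATE, SAMPLE_RULES_AFTER_UPDATE)
    print(f"re-disabled {n} rule(s)")
    print(new_text)
```

Keying the saved state on SIDs rather than on line numbers or rule text is what makes it survive an update: SIDs are stable across revisions (`rev:`) while the rule body and its position in the file change, and a SID that the update removed simply never matches and is silently dropped from the applied set.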


  • I have the exact same issue. It was a concern to me until I installed country block. Now I hardly ever get hit anymore.



  • I also have Country Block installed and running, great package I must add. I am still getting hit many times, but they are all from within the US. I like the SNORT package, but I am also wrestling with it all the time to keep it running correctly for me. I would like to see the SNORT package become part of the base install of pfsense with a preconfigured category and rules list that covers and protects from almost all known attacks, but also gives people the ability to make changes to the preconfigured setup on the fly if need be.

    I know JamesDean has put a lot of good work into supporting and developing this package. I just hope a lot of these bugs get worked out for the upcoming 2.0 version. Aside from the rules issue, I have an issue where it will block my IPsec tunnels when transferring streaming DVR content across the tunnels. The thing that made this so hard to deal with is that even if you whitelisted the IPs, hosts, etc., and/or added suppression rules, there was no way to stop it. So I had to change the way the content was being viewed. I preferred to have all streams going over the tunnels like I have in the past because of not being exposed to attack, but I like the SNORT package too much to give it up, so I created a firewall rule that would only allow connections from a certain port and public IP.

    Another issue I noticed is the preprocessor that detects port scans. I don't know about you, but I had to disable this because when checked on it would block almost everything that touched our WAN interface, such as ping or ICMP echo reply, even though the rules were disabled in the categories.



  • Well, all those issues you are dealing with are the nature of the beast when dealing with snort. The people that actually develop it are the ones that usually break it for pfsense when they make changes, but you can't blame them either. They are trying to stay on the cutting edge of IDS/IPS.

    My point is the same thing will occur in 2.0 as it does in 1.2.3.

    As far as the portscan preprocessor goes, I have it enabled. However, I only use emerging-scan.rules.



  • I understand what you mean. I personally don't blame anyone for the hard work and efforts they put toward the open source project. It is easier for someone to sit back and pick something apart than to actually deal with the programming ins and outs and have someone say, hey, here is a problem, and oh, here is another and another. I am sorry if my post came out that way; I did not mean it to.

    I really think a lot of the pfsense platform and all the developer add-ons. I believe that if pfsense were to stay how they are but expand into becoming a fully Unified Threat Management system, they without a doubt would be the perfect firewall solution.

    Thanks,

    Matt



  • I'll work on it tomorrow morning. This issue keeps haunting the package; I may have to redo all that code.

    James



  • I just wanted to see where this issue is at, or whether there is maybe a fix. Because every time SNORT gets an update, as it should, it will disable rules I enabled, and it will enable rules I disabled. Take for instance when using ICMP rules: I don't want to block ICMP ping, because this will block almost everything on the Internet and gets very annoying when using certain categories. I find myself saying the heck with it and simply disabling the whole category list of rules just for the sake of a few rules causing issues every time SNORT gets updates.

    This is making the package hard to work with when you have to redo all your settings manually after every update.

    Thanks for any help.

