    Snort Updating problems !!!

    pfSense Packages
    • ?
      A Former User last edited by

      Here we go with the same old problem. Snort does not update again, says Please wait… You may only check for New Rules every 15 minutes...  The last time the updates were started 2010-Jun-28th-11:19-AM.
      I see on the snort site there is a new file?

      1 Reply Last reply Reply Quote 0
      • S
        simby last edited by

        I have the same problem on pfsense 2.0. build 29.6.2010!!

        1 Reply Last reply Reply Quote 0
        • T
          tester_02 last edited by

          Looks like snort moved the file download location (see post on their site).
          We will have to wait for jamesdean to update the package.  Maybe in the future Jamesdean will add it so we can manually change it.
          Sucks that snort is always changing things…

          1 Reply Last reply Reply Quote 0
          • S
            simby last edited by

            or add options to manual update packet :)

            1 Reply Last reply Reply Quote 0
            • T
              tehtrk last edited by

              @cdx304:

              I don't understand why this is a regular thing. I think it is time to find a new security package than pfsense. Because at work we use another one and there is zero problems with snort on that one. The only thing they can't do on that one is unblock an IP. That is why I do not use it here on my network.
              Fix this stupid problem or a lot of us will be going elsewhere for our security. This seems to be only on pfsense, no other one has the problem.
              If you guys want to know the Unified threat management software, private message me. Because this is the third time in 6 weeks and it has to stop, period.

              No one is forcing you to use pfSense. You're free to use whatever you want. You could do what I and others are doing and try to find a solution with the ultimate goal being a patch that everyone benefits from. I guess you could threaten to leave, but that will only mean the problem will be fixed despite your ranting, not because of it. This isn't "demandware"  ::)

              1 Reply Last reply Reply Quote 0
              • J
                jamesdean last edited by

                Give me 20 min.

                We are not the only ones affected by this issue; other firewalls are down too.
                The snort security mailing lists are flooded with complaints like this thread.

                Snort changed the urls again and moved their files to amazon E2.

                Every time I make a change I have to wait 15 min, that sucks.

                James

                1 Reply Last reply Reply Quote 0
                • T
                  tehtrk last edited by

                  First of all, pfSense != pfSense packages. If you're going to criticize something, at least criticize the right thing.

                  Secondly, pfSense is used by companies. If I were to pay for a support contract and not get any support, then I would be pissed. By itself, though, pfSense is free, freedom and beer-wise. The snort package maintainer uses his time to provide others with something that normally works quite well and is not a $3,299 proprietary add-on.

                  Also, companies can't run, they don't even have legs. That is as close as I am getting to your level of childishness.

                  Edit: Thank you jamesdean for all the work you are putting into this. I thought it sounded odd that our snort implementation was the only one affected…

                  1 Reply Last reply Reply Quote 0
                  • X
                    XIII last edited by

                    pfSense is just the operating system.
                    snort is a package that is used by thousands of people, squid is another one.
                    Example of squid in use: have a blackberry? go to 192.168.100.1, you will see a squid error message.

                    Jamesdean is the person who takes the snort code and makes it work with pfsense; it's not his fault that it got messed up.
                    Just a couple of months ago clam av (part of the HAVP package) killed their older product; thousands of users were affected, not just pfsense (google it if you don't believe me). It was fixed on pfsense in less than 30 minutes of a post about the problem. There were other systems that took longer to fix the issue.

                    Also, if something doesn't work in your implementation it's one of two things all the time:
                    1. you did something to cause it
                    2. you're not the only one and its a known issue that is being worked on

                    I applaud all the package maintainers, most of whom donate their time and energy and ask for nothing in return.

                    -Chris Stutzman
                    Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
                    Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
                    freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
                    Check out the pfSense Wiki

                    1 Reply Last reply Reply Quote 0
                    • ?
                      A Former User last edited by

                      I have watched you insult users time and time again. I understand you're frustrated but that is no excuse to insult users.

                      James

                      removed

                      1 Reply Last reply Reply Quote 0
                      • J
                        jamesdean last edited by

                        Taking longer than expected, seems they moved the files to https server.
                        Have to figure out a way to do this.

                        hxxps://s3.amazonaws.com/snort.org/rules/20100525/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId

                        Please be patient

                        James

                        1 Reply Last reply Reply Quote 0
                        • X
                          XIII last edited by

                          Thanks for the update jamesdean, Take your time, no rush

                          cdx304, which "other"  firewall do you keep referring to?
                          Also, maybe the snort maintainer for that product fixed the problem before you even noticed there was one or shortly thereafter. Who knows, it may be their job; like I said before, most package maintainers donate their time, they have other lives and jobs. Don't like that it's not working, and don't want to wait? Fix it yourself; it's not hard to do or to learn how to do, it just takes time and patience. That's the beauty of open source.

                          -Chris Stutzman
                          Sys0:2.0.1: AMD Sempron 140 @2.7 1024M RAM 100GHD
                          Sys1:2.0.1: Intel P4 @2.66 1024M RAM 40GHD
                          freedns.afraid.org - Free DNS dynamic DNS subdomain and domain hosting.
                          Check out the pfSense Wiki

                          1 Reply Last reply Reply Quote 0
                          • C
                            chowtamah last edited by

                            I praise the James for his way of participating in this discussion.

                            He is my Hero ::). Well done James.

                            2.0.2-RELEASE (amd64)  &  2.2.2-RELEASE (amd64)

                            Always trying to learn!!

                            1 Reply Last reply Reply Quote 0
                            • D
                              darklogic last edited by

                              Same issue. As always, thanks James. I was looking at Snort's website and they indicate under their VRT to change your oinkmaster.conf

                              Oinkcode
                              Downloading with your Oinkcode
                              Important Note

                              We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be responsible for downloading the correct rules release for your version of Snort. The new versioning mechanism will require a four digit version in the file name. For the Subscriber and Registered releases of Snort 2.8.6.0 and Snort 2.8.5.3, the download links would look as follows:

                              Configuring Oinkmaster
                              In order to use Oinkmaster to update Snort with VRT rules you must edit oinkmaster.conf.

                              In the oinkmaster.conf modify "url" to:

                              url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/<filename>

                              1 Reply Last reply Reply Quote 0
                              • D
                                darklogic last edited by

                                I hope my last post helps.

                                1 Reply Last reply Reply Quote 0
                                • J
                                  jamesdean last edited by

                                  I wish it was as easy as pointing to a url.

                                  url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/<filename>

                                  The file you get from that url you posted redirects to a https server.

                                  Users on the snort.org mail-lists are having trouble with that redirect.
                                  Suggested fix is to install a perl mod that understands https.
                                  I am trying to avoid using Oinkmaster perl script.

                                  I'm trying to do this in pure php script.

                                  While I am here, might as well rewrite the whole "update tab" to include snort GUI updates too.
                                  I've been wanting to do this for a long time, I guess this is a good thing for us.

                                  James

                                  @darklogic:

                                  Same issue. As always, thanks James. I was looking at Snort's website and they indicate under their VRT to change your oinkmaster.conf

                                  Oinkcode
                                  Downloading with your Oinkcode
                                  Important Note

                                  We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be responsible for downloading the correct rules release for your version of Snort. The new versioning mechanism will require a four digit version in the file name. For the Subscriber and Registered releases of Snort 2.8.6.0 and Snort 2.8.5.3, the download links would look as follows:

                                  Configuring Oinkmaster
                                  In order to use Oinkmaster to update Snort with VRT rules you must edit oinkmaster.conf.

                                  In the oinkmaster.conf modify "url" to:

                                  url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/<filename>

                                  1 Reply Last reply Reply Quote 0
                                  • D
                                    DigitalJer last edited by

                                    Thanks JamesDean.

                                    I appreciate your class-act approach!

                                    -------------------------------------------------
                                    2.4.3-RELEASE (amd64)
                                    built on Mon Mar 26 18:02:04 CDT 2018
                                    FreeBSD 11.1-RELEASE-p7
                                    VM in ESXi 5.5
                                    1 x 1000baseTX (WAN)
                                    1 x 1000baseTX (LAN)

                                    1 Reply Last reply Reply Quote 0
                                    • D
                                      darklogic last edited by

                                      Same here, I appreciate everything as well. 8)

                                      1 Reply Last reply Reply Quote 0
                                      • R
                                        Rune last edited by

                                        I figured I'd post this here in case people want to update their definitions manually. I used this post but updated the instructions to the current version.
                                        http://forum.pfsense.org/index.php/topic,15464.msg81197.html#msg81197

                                        1- Download the rules manually by logging in to the shell and typing this
                                        fetch http://www.snort.org/pub-bin/oinkmaster.cgi/Oinkcode/snortrules-snapshot-2860.tar.gz
                                        2 - Make temp directory and copy rules
                                        mkdir /tmp/temp
                                        cp snortrules-snapshot-2860.tar.gz /tmp/temp
                                        3- extract the file with this command
                                        tar -zxvf /tmp/temp/snortrules-snapshot-2860.tar.gz
                                        4- Find interface name - it will be in a snort_#_interface format
                                        ls /usr/local/etc/snort/
                                        5- copy rules to rules directory
                                        cp tmp/temp/rules/. /usr/local/etc/snort/interfacename/rules
                                        6- Remove temp directory
                                        rm -r /tmp/temp
                                        7 - Restart Snort. This did it for me on a clean install.

                                        Hope this helps someone out.

                                        1 Reply Last reply Reply Quote 0
                                        • S
                                          simby last edited by

                                          James, can you add options to manual update snort packet? :)

                                          1 Reply Last reply Reply Quote 0
                                          • ?
                                            A Former User last edited by

                                            Has the package been fixed? I had to do a reinstall because of a faulty hard drive. I see in the package list the snort package has the same number?

                                            1 Reply Last reply Reply Quote 0
                                            • ?
                                              A Former User last edited by

                                              @Rune:

                                              I figured I'd post this here in case people want to update their definitions manually. I used this post but updated the instructions to the current version.
                                              http://forum.pfsense.org/index.php/topic,15464.msg81197.html#msg81197

                                              1- Download the rules manually by logging in to the shell and typing this
                                              fetch http://www.snort.org/pub-bin/oinkmaster.cgi/Oinkcode/snortrules-snapshot-2860.tar.gz
                                              2 - Make temp directory and copy rules
                                              mkdir /tmp/temp
                                              cp snortrules-snapshot-2860.tar.gz /tmp/temp
                                              3- extract the file with this command
                                              tar -zxvf /tmp/temp/snortrules-snapshot-2860.tar.gz
                                              4- Find interface name - it will be in a snort_#_interface format
                                              ls /usr/local/etc/snort/
                                              5- copy rules to rules directory
                                              cp tmp/temp/rules/. /usr/local/etc/snort/interfacename/rules
                                              6- Remove temp directory
                                              rm -r /tmp/temp
                                              7 - Restart Snort. This did it for me on a clean install.

                                              Hope this helps someone out.

                                              I tried the copy command and it does not work for me. Everything else worked.

                                              thanks for the help

                                              1 Reply Last reply Reply Quote 0
                                              • L
                                                LostInIgnorance last edited by

                                                @cdx304:

                                                @Rune:

                                                I figured I'd post this here in case people want to update their definitions manually. I used this post but updated the instructions to the current version.
                                                http://forum.pfsense.org/index.php/topic,15464.msg81197.html#msg81197

                                                1- Download the rules manually by logging in to the shell and typing this
                                                fetch http://www.snort.org/pub-bin/oinkmaster.cgi/Oinkcode/snortrules-snapshot-2860.tar.gz
                                                2 - Make temp directory and copy rules
                                                mkdir /tmp/temp
                                                cp snortrules-snapshot-2860.tar.gz /tmp/temp
                                                3- extract the file with this command
                                                tar -zxvf /tmp/temp/snortrules-snapshot-2860.tar.gz
                                                4- Find interface name - it will be in a snort_#_interface format
                                                ls /usr/local/etc/snort/
                                                5- copy rules to rules directory
                                                cp tmp/temp/rules/. /usr/local/etc/snort/interfacename/rules
                                                6- Remove temp directory
                                                rm -r /tmp/temp
                                                7 - Restart Snort. This did it for me on a clean install.

                                                Hope this helps someone out.

                                                I tried the copy command and it does not work for me. Everything else worked.

                                                thanks for the help

                                                I ended up having to use this line instead to copy the files.  Worked for me, but only an expert can tell me if I actually did it correctly. Still kinda new to all of this. ;)

                                                cp rules/. /usr/local/etc/snort/interfacename/rules

                                                Thanks again JamesDean for everything!! :D

                                                1 Reply Last reply Reply Quote 0
                                                • R
                                                  Rune last edited by

                                                  Yeah. You did it correctly. I was just looking back at what I had posted and realized I had put the wrong thing. Sorry. It was late when I posted this.

                                                  1 Reply Last reply Reply Quote 0
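
The manual steps from this thread, with the copy path corrected as the replies worked out, collected into one script as an added example (not code from any poster or from the pfSense Snort package). It assumes the tarball has a top-level rules/ directory, as the working copy command in the thread implies; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: manual install of a downloaded Snort rules tarball.

# Build the versioned tarball name from a four-part Snort version,
# e.g. 2.8.6.0 -> snortrules-snapshot-2860.tar.gz (format quoted in the thread).
rules_filename() {
    case "$1" in
        [0-9].[0-9].[0-9].[0-9]) ;;
        *) echo "expected a four-part version such as 2.8.6.0" >&2; return 1 ;;
    esac
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$1" | tr -d '.')"
}

# Read archive member names on stdin; fail if any is absolute or has a ".."
# component, so extraction cannot write outside the work directory.
names_are_safe() {
    if grep -Eq '^/|(^|/)\.\.(/|$)'; then
        return 1
    fi
    return 0
}

# install_rules TARBALL RULES_DIR
# RULES_DIR is the per-interface directory from step 4, for example
# /usr/local/etc/snort/interfacename/rules
install_rules() {
    tarball=$1
    dest=$2
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
    [ -d "$dest" ] || { echo "no such rules directory: $dest" >&2; return 1; }
    tar -tzf "$tarball" | names_are_safe || {
        echo "refusing archive with unsafe member names" >&2
        return 1
    }
    # Private work directory instead of a fixed, guessable /tmp/temp.
    work=$(mktemp -d "${TMPDIR:-/tmp}/snortrules.XXXXXX") || return 1
    status=0
    # tar unpacks into the current directory unless told otherwise; -C pins it
    # to the work directory so the copy source is a known absolute path.
    if tar -xzf "$tarball" -C "$work" && [ -d "$work/rules" ]; then
        # The trailing "/." copies the directory's contents, not the directory.
        cp -R "$work/rules/." "$dest/" || status=1
    else
        echo "extraction failed or archive has no rules/ directory" >&2
        status=1
    fi
    rm -rf "$work"
    return $status
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    install_rules "$1" "$2"
fi
```

Saved under a name of your choosing, it takes the downloaded tarball and the interface rules directory as its two arguments; restart Snort afterwards as in step 7.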
                                                  • jnorell
                                                    jnorell last edited by

                                                    James, if you're rewriting parts of the updating anyways, I'd like to +1 simby's request of adding a manual update feature (ie. http interface to upload and install a snort ruleset .tgz).  If that would get everyone by in a pinch if there are similar future changes to the download procedure.

                                                    Big thanks for your work on this package!

                                                    1 Reply Last reply Reply Quote 0
                                                    • G
                                                      g4m3c4ck last edited by

                                                      Well I am glad they are releasing rules for specific versions of snort now instead of coming out with a new version of snort and breaking the rules for the old versions. That alone will solve most of the headaches when dealing with snort.

                                                      That being said good job as always JD! And for those that continue to bitch about a FREE product that kicks ass of most alternatives you have to PAY for…...  Then go BUY something else!

                                                      People who can't comprehend how to navigate and manipulate file systems should not be messing around with ANYONE'S network let alone their firewall/router. But hey that is just my opinion….

                                                      1 Reply Last reply Reply Quote 0
                                                      • ?
                                                        A Former User last edited by

                                                        @LostInIgnorance:

                                                        @cdx304:

                                                        @Rune:

                                                        I figured I'd post this here in case people want to update their definitions manually. I used this post but updated the instructions to the current version.
                                                        http://forum.pfsense.org/index.php/topic,15464.msg81197.html#msg81197

                                                        1- Download the rules manually by logging in to the shell and typing this
                                                        fetch http://www.snort.org/pub-bin/oinkmaster.cgi/Oinkcode/snortrules-snapshot-2860.tar.gz
                                                        2 - Make temp directory and copy rules
                                                        mkdir /tmp/temp
                                                        cp snortrules-snapshot-2860.tar.gz /tmp/temp
                                                        3- extract the file with this command
                                                        tar -zxvf /tmp/temp/snortrules-snapshot-2860.tar.gz
                                                        4- Find interface name - it will be in a snort_#_interface format
                                                        ls /usr/local/etc/snort/
                                                        5- copy rules to rules directory
                                                        cp tmp/temp/rules/. /usr/local/etc/snort/interfacename/rules
                                                        6- Remove temp directory
                                                        rm -r /tmp/temp
                                                        7 - Restart Snort. This did it for me on a clean install.

                                                        Hope this helps someone out.

                                                        I tried the copy command and it does not work for me. Everything else worked.

                                                        thanks for the help

                                                        I ended up having to use this line instead to copy the files.  Worked for me, but only an expert can tell me if I actually did it correctly. Still kinda new to all of this. ;)

                                                        cp rules/. /usr/local/etc/snort/interfacename/rules

                                                        Thanks again JamesDean for everything!! :D

                                                        I tried this method and it still does not work. I hope this package gets fixed because running my cisco box is getting real old !!

                                                        1 Reply Last reply Reply Quote 0
                                                        • S
                                                          simby last edited by

                                                          any news?

                                                          1 Reply Last reply Reply Quote 0
                                                          • D
                                                            darklogic last edited by

                                                            When I discovered last week there were some issues with updating, I was doing everything I could to get SNORT to install updates. I even deinstalled and reinstalled the package before I checked the forums and found that others were having issues as well. I am noticing that SNORT is not releasing blocked IPs after 1 hour, which is what I have it set to release blocked offenders. I never had the issue before until after the uninstall and reinstall of the package. I tried the uninstall and reinstall of the package again and get the same results.

                                                            Any ideas on what this is about? Has anyone else noticed this or have this issue?

                                                            Thanks,

                                                            Matt

                                                            1 Reply Last reply Reply Quote 0
                                                            • D
                                                              darklogic last edited by

                                                              Note to my last post. I am only able to run the emerging threats because I can't get an update or download of the SNORT categories or premium subscription rules I pay for through VRT. I know you can manually update, but I have not really had the time to go through the write up posted to do it. I am just throwing this out there for what it may be worth.

                                                              Thanks,

                                                              Matt

                                                              1 Reply Last reply Reply Quote 0
                                                              • S
                                                                simby last edited by

                                                                any news from James?  ???

                                                                1 Reply Last reply Reply Quote 0
                                                                • S
                                                                  SnoSalmon last edited by

                                                                  Hey guys,

                                                                  New to this forum, new to PFSense and even new to Linux, but not a noob.
                                                                  Thankfully I found this thread, I've got PFSense humming along (together with Squid and Lightsquid, BandwidthD etc) and installed Snort last night. Spent AGES trying to get the rules to auto download.
                                                                  I was convinced I had stuffed something up myself!

                                                                  I'll keep checking this thread for a solution. Hopefully I don't need to manually go copying things from a shell as I wouldn't have a clue and am likely to bugger something up :)

                                                                  Anyway, fingers crossed there will be a patch soon!

                                                                  1 Reply Last reply Reply Quote 0
                                                                  • T
                                                                    tessen last edited by

                                                                    Noticed this problem with rules updates, is there a way to manually copy rules, If I download them to my desktop machine where I should put them under PFsense, just copy the stuff in package in /usr/local/etc/snort/rules ? or something else?

                                                                    1 Reply Last reply Reply Quote 0
                                                                    • D
                                                                      DigitalJer last edited by

                                                                      @tessen:

                                                                      … is there a way to manually copy rules

                                                                      …mentioned earlier in this thread.

                                                                      http://bit.ly/9c29CI

                                                                      -------------------------------------------------
                                                                      2.4.3-RELEASE (amd64)
                                                                      built on Mon Mar 26 18:02:04 CDT 2018
                                                                      FreeBSD 11.1-RELEASE-p7
                                                                      VM in ESXi 5.5
                                                                      1 x 1000baseTX (WAN)
                                                                      1 x 1000baseTX (LAN)

                                                                      1 Reply Last reply Reply Quote 0
                                                                      • ?
                                                                        A Former User last edited by

                                                                        @tessen:

                                                                        Noticed this problem with rules updates, is there a way to manually copy rules, If I download them to my desktop machine where I should put them under PFsense, just copy the stuff in package in /usr/local/etc/snort/rules ? or something else?

                                                                        Be ok if that would work for me, I would not mind that. But in PuTTY at the last step it says that directory does not exist. Then what do you do !!!!????

                                                                        1 Reply Last reply Reply Quote 0
                                                                        • D
                                                                          DigitalJer last edited by

                                                                          The last step, 7, says to restart Snort, but I assume you mean something else?

                                                                          • P
                                                                            pneumatic last edited by

                                                                            Can someone tell me what file contains the URL download information?  I'd like to run snort but I can't get the update.

                                                                            • D
                                                                              DigitalJer last edited by

                                                                              @pneumatic:

                                                                              Can someone tell me what file contains the URL download information?

                                                                              The URL to the file was mentioned earlier in this thread.  Check the link in my post 4 posts up.

                                                                              • P
                                                                                pneumatic last edited by

                                                                                I know what the proper URL is.  I am wondering what file inside my pfsense installation needs to be modified in order to automatically update the rules.

                                                                                • R
                                                                                  Rune last edited by

                                                                                  If you read the thread from the beginning, you will know that it is not a simple matter of just changing a URL. If it was, the programmer would have already fixed it. It has to do with the way the updates are coming from the cloud. For right now just sit back, relax, update manually, or just use emerging threats, and wait for the programmer to update. On the note of the how-to, I will attempt to actually create one this weekend. Just been a little busy at work. Do I need screenshots too?

                                                                                  • ?
                                                                                    A Former User last edited by

                                                                                    @Rune:

                                                                                    If you read the thread from the beginning, you will know that it is not a simple matter of just changing a URL. If it was, the programmer would have already fixed it. It has to do with the way the updates are coming from the cloud. For right now just sit back, relax, update manually, or just use emerging threats, and wait for the programmer to update. On the note of the how-to, I will attempt to actually create one this weekend. Just been a little busy at work. Do I need screenshots too?

                                                                                    Well, the screenshots would be a good idea. I just have no idea what I am doing for the manual updating not to work. I tried it over ten times and gave up and installed my standby software.
