Snort Updating problems !!!
- 
 I praise James for his way of participating in this discussion. He is my Hero ::). Well done James. 
- 
 Same issue. As always, thanks James. I was looking at Snort's website and they indicate under their VRT to change your oinkmaster.conf Oinkcode 
 Downloading with your Oinkcode
 Important Note
 We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be responsible for downloading the correct rules release for your version of Snort. The new versioning mechanism will require a four digit version in the file name. For the Subscriber and Registered releases of Snort 2.8.6.0 and Snort 2.8.5.3, the download links would look as follows:
 Configuring Oinkmaster 
 In order to use Oinkmaster to update Snort with VRT rules you must edit oinkmaster.conf.
 In the oinkmaster.conf modify "url" to:
 url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/<filename>
- 
 I hope my last post helps. 
- 
 I wish it was as easy as pointing to a url.
 url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here>/<filename>
 The file you get from that url you posted redirects to a https server. Users on the snort.org mail-lists are having trouble with that redirect. 
 Suggested fix is to install a perl mod that understands https.
 I am trying to avoid using Oinkmaster perl script. I'm trying to do this in pure php script. While I am here might as well rewrite the whole "update tab" to include snort GUI updates too. 
 I've been wanting to do this for a long time, I guess this is a good thing for us.
 James
- 
 Thanks JamesDean. I appreciate your class-act approach! 
- 
 Same here, I appreciate everything as well. 8) 
- 
 I figured I'd post this here in case people want to update their definitions manually. I used this post but updated the instructions to the current version. 
 http://forum.pfsense.org/index.php/topic,15464.msg81197.html#msg81197
 1 - Download the rules manually by logging in to the shell and typing this 
 fetch http://www.snort.org/pub-bin/oinkmaster.cgi/Oinkcode/snortrules-snapshot-2860.tar.gz
 2 - Make temp directory and copy rules
 mkdir /tmp/temp
 cp snortrules-snapshot-2860.tar.gz /tmp/temp
 3- extract the file with this command
 tar -zxvf /tmp/temp/snortrules-snapshot-2860.tar.gz
 4- Find interface name - it will be in a snort_#_interface format
 ls /usr/local/etc/snort/
 5- copy rules to rules directory
 cp tmp/temp/rules/. /usr/local/etc/snort/interfacename/rules
 6- Remove temp directory
 rm -r /tmp/temp
 7 - Restart Snort.
 This did it for me on a clean install. Hope this helps someone out. 
- 
 James, can you add options to manually update snort packet? :) 
- 
 Has the package been fixed? I had to do a reinstall because of a faulty hard drive. I see in the package list the snort package has the same number? 
- 
 I tried the copy command and it does not work for me. Everything else worked. Thanks for the help. 
- 
 I ended up having to use this line instead to copy the files. Worked for me, but only an expert can tell me if I actually did it correctly. Still kinda new to all of this. ;)
 cp rules/. /usr/local/etc/snort/interfacename/rules
 Thanks again JamesDean for everything!! :D 
- 
 Yeah. You did it correctly. I was just looking back at what I had posted and realized I had put the wrong thing. Sorry. It was late when I posted this. 
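 The manual steps discussed above, gathered into one shell function as an added example (not part of any post in this thread and not the Snort package's own code). It extracts with `-C` into a fresh temp directory so the copy does not depend on the current directory, which is where the `cp` step went wrong. The function name `install_snort_rules` and the archive path check are assumptions of this example, and the tarball is assumed to be already downloaded.

```shell
#!/bin/sh
# Added example: install the rules/ directory from a downloaded Snort rules
# tarball into one interface's rules directory.
# Hypothetical usage:
#   sh install_rules.sh snortrules-snapshot-2860.tar.gz \
#      /usr/local/etc/snort/interfacename/rules

install_snort_rules() {
    tarball=$1
    dest=$2
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
    [ -d "$dest" ] || { echo "no such rules directory: $dest" >&2; return 1; }

    # List the archive first; a truncated or non-gzip download fails here.
    listing=$(tar -tzf "$tarball") || { echo "cannot read $tarball" >&2; return 1; }

    # Basic check: refuse member names that are absolute or contain "..".
    if printf '%s\n' "$listing" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe path in archive, refusing to extract" >&2
        return 1
    fi

    # Fresh private work directory instead of a fixed /tmp/temp.
    work=$(mktemp -d /tmp/snortrules.XXXXXX) || return 1

    status=0
    # -C makes extraction independent of the current directory.
    if ! tar -xzf "$tarball" -C "$work"; then
        status=1
    elif [ ! -d "$work/rules" ]; then
        echo "archive has no rules/ directory" >&2
        status=1
    else
        # "rules/." copies the directory's contents straight into $dest.
        cp -R "$work/rules/." "$dest/" || status=1
    fi

    rm -rf "$work"
    return "$status"
}

# Run only when called with both arguments.
if [ "$#" -eq 2 ]; then
    install_snort_rules "$1" "$2"
fi
```

 Snort still has to be restarted afterwards, as in step 7 of the manual procedure.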
- 
 James, if you're rewriting parts of the updating anyways, I'd like to +1 simby's request of adding a manual update feature (i.e. http interface to upload and install a snort ruleset .tgz). That would get everyone by in a pinch if there are similar future changes to the download procedure. Big thanks for your work on this package! 
- 
 Well I am glad they are releasing rules for specific versions of snort now instead of coming out with a new version of snort and breaking the rules for the old versions. That alone will solve most of the headaches when dealing with snort. That being said good job as always JD! And for those that continue to bitch about a FREE product that kicks ass of most alternatives you have to PAY for... Then go BUY something else! People who can't comprehend how to navigate and manipulate file systems should not be messing around with ANYONE'S network let alone their firewall/router. But hey that is just my opinion... 
- 
 I tried this method and it still does not work. I hope this package gets fixed because running my cisco box is getting real old !! 
- 
 any news? 
- 
 When I discovered last week there were some issues with updating, I was doing everything I could to get SNORT to install updates. I even deinstalled and reinstalled the package before I checked the forums and found that others were having issues as well. I am noticing that SNORT is not releasing blocked IPs after 1 hour, which is what I have it set to release blocked offenders. I never had the issue before until after the uninstall and reinstall of the package. I tried the uninstall and reinstall of the package again and get the same results. Any ideas on what this is about? Has anyone else noticed this or have this issue? Thanks, Matt 
- 
 Note to my last post. I am only able to run the emerging threats because I can't get an update or download of the SNORT categories or premium subscription rules I pay for through VRT. I know you can manually update, but I have not really had the time to go through the write up posted to do it. I am just throwing this out there for what it may be worth. Thanks, Matt 
- 
 any news from James? ??? 
- 
 Hey guys, New to this forum, new to PFSense and even new to Linux, but not a noob. 
 Thankfully I found this thread, I've got PFSense humming along (together with Squid and Lightsquid, BandwidthD etc) and installed Snort last night. Spent AGES trying to get the rules to auto download.
 I was convinced I had stuffed something up myself! I'll keep checking this thread for a solution. Hopefully I don't need to manually go copying things from a shell as I wouldn't have a clue and am likely to bugger something up :) Anyway, fingers crossed there will be a patch soon! 
