Snort Updating problems !!!

A Former User · Jul 1, 2010, 1:47 AM

Here we go with the same old problem .Snort does not update again says Please wait… You may only check for New Rules every 15 minutes... The last time the updates were started 2010-Jun-28th-11:19-AM.
I see on the snort site there is a new file ?

simby · Jul 1, 2010, 6:32 AM

I have the same problem on pfsense 2.0. build 29.6.2010!!

tester_02 · Jul 1, 2010, 6:33 AM

Looks like snort moved the file download location (see post on their site).
We will have to wait for jamesdean to update the package. Maybe in the future Jamesdean will add it so we can manually change it.
Sucks that snort is always changing things…

simby · Jul 1, 2010, 7:17 AM

or add options to manual update packet :)

tehtrk · Jul 1, 2010, 6:48 PM

@cdx304:

I don't understand why this is a regular thing .I think it is time to find a new security package than pfsense .Because at work we use another one and there is zero problems with snort on that one .the only thing they can't do on that one is unblock a ip .That is why i do not use it here on my network .
Fix thiis stupid problem or alot of us will be going else where for our security .This seems to be only on pfsense no other one has the problem .
If you guys want to know the Unified threat management software private message me .Because this is the third time in 6 weeks and it has to stop period .

No one is forcing you to use pfSense. You're free to use whatever you want. You could do what I and others are doing and try to find a solution with the ultimate goal being a patch that everyone benefits from. I guess you could threaten to leave, but that will only mean the problem will be fixed despite your ranting, not because of it. This isn't "demandware" ::)

jamesdean · Jul 1, 2010, 11:39 PM

Give me 20 min.

Were are not the only ones affected by this issue, other firewalls are down to.
The snort security mailing lists are flooded with complaints like this thread.

Snort changed the urls again and moved there files to amazon E2.

Every time I make a change I have to wait 15 min, that sucks.

James

tehtrk · Jul 1, 2010, 10:41 PM

First of all, pfSense != pfSense packages. If you're going to criticize something, at least criticize the right thing.

Secondly, pfSense is used by companies. If I were to pay for a support contract and not get any support, then I would be pissed. By itself, though, pfSense is free, freedom and beer-wise. The snort package maintainer uses his time to provide others with something that normally works quite well and is not a $3,299 proprietary add-on.

Also, companies can't run, they don't even have legs. That is as close as I am getting to your level of childishness.

Edit: Thank you jamesdean for all the work you are putting into this. I thought it sounded odd that our snort implementation was the only one affected…

XIII · Jul 1, 2010, 10:47 PM

pfSense is just the operating system.
snort is a package that is used by thousands of people, squid is another one.
Example of squid in use: have a blackberry? go to 192.168.100.1, you will see a squid error message.

Jamesdean is the person who takes the snort code and makes it work with pfsense, its not his fault that it got messed up.
just a couple of months ago clam av (part of the HAVP package) killed their older product, thousands of users were affected, not just pfsense (google it if you dont believe me.) it was fixed on pfsense in less than 30 minutes of a post about the problem. there were other systems that took longer to fix the issue.

also if something doesnt work in your implementation its one of two things all the time:
1. you did something to cause it
2. you're not the only one and its a known issue that is being worked on

I applaud all the package maintainers, most of whom donate their time and energy and ask for nothing in return.

A Former User · Jul 2, 2010, 12:25 AM

I have watched you insult users time and time again. I understand your frustred but that is no excuse to insult users.

James

removed

jamesdean · Jul 2, 2010, 12:58 AM

Taking longer than expected, seems they moved the files to https server.
Have to figure out a way to do this.

hxxps://s3.amazonaws.com/snort.org/rules/20100525/snortrules-snapshot-2860.tar.gz?AWSAccessKeyId

Please be patient

James

XIII · Jul 2, 2010, 1:04 AM

Thanks for the update jamesdean, Take your time, no rush

cdx304, which "other" firewall do you keep referring to?
also maybe the snort maintainer for that product fixed the problem before you even noticed there was one or shortly there after. who knows it may be there job, like I said before, most package maintainers donate their time, they have other lives and jobs. Dont like that its not working, and dont want to wait, fix it yourself, not hard to do or to learn how to do, just takes time and patience, thats the beauty of opensource.

chowtamah · Jul 2, 2010, 6:18 AM

I praise the James for his way of participating in this discussion.

He is my Hero ::). Well done James.

darklogic · Jul 2, 2010, 3:59 PM

Same issue. As always, thanks James. I was looking at snorts website and they indicate under their VRT to change your oinkmaster.conf

Oinkcode
Downloading with your Oinkcode
Important Note

We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be responsible for downloading the correct rules release for your version of Snort. The new versioning mechanism will require a four digit version in the file name. For the Subscriber and Registered releases of Snort 2.8.6.0 and Snort 2.8.5.3, the download links would look as follows:

Configuring Oinkmaster
In order to use Oinkmaster to update Snort with VRT rules you must edit oinkmaster.conf.

In the oinkmaster.conf modify "url" to:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here="">/<filename></filename></oinkcode>

darklogic · Jul 2, 2010, 3:59 PM

I hope my last post helps.

jamesdean · Jul 2, 2010, 4:36 PM

I wish it was as easy as pointing to a url.

url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here="">/ <filename>The file you get from that url you posted redirects to a https server.

Users on the snort.org mail-lists are having trouble with that redirect.
Suggested fix is to install a perl mod that understands https.
I am trying to avoid using Oinkmaster perl script.

I'm trying to do this in pure php script.

While I am hear might as well rewrite the whole "update tab" to include snort GUI updates to.
I been wanting to do this for a long time, I guess this is a good thing for us.

James

@darklogic:

Same issue. As always, thanks James. I was looking at snorts website and they indicate under their VRT to change your oinkmaster.conf

Oinkcode
Downloading with your Oinkcode
Important Note

We are changing the way we publish rules. In June 2010 we stopped offering rules in the "snortrules-snapshot-CURRENT" format. Instead, rules are released for specific versions of Snort. You will be responsible for downloading the correct rules release for your version of Snort. The new versioning mechanism will require a four digit version in the file name. For the Subscriber and Registered releases of Snort 2.8.6.0 and Snort 2.8.5.3, the download links would look as follows:

Configuring Oinkmaster
In order to use Oinkmaster to update Snort with VRT rules you must edit oinkmaster.conf.

In the oinkmaster.conf modify "url" to:

url = http://www.snort.org/pub-bin/oinkmaster.cgi/<oinkcode here="">/ <filename></filename></oinkcode></filename></oinkcode>

DigitalJer · Jul 2, 2010, 4:58 PM

Thanks JamesDean.

I appreciate your class-act approach!

darklogic · Jul 2, 2010, 7:08 PM

Same here, I appreciate everything as well. 8)

Rune · Jul 3, 2010, 7:02 AM

I figured I'd post this here in case people want to update their definitions manually. I used this post but updated the instructions to the current version.
http://forum.pfsense.org/index.php/topic,15464.msg81197.html#msg81197

1- Download the rules manually by logging to the shell and type this
fetch http://www.snort.org/pub-bin/oinkmaster.cgi/Oinkcode/snortrules-snapshot-2860.tar.gz
2 - Make temp directory and copy rules
mkdir /tmp/temp
cp snortrules-snapshot-2860.tar.gz /tmp/temp
3- extract the file with this command
tar -zxvf /tmp/temp/snortrules-snapshot-2860.tar.gz
4- Find interface name - it will be in a snort_#_interface format
ls /usr/local/etc/snort/
5- copy rules to rules directory
cp tmp/temp/rules/. /usr/local/etc/snort/interfacename/rules
6- Remove temp directory
rm -r /tmp/temp
7 - Restart Snort. This did it for me on a clean install.

Hope this helps someone out.

simby · Jul 3, 2010, 8:15 AM

Jammes, can you add options to manual update snort packet? :)

A Former User · Jul 4, 2010, 12:43 AM

Has the package been fixed .I had to do a reinstall because of drive faulty hard drive .I see in the packeage list the snort package has the same number ?