Netgate Discussion Forum

Snort Updating problems !!!

  • ?
    A Former User
    last edited by Jul 4, 2010, 8:27 PM

    @Rune:

    I figured I'd post this here in case people want to update their definitions manually. I used this post but updated the instructions to the current version.
    http://forum.pfsense.org/index.php/topic,15464.msg81197.html#msg81197

    1- Download the rules manually by logging to the shell and type this
    fetch http://www.snort.org/pub-bin/oinkmaster.cgi/Oinkcode/snortrules-snapshot-2860.tar.gz
    2 - Make temp directory and copy rules
    mkdir /tmp/temp
    cp snortrules-snapshot-2860.tar.gz /tmp/temp
    3- extract the file with this command
    tar -zxvf /tmp/temp/snortrules-snapshot-2860.tar.gz
    4- Find interface name - it will be in a snort_#_interface format
    ls /usr/local/etc/snort/
    5- copy rules to rules directory
    cp tmp/temp/rules/. /usr/local/etc/snort/interfacename/rules
    6- Remove temp directory
    rm -r /tmp/temp
    7 - Restart Snort. This did it for me on a clean install.

    Hope this helps someone out.

    I tried the copy command and it does not work for me. Everything else worked.

    thanks for the help

    • L
      LostInIgnorance
      last edited by Jul 5, 2010, 5:25 AM Jul 5, 2010, 5:04 AM

      @cdx304:

      @Rune:

      I figured I'd post this here in case people want to update their definitions manually. I used this post but updated the instructions to the current version.
      http://forum.pfsense.org/index.php/topic,15464.msg81197.html#msg81197

      1- Download the rules manually by logging to the shell and type this
      fetch http://www.snort.org/pub-bin/oinkmaster.cgi/Oinkcode/snortrules-snapshot-2860.tar.gz
      2 - Make temp directory and copy rules
      mkdir /tmp/temp
      cp snortrules-snapshot-2860.tar.gz /tmp/temp
      3- extract the file with this command
      tar -zxvf /tmp/temp/snortrules-snapshot-2860.tar.gz
      4- Find interface name - it will be in a snort_#_interface format
      ls /usr/local/etc/snort/
      5- copy rules to rules directory
      cp tmp/temp/rules/. /usr/local/etc/snort/interfacename/rules
      6- Remove temp directory
      rm -r /tmp/temp
      7 - Restart Snort. This did it for me on a clean install.

      Hope this helps someone out.

      I tried the copy command and it does not work for me. Everything else worked.

      thanks for the help

      I ended up having to use this line instead to copy the files.  Worked for me, but only an expert can tell me if I actually did it correctly. Still kinda new to all of this. ;)

      cp rules/. /usr/local/etc/snort/interfacename/rules

      Thanks again JamesDean for everything!! :D

      • R
        Rune
        last edited by Jul 6, 2010, 6:27 AM

        Yeah. You did it correctly. I was just looking back at what I had posted and realized I had put the wrong thing. Sorry. It was late when I posted this.
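
The manual procedure discussed above, as an added shell example that is not part of any post in this thread: it extracts the snapshot into a scratch directory with `tar -C` so the location of `rules/` does not depend on the current directory, rejects archives whose member paths are absolute or contain `..`, and copies with `cp -R`. The function name `install_rules` and the `snort_0_em0` directory are constructed for illustration.

```shell
#!/bin/sh
# install_rules TARBALL DEST_RULES_DIR
# Hypothetical helper for illustration; not part of the Snort package.
install_rules() {
    tarball=$1
    dest=$2
    [ -f "$tarball" ] || { echo "no such tarball: $tarball" >&2; return 1; }
    # Steps 4 and 5: the per-interface rules directory must already exist.
    [ -d "$dest" ] || { echo "no such rules directory: $dest" >&2; return 2; }
    # Refuse member paths that are absolute or climb out with "..".
    if tar -tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "unsafe member path in archive" >&2
        return 3
    fi
    work=$(mktemp -d) || return 4
    # -C extracts into $work; without it tar unpacks into the current directory.
    if ! tar -xzf "$tarball" -C "$work"; then
        rm -rf "$work"
        return 4
    fi
    if [ ! -d "$work/rules" ]; then
        echo "archive has no rules/ directory" >&2
        rm -rf "$work"
        return 5
    fi
    rc=0
    # -R is needed to copy the contents of a directory.
    cp -R "$work/rules/." "$dest/" || rc=$?
    rm -rf "$work"
    return "$rc"
}

# Constructed demo: a stand-in snapshot and a stand-in interface directory.
demo=$(mktemp -d)
mkdir -p "$demo/src/rules" "$demo/snort_0_em0/rules"
echo '# constructed sample rule file' > "$demo/src/rules/sample.rules"
tar -czf "$demo/snapshot.tar.gz" -C "$demo/src" rules
install_rules "$demo/snapshot.tar.gz" "$demo/snort_0_em0/rules" && ls "$demo/snort_0_em0/rules"
rm -rf "$demo"
```

A non-zero return code identifies which check failed, for example 2 when the destination rules directory does not exist.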

        • J
          jnorell
          last edited by Jul 6, 2010, 2:43 PM

          James, if you're rewriting parts of the updating anyways, I'd like to +1 simby's request of adding a manual update feature (i.e. http interface to upload and install a snort ruleset .tgz).  That would get everyone by in a pinch if there are similar future changes to the download procedure.

          Big thanks for your work on this package!

          • G
            g4m3c4ck
            last edited by Jul 6, 2010, 6:38 PM Jul 6, 2010, 6:30 PM

            Well I am glad they are releasing rules for specific versions of snort now instead of coming out with a new version of snort and breaking the rules for the old versions. That alone will solve most of the headaches when dealing with snort.

            That being said good job as always JD! And for those that continue to bitch about a FREE product that kicks ass of most alternatives you have to PAY for... Then go BUY something else!

            People who can't comprehend how to navigate and manipulate file systems should not be messing around with ANYONE'S network let alone their firewall/router. But hey that is just my opinion...

            • ?
              A Former User
              last edited by Jul 6, 2010, 11:44 PM

              @LostInIgnorance:

              @cdx304:

              @Rune:

              I figured I'd post this here in case people want to update their definitions manually. I used this post but updated the instructions to the current version.
              http://forum.pfsense.org/index.php/topic,15464.msg81197.html#msg81197

              1- Download the rules manually by logging to the shell and type this
              fetch http://www.snort.org/pub-bin/oinkmaster.cgi/Oinkcode/snortrules-snapshot-2860.tar.gz
              2 - Make temp directory and copy rules
              mkdir /tmp/temp
              cp snortrules-snapshot-2860.tar.gz /tmp/temp
              3- extract the file with this command
              tar -zxvf /tmp/temp/snortrules-snapshot-2860.tar.gz
              4- Find interface name - it will be in a snort_#_interface format
              ls /usr/local/etc/snort/
              5- copy rules to rules directory
              cp tmp/temp/rules/. /usr/local/etc/snort/interfacename/rules
              6- Remove temp directory
              rm -r /tmp/temp
              7 - Restart Snort. This did it for me on a clean install.

              Hope this helps someone out.

              I tried the copy command and it does not work for me. Everything else worked.

              thanks for the help

              I ended up having to use this line instead to copy the files.  Worked for me, but only an expert can tell me if I actually did it correctly. Still kinda new to all of this. ;)

              cp rules/. /usr/local/etc/snort/interfacename/rules

              Thanks again JamesDean for everything!! :D

              I tried this method and it still does not work. I hope this package gets fixed because running my cisco box is getting real old !!

              • S
                simby
                last edited by Jul 7, 2010, 12:52 PM

                any news?

                • D
                  darklogic
                  last edited by Jul 7, 2010, 1:55 PM

                  When I discovered last week there were some issues with updating, I was doing everything I could to get SNORT to install updates. I even deinstalled and reinstalled the package before I checked the forums and found that others were having issues as well. I am noticing that SNORT is not releasing blocked IPs after 1 hour, which is what I have it set to release blocked offenders. I never had the issue before until after the uninstall and reinstall of the package. I tried the uninstall and reinstall of the package again and get the same results.

                  Any ideas on what this is about? Has anyone else noticed this or have this issue?

                  Thanks,

                  Matt

                  • D
                    darklogic
                    last edited by Jul 7, 2010, 1:58 PM

                    Note to my last post. I am only able to run the emerging threats because I can't get an update or download of the SNORT categories or premium subscription rules I pay for through VRT. I know you can manually update, but I have not really had the time to go through the write up posted to do it. I am just throwing this out there for what it may be worth.

                    Thanks,

                    Matt

                    • S
                      simby
                      last edited by Jul 12, 2010, 5:56 AM

                      any news from James?  ???

                      • S
                        SnoSalmon
                        last edited by Jul 13, 2010, 5:49 AM

                        Hey guys,

                        New to this forum, new to PFSense and even new to Linux, but not a noob.
                        Thankfully I found this thread, I've got PFSense humming along (together with Squid and Lightsquid, BandwidthD etc) and installed Snort last night. Spent AGES trying to get the rules to auto download.
                        I was convinced I had stuffed something up myself!

                        I'll keep checking this thread for a solution. Hopefully I don't need to manually go copying things from a shell as I wouldn't have a clue and am likely to bugger something up :)

                        Anyway, fingers crossed there will be a patch soon!

                        • T
                          tessen
                          last edited by Jul 15, 2010, 6:19 PM

                          Noticed this problem with rules updates, is there a way to manually copy rules, If I download them to my desktop machine where I should put them under PFsense, just copy the stuff in package in /usr/local/etc/snort/rules ? or something else?

                          • D
                            DigitalJer
                            last edited by Jul 15, 2010, 6:54 PM

                            @tessen:

                            … is there a way to manually copy rules

                            …mentioned earlier in this thread.

                            http://bit.ly/9c29CI

                            –------------------------------------------------
                            2.4.3-RELEASE (amd64)
                            built on Mon Mar 26 18:02:04 CDT 2018
                            FreeBSD 11.1-RELEASE-p7
                            VM in ESXi 5.5
                            1 x 1000baseTX (WAN)
                            1 x 1000baseTX (LAN)

                            • ?
                              A Former User
                              last edited by Jul 15, 2010, 8:18 PM

                              @tessen:

                              Noticed this problem with rules updates, is there a way to manually copy rules, If I download them to my desktop machine where I should put them under PFsense, just copy the stuff in package in /usr/local/etc/snort/rules ? or something else?

                              Be ok if that would work for me, I would not mind that. But in PuTTY at the last step it says that directory does not exist. Then what do you do !!!!????

                              • D
                                DigitalJer
                                last edited by Jul 15, 2010, 8:27 PM

                                The last step, 7, says to restart Snort, but I assume you mean something else ?

                                • P
                                  pneumatic
                                  last edited by Jul 15, 2010, 8:59 PM

                                  Can someone tell me what file contains the URL download information?  I'd like to run snort but I can't get the update.

                                  • D
                                    DigitalJer
                                    last edited by Jul 15, 2010, 10:39 PM

                                    @pneumatic:

                                    Can someone tell me what file contains the URL download information?

                                    The URL to the file was mentioned earlier in this thread.  Check the link in my post 4 posts up.

                                    • P
                                      pneumatic
                                      last edited by Jul 16, 2010, 1:23 AM

                                      I know what the proper URL is.  I am wondering what file inside my pfsense installation needs to be modified in order to automatically update the rules.

                                      • R
                                        Rune
                                        last edited by Jul 16, 2010, 1:47 AM

                                        If you read the thread from the beginning you will know that it is not a simple matter of just changing a URL. If it was the programmer would have already fixed it. It has to do with the way the updates are coming from the cloud. For right now just sit back, relax, update manually, or just use emerging threats, and wait for the programmer to update. On the note of the how-to I will attempt to actually create one this weekend. Just been a little busy at work. Do I need screenshots too?

                                        • ?
                                          A Former User
                                          last edited by Jul 16, 2010, 6:31 AM

                                          @Rune:

                                          If you read the thread from the beginning you will know that it is not a simple matter of just changing a URL. If it was the programmer would have already fixed it. It has to do with the way the updates are coming from the cloud. For right now just sit back, relax, update manually, or just use emerging threats, and wait for the programmer to update. On the note of the how-to I will attempt to actually create one this weekend. Just been a little busy at work. Do I need screenshots too?

                                          Well the screen shots would be a good idea. I just have no idea what I am doing for the manual updating not to work. I tried it over ten times and gave up and installed my standby software.
