Rookie having problem with Snort
-
I'm a new user of Snort, loaded it yesterday. Using pfsense 1.2.3 and Snort 2.8.6 (pkg v 1.27). Went for the subscription/premium service on Snort. I successfully downloaded and installed Emergingthreats but could not get Snort to load rules. I read many of the posts on this forum and on Snort but probably missed finding the solution which is likely posted. Nonetheless I narrowed down what I perceived the problem to be in two php files: /usr/local/www/snort/snort_download_rules.php and /usr/local/pkg/snort/snort_check_for_rule_updates.php. It appeared (again rookie status) that the variable definitions which pointed at the Snort site had not been updated to account for the new naming convention from the end of June. It also appeared that some of the scripting, in particular the calls to 'download_file_with_progress_bar' (defined in /usr/local/www/system_firmware_auto.php), had this same potential issue. I edited the file /usr/local/pkg/snort/snort_check_for_rule_updates.php at lines 35, 36, 214, 216, 253, 275 and 384. Also edited the file /usr/local/www/snort/snort_download_rules.php at lines 42, 43, 394, 396, 433, 477 and 616. The filenames went generally from "snortrules-snapshot-2.8.tar.gz" or ".md5" to "snortrules-snapshot-2860.tar.gz" or ".md5". The calls to 'download_file_with_progress_bar' went generally to "download_file_with_progress_bar2("http://www.snort.org/pub-bin/oinkmaster.cgi/'myoinkcode typed out here'/snortrules-snapshot-2860.tar.gz", $tmpfname . "/{$snort_filename}");".
Also, when I look at "Services, Snort" the interface shows stopped, but when I look in "Status, Services" it shows Snort as running. The system.log supports what is reported in "Status, Services". Is this normal?
Just for the record, I did try removing and reinstalling several times before exploring the php code.
Any help or direction would be most appreciated.
Thanks,
Carl -
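An added example (written for this thread, not the poster's edits or the pfSense Snort package's own PHP), in Python rather than PHP so it can be run and checked outside pfSense. It shows the two pieces of the fix described above in testable form: building the renamed snapshot file name and the oinkmaster.cgi URL from a Snort version string and an oinkcode, and checking a downloaded rules tarball against its .md5 sidecar before the rules are unpacked. The version-to-digits mapping (2.8.6.0 -> 2860), the two .md5 file layouts accepted and the placeholder oinkcode are my assumptions; the tarball bytes are constructed here, nothing is fetched from snort.org.

```python
import hashlib
import re

# Placeholder only: substitute your own oinkcode when building a real URL.
OINKCODE_PLACEHOLDER = "<your-oinkcode-here>"


def snapshot_filename(snort_version: str, suffix: str = ".tar.gz") -> str:
    """Build the snapshot file name under the renamed scheme from the post.

    Assumption: the version's digits are concatenated, so 2.8.6.0 becomes
    "snortrules-snapshot-2860.tar.gz" (or ".md5" for the sidecar).
    """
    digits = snort_version.replace(".", "")
    if not digits.isdigit():
        raise ValueError(f"unexpected Snort version string: {snort_version!r}")
    return f"snortrules-snapshot-{digits}{suffix}"


def rules_url(oinkcode: str, snort_version: str, suffix: str = ".tar.gz") -> str:
    """Assemble the oinkmaster.cgi URL quoted in the post for one file."""
    return ("http://www.snort.org/pub-bin/oinkmaster.cgi/"
            f"{oinkcode}/{snapshot_filename(snort_version, suffix)}")


# A bare 32-hex-digit token; matches both "hash  file" and "MD5 (file) = hash"
# layouts (assumed layouts for the .md5 sidecar).
_HEX32 = re.compile(r"\b([0-9a-fA-F]{32})\b")


def expected_md5(md5_file_text: str) -> str:
    """Extract the digest from the .md5 sidecar text."""
    match = _HEX32.search(md5_file_text)
    if not match:
        raise ValueError("no MD5 digest found in .md5 file")
    return match.group(1).lower()


def tarball_matches_md5(tarball_bytes: bytes, md5_file_text: str) -> bool:
    """True when the downloaded tarball hashes to the sidecar's digest.

    This only catches truncated or corrupted downloads: the tarball and the
    sidecar come from the same server, so a matching MD5 says nothing about
    whether that server was the one you meant to talk to.
    """
    actual = hashlib.md5(tarball_bytes).hexdigest()
    return actual == expected_md5(md5_file_text)


def demo() -> tuple:
    """Exercise the helpers on a constructed tarball and sidecar."""
    version = "2.8.6.0"
    tarball_name = snapshot_filename(version)
    url = rules_url(OINKCODE_PLACEHOLDER, version)

    # Constructed stand-in for the real rules tarball.
    fake_tarball = b"not really a tar.gz, just sample bytes for the demo\n"
    sidecar = f"MD5 ({tarball_name}) = {hashlib.md5(fake_tarball).hexdigest()}\n"

    intact = tarball_matches_md5(fake_tarball, sidecar)
    truncated = tarball_matches_md5(fake_tarball[:-1], sidecar)
    return tarball_name, url, intact, truncated


if __name__ == "__main__":
    name, url, intact, truncated = demo()
    print(name)
    print(url)
    print("intact download verifies:", intact)
    print("truncated download verifies:", truncated)
```

The md5 check is the one step worth keeping once the file names are fixed: the package downloads both the tarball and the .md5, so comparing them before extraction turns a half-downloaded ruleset into a visible failure instead of a silently empty rule load.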
Auto-updating SNORT rules is not working at the moment :(
Check out http://forum.pfsense.org/index.php/topic,26382.0.html for more….
-
Thanks very much for the feedback.
Regards,
Carl

PS: And many thanks to jamesdean!