Netgate Discussion Forum

    Rookie having problem with Snort

      clangren

      I'm a new user of Snort, loaded it yesterday. Using pfsense 1.2.3 and Snort 2.8.6 (pkg v 1.27). Went for the subscription/premium service on Snort. I successfully downloaded and installed Emergingthreats but could not get Snort to load rules. I read many of the posts on this forum and on Snort but probably missed finding the solution which is likely posted. Nonetheless I narrowed down what I perceived the problem to be in two php files: /usr/local/www/snort/snort_download_rules.php and /usr/local/pkg/snort/snort_check_for_rule_updates.php. It appeared (again rookie status) that the variable definitions which pointed at the Snort site had not been updated to account for the new naming convention from the end of June. It also appeared that some of the scripting, in particular the calls to 'download_file_with_progress_bar' (defined in /usr/local/www/system_firmware_auto.php) had this same potential issue. I edited the file /usr/local/pkg/snort/snort_check_for_rule_updates.php at lines 35, 36, 214, 216, 253, 275 and 384. Also edited the file /usr/local/www/snort/snort_download_rules.php at line 42, 43, 394, 396, 433, 477 and 616. The filenames went generally from "snortrules-snapshot-2.8.tar.gz" or ".md5" to "snortrules-snapshot-2860.tar.gz" or ".md5". The calls to 'download_file_with_progress_bar' went generally to "download_file_with_progress_bar2("http://www.snort.org/pub-bin/oinkmaster.cgi/'myoinkcode typed out here'/snortrules-snapshot-2860.tar.gz", $tmpfname . "/{$snort_filename}");".

      Also, when I look at "Services, Snort" the interface shows stopped, but when I look in "Status, Services" it shows Snort as running. The system.log supports what is reported in "Status, Services". Is this normal?

      Just for the record I did try remove and reinstall several times before exploring the php code.

      Any help or direction would be most appreciated.

      Thanks,
      Carl

        DigitalJer

        Auto-updating SNORT rules is not working at the moment :(

        Check out http://forum.pfsense.org/index.php/topic,26382.0.html for more….

        --------------------------------------------------
        2.4.3-RELEASE (amd64)
        built on Mon Mar 26 18:02:04 CDT 2018
        FreeBSD 11.1-RELEASE-p7
        VM in ESXi 5.5
        1 x 1000baseTX (WAN)
        1 x 1000baseTX (LAN)

          clangren

          Thanks very much for the feedback.
          Regards,
          Carl

          PS >> And many thanks to jamesdean!

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.