Snort rules driving me crazy



  • I am running a couple of PFSense firewalls with Snort, but the rules download is driving me crazy.

    First of all, the versions:
    PFSense 1.2.3-RELEASE
    Snort 2.8.6.1 pkg v. 1.34

    I have enabled Snort on all firewalls in the same way and created an OINK code for each firewall so that they do not interfere with each other. But on every firewall I get different behaviour.

    Firewall 1:

    SNORT.ORG >>>  "4e65d3dfa6cf8f804d053d7fa0c44c2e"
    EMERGINGTHREATS.NET >>>  N/A
    PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"

    Firewall 2:

    SNORT.ORG >>>  N/A
    EMERGINGTHREATS.NET >>>  N/A
    PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"

    And then if you look in the categories of the interface:
    Firewall 1:

    attack-responses.rules
    backdoor.rules
    bad-traffic.rules
    blacklist.rules
    botnet-cnc.rules
    chat.rules
    content-replace.rules
    ddos.rules
    deleted.rules
    dns.rules
    dos.rules
    experimental.rules
    exploit.rules
    finger.rules
    ftp.rules
    icmp-info.rules
    icmp.rules
    imap.rules
    info.rules
    local.rules
    misc.rules
    multimedia.rules
    mysql.rules
    netbios.rules
    nntp.rules
    oracle.rules
    other-ids.rules
    p2p.rules
    pfsense-voip.rules
    phishing-spam.rules
    policy.rules
    pop2.rules
    pop3.rules
    rpc.rules
    rservices.rules
    scada.rules
    scan.rules
    shellcode.rules
    smtp.rules
    snmp.rules
    snort_bad-traffic.so.rules
    snort_chat.so.rules
    snort_dos.so.rules
    snort_exploit.so.rules
    snort_icmp.so.rules
    snort_imap.so.rules
    snort_misc.so.rules
    snort_multimedia.so.rules
    snort_netbios.so.rules
    snort_nntp.so.rules
    snort_p2p.so.rules
    snort_smtp.so.rules
    snort_sql.so.rules
    snort_web-activex.so.rules
    snort_web-client.so.rules
    snort_web-iis.so.rules
    snort_web-misc.so.rules
    specific-threats.rules
    spyware-put.rules
    sql.rules
    telnet.rules
    tftp.rules
    virus.rules
    voip.rules
    web-activex.rules
    web-attacks.rules
    web-cgi.rules
    web-client.rules
    web-coldfusion.rules
    web-frontpage.rules
    web-iis.rules
    web-misc.rules
    web-php.rules
    x11.rules

    Firewall 2:

    pfsense-voip.rules
    snort_attack-responses.rules
    snort_backdoor.rules
    snort_bad-traffic.rules
    snort_bad-traffic.so.rules
    snort_blacklist.rules
    snort_botnet-cnc.rules
    snort_chat.rules
    snort_chat.so.rules
    snort_content-replace.rules
    snort_ddos.rules
    snort_deleted.rules
    snort_dns.rules
    snort_dos.rules
    snort_dos.so.rules
    snort_experimental.rules
    snort_exploit.rules
    snort_exploit.so.rules
    snort_finger.rules
    snort_ftp.rules
    snort_icmp-info.rules
    snort_icmp.rules
    snort_icmp.so.rules
    snort_imap.rules
    snort_imap.so.rules
    snort_info.rules
    snort_local.rules
    snort_misc.rules
    snort_misc.so.rules
    snort_multimedia.rules
    snort_multimedia.so.rules
    snort_mysql.rules
    snort_netbios.rules
    snort_netbios.so.rules
    snort_nntp.rules
    snort_nntp.so.rules
    snort_oracle.rules
    snort_other-ids.rules
    snort_p2p.rules
    snort_p2p.so.rules
    snort_phishing-spam.rules
    snort_policy.rules
    snort_pop2.rules
    snort_pop3.rules
    snort_rpc.rules
    snort_rservices.rules
    snort_scada.rules
    snort_scan.rules
    snort_shellcode.rules
    snort_smtp.rules
    snort_smtp.so.rules
    snort_snmp.rules
    snort_specific-threats.rules
    snort_spyware-put.rules
    snort_sql.rules
    snort_sql.so.rules
    snort_telnet.rules
    snort_tftp.rules
    snort_virus.rules
    snort_voip.rules
    snort_web-activex.rules
    snort_web-activex.so.rules
    snort_web-attacks.rules
    snort_web-cgi.rules
    snort_web-client.rules
    snort_web-client.so.rules
    snort_web-coldfusion.rules
    snort_web-frontpage.rules
    snort_web-iis.rules
    snort_web-iis.so.rules
    snort_web-misc.rules
    snort_web-misc.so.rules
    snort_web-php.rules
    snort_x11.rules

    How is this possible? Why is it not the same everywhere? It is impossible to do any system administration work if the differences are this big.
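To check whether two firewalls really differ in the categories they hold, or only in how the files are named, the two listings and the download-status lines can be compared mechanically. The script below is an added example and is not code from this thread or from the pfSense Snort package; the sample data is an excerpt of what was posted for Firewall 1 and Firewall 2, and treating a leading `snort_` on a plain `.rules` file as a source prefix on the same category is an assumption made here, not something the thread establishes.

```python
"""Compare two pfSense/Snort firewalls' rule-download status and rule category
lists, normalising file-name prefixes so that a genuinely missing category is
distinguished from a naming difference.

Added example; not code from the thread or the pfSense Snort package. The
sample data is an excerpt of what the poster showed for Firewall 1 and
Firewall 2. Treating a leading ``snort_`` as a source prefix on the same
category is an assumption made here, not a fact the thread establishes.
"""
import re
from typing import Dict, Iterable, Optional, Set, Tuple

# Excerpt of the rules-update status lines posted for each firewall.
STATUS_FW1 = '''
SNORT.ORG >>>  "4e65d3dfa6cf8f804d053d7fa0c44c2e"
EMERGINGTHREATS.NET >>>  N/A
PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"
'''
STATUS_FW2 = '''
SNORT.ORG >>>  N/A
EMERGINGTHREATS.NET >>>  N/A
PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"
'''

# Excerpt of the category lists posted for each firewall.
CATEGORIES_FW1 = """attack-responses.rules backdoor.rules local.rules
pfsense-voip.rules snort_bad-traffic.so.rules snort_web-misc.so.rules
web-php.rules x11.rules""".split()
CATEGORIES_FW2 = """pfsense-voip.rules snort_attack-responses.rules
snort_backdoor.rules snort_bad-traffic.so.rules snort_local.rules
snort_web-misc.so.rules snort_web-php.rules snort_x11.rules""".split()

STATUS_RE = re.compile(r'^\s*(\S+)\s*>>>\s*(?:"([0-9a-fA-F]{32})"|N/A)\s*$')
SOURCE_PREFIX = "snort_"   # assumed: prefix the package puts on snort.org files


def parse_status(text: str) -> Dict[str, Optional[str]]:
    """Return {source: md5-or-None}; None means the page showed N/A."""
    status: Dict[str, Optional[str]] = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            status[m.group(1)] = m.group(2).lower() if m.group(2) else None
    return status


def category_key(filename: str) -> str:
    """Reduce a rules file name to a comparable category key.

    Shared-object stubs (*.so.rules) carry the prefix on both firewalls in
    the thread, so they are left untouched; for plain text rule files the
    assumed source prefix is removed before comparison.
    """
    if filename.endswith(".so.rules"):
        return filename
    if filename.startswith(SOURCE_PREFIX):
        return filename[len(SOURCE_PREFIX):]
    return filename


def compare_categories(a: Iterable[str], b: Iterable[str]) -> Tuple[Set[str], Set[str], Set[str]]:
    """Return (common, only_in_a, only_in_b) after prefix normalisation."""
    ka = {category_key(f) for f in a}
    kb = {category_key(f) for f in b}
    return ka & kb, ka - kb, kb - ka


def compare_status(sa: Dict[str, Optional[str]], sb: Dict[str, Optional[str]]) -> Dict[str, str]:
    """Classify each download source by comparing the recorded MD5 values."""
    verdicts: Dict[str, str] = {}
    for source in sorted(set(sa) | set(sb)):
        ha, hb = sa.get(source), sb.get(source)
        if ha is None and hb is None:
            verdicts[source] = "not downloaded on either"
        elif ha is None or hb is None:
            verdicts[source] = "downloaded on one firewall only"
        elif ha == hb:
            verdicts[source] = "same rule set"
        else:
            verdicts[source] = "different versions"
    return verdicts


if __name__ == "__main__":
    for src, verdict in compare_status(parse_status(STATUS_FW1), parse_status(STATUS_FW2)).items():
        print(f"{src:22} {verdict}")
    common, only1, only2 = compare_categories(CATEGORIES_FW1, CATEGORIES_FW2)
    print(f"{len(common)} categories in common; only on FW1: {sorted(only1)}; only on FW2: {sorted(only2)}")
```

On the excerpt the status comparison flags SNORT.ORG as downloaded on one firewall only, which is the difference that matters operationally; the category lists line up once the prefix is accounted for, so the names alone do not prove one box is missing signatures. A real missing file (a category present on one side under any name and absent on the other) still shows up in the `only_in_*` sets.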



  • Nobody knows how this can happen (and how it can be fixed)?



  • Are you using the free oinkcodes and if so how many do you have?  I know from past experience you can't have the same oinkcode on both machines, and your machines can't go get updates at the same time using free codes; you'll have to space out the updates between the two.  I believe it's something like 15 mins or so for reset access.  I'm not using it right now, so I can't tell you for sure.  I am guessing that the one got updates and that could have thrown off the list some (one list is more up-to-date than the other), but like I said I'm not using it right now, so I can't say from my recent experience.

    Hope this helps.



  • Yes, we are using the free codes. But I found out in the past that it did not work for more than one firewall because of the limitations. So last week I created codes for all firewalls; that cannot be the problem anymore.

    But thanks for the help, I appreciate it!

