3. Snort rules driving me crazy

Snort rules driving me crazy

  • T

    I am running a couple of PFSense firewalls with Snort but the rules download is driving me crazy.

    First of all, the versions:
    PFSense 1.2.3-RELEASE
    Snort 2.8.6.1 pkg v. 1.34

    I have enabled SNORT on all firewalls on the same way. Created an OINK code for all firewalls so that they are not interfering each other. But on all firewalls I have different behavior.

    Firewall 1:

    SNORT.ORG >>>  "4e65d3dfa6cf8f804d053d7fa0c44c2e"
    EMERGINGTHREATS.NET >>>  N/A
    PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"

    Firewall 2:

    SNORT.ORG >>>  N/A
    EMERGINGTHREATS.NET >>>  N/A
    PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"

    And then if you look in the categories of the interface:
    Firewall 1:

    attack-responses.rules
    backdoor.rules
    bad-traffic.rules
    blacklist.rules
    botnet-cnc.rules
    chat.rules
    content-replace.rules
    ddos.rules
    deleted.rules
    dns.rules
    dos.rules
    experimental.rules
    exploit.rules
    finger.rules
    ftp.rules
    icmp-info.rules
    icmp.rules
    imap.rules
    info.rules
    local.rules
    misc.rules
    multimedia.rules
    mysql.rules
    netbios.rules
    nntp.rules
    oracle.rules
    other-ids.rules
    p2p.rules
    pfsense-voip.rules
    phishing-spam.rules
    policy.rules
    pop2.rules
    pop3.rules
    rpc.rules
    rservices.rules
    scada.rules
    scan.rules
    shellcode.rules
    smtp.rules
    snmp.rules
    snort_bad-traffic.so.rules
    snort_chat.so.rules
    snort_dos.so.rules
    snort_exploit.so.rules
    snort_icmp.so.rules
    snort_imap.so.rules
    snort_misc.so.rules
    snort_multimedia.so.rules
    snort_netbios.so.rules
    snort_nntp.so.rules
    snort_p2p.so.rules
    snort_smtp.so.rules
    snort_sql.so.rules
    snort_web-activex.so.rules
    snort_web-client.so.rules
    snort_web-iis.so.rules
    snort_web-misc.so.rules
    specific-threats.rules
    spyware-put.rules
    sql.rules
    telnet.rules
    tftp.rules
    virus.rules
    voip.rules
    web-activex.rules
    web-attacks.rules
    web-cgi.rules
    web-client.rules
    web-coldfusion.rules
    web-frontpage.rules
    web-iis.rules
    web-misc.rules
    web-php.rules
    x11.rules

    Firewall 2:

    pfsense-voip.rules
    snort_attack-responses.rules
    snort_backdoor.rules
    snort_bad-traffic.rules
    snort_bad-traffic.so.rules
    snort_blacklist.rules
    snort_botnet-cnc.rules
    snort_chat.rules
    snort_chat.so.rules
    snort_content-replace.rules
    snort_ddos.rules
    snort_deleted.rules
    snort_dns.rules
    snort_dos.rules
    snort_dos.so.rules
    snort_experimental.rules
    snort_exploit.rules
    snort_exploit.so.rules
    snort_finger.rules
    snort_ftp.rules
    snort_icmp-info.rules
    snort_icmp.rules
    snort_icmp.so.rules
    snort_imap.rules
    snort_imap.so.rules
    snort_info.rules
    snort_local.rules
    snort_misc.rules
    snort_misc.so.rules
    snort_multimedia.rules
    snort_multimedia.so.rules
    snort_mysql.rules
    snort_netbios.rules
    snort_netbios.so.rules
    snort_nntp.rules
    snort_nntp.so.rules
    snort_oracle.rules
    snort_other-ids.rules
    snort_p2p.rules
    snort_p2p.so.rules
    snort_phishing-spam.rules
    snort_policy.rules
    snort_pop2.rules
    snort_pop3.rules
    snort_rpc.rules
    snort_rservices.rules
    snort_scada.rules
    snort_scan.rules
    snort_shellcode.rules
    snort_smtp.rules
    snort_smtp.so.rules
    snort_snmp.rules
    snort_specific-threats.rules
    snort_spyware-put.rules
    snort_sql.rules
    snort_sql.so.rules
    snort_telnet.rules
    snort_tftp.rules
    snort_virus.rules
    snort_voip.rules
    snort_web-activex.rules
    snort_web-activex.so.rules
    snort_web-attacks.rules
    snort_web-cgi.rules
    snort_web-client.rules
    snort_web-client.so.rules
    snort_web-coldfusion.rules
    snort_web-frontpage.rules
    snort_web-iis.rules
    snort_web-iis.so.rules
    snort_web-misc.rules
    snort_web-misc.so.rules
    snort_web-php.rules
    snort_x11.rules

    How is this possible? Why is it not the same everywhere? It is impossible to do some system administration work if the differences are so big.

    0
  • T

    Nobody knows how this can happen (and fixed)?

    0
  • M

    Are you using the free oinkcodes and if so how many do you have?  I know from past experience you can't have the same oinkcode on both machines and your machines can't go get updates at the same time using free codes; you'll have to space out the the updates between the two.  I believe it's something like 15mins or so for reset access.  I'm not using it right now, so I can't tell you for sure.  I am guessing that the one got updates and that could have thrown off the list some (one list is more up-to-date than the other), but like I said I'm not using it right now, so I can't say from my recent experience.

    Hope this helps.

    0
  • T

    Yes we are using the free codes. But I found out in the past that it did not work for more then 1 firewall because of the limitations. So last week I have created codes for all firewalls, that cannot be the problem anymore.

    But thanks for the help, I appreciate it!

    0
Locked
 

Products

Applications

Support

Services

News

Resources

Company

Our Mission

As host of the pfSense open source firewall project, Netgate believes in enhancing network connectivity that maintains both security and privacy. We also believe everyone should be able to afford it.

Subscribe to our Newsletter

Product information, software announcements, and special offers. See our newsletter archive for past announcements.

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy