Netgate Discussion Forum

    Snort rules driving me crazy

    pfSense Packages
    4 Posts 2 Posters 3.1k Views
    Tha_Duck:

      I am running a couple of pfSense firewalls with Snort, but the rules download is driving me crazy.

      First of all, the versions:
      pfSense 1.2.3-RELEASE
      Snort 2.8.6.1 pkg v. 1.34

      I have enabled Snort on all firewalls in the same way and created an Oinkcode for each firewall so that they do not interfere with each other. But on each firewall I see different behaviour.

      Firewall 1:

      SNORT.ORG >>>  "4e65d3dfa6cf8f804d053d7fa0c44c2e"
      EMERGINGTHREATS.NET >>>  N/A
      PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"

      Firewall 2:

      SNORT.ORG >>>  N/A
      EMERGINGTHREATS.NET >>>  N/A
      PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"

      And then if you look in the categories of the interface:
      Firewall 1:

      attack-responses.rules
      backdoor.rules
      bad-traffic.rules
      blacklist.rules
      botnet-cnc.rules
      chat.rules
      content-replace.rules
      ddos.rules
      deleted.rules
      dns.rules
      dos.rules
      experimental.rules
      exploit.rules
      finger.rules
      ftp.rules
      icmp-info.rules
      icmp.rules
      imap.rules
      info.rules
      local.rules
      misc.rules
      multimedia.rules
      mysql.rules
      netbios.rules
      nntp.rules
      oracle.rules
      other-ids.rules
      p2p.rules
      pfsense-voip.rules
      phishing-spam.rules
      policy.rules
      pop2.rules
      pop3.rules
      rpc.rules
      rservices.rules
      scada.rules
      scan.rules
      shellcode.rules
      smtp.rules
      snmp.rules
      snort_bad-traffic.so.rules
      snort_chat.so.rules
      snort_dos.so.rules
      snort_exploit.so.rules
      snort_icmp.so.rules
      snort_imap.so.rules
      snort_misc.so.rules
      snort_multimedia.so.rules
      snort_netbios.so.rules
      snort_nntp.so.rules
      snort_p2p.so.rules
      snort_smtp.so.rules
      snort_sql.so.rules
      snort_web-activex.so.rules
      snort_web-client.so.rules
      snort_web-iis.so.rules
      snort_web-misc.so.rules
      specific-threats.rules
      spyware-put.rules
      sql.rules
      telnet.rules
      tftp.rules
      virus.rules
      voip.rules
      web-activex.rules
      web-attacks.rules
      web-cgi.rules
      web-client.rules
      web-coldfusion.rules
      web-frontpage.rules
      web-iis.rules
      web-misc.rules
      web-php.rules
      x11.rules

      Firewall 2:

      pfsense-voip.rules
      snort_attack-responses.rules
      snort_backdoor.rules
      snort_bad-traffic.rules
      snort_bad-traffic.so.rules
      snort_blacklist.rules
      snort_botnet-cnc.rules
      snort_chat.rules
      snort_chat.so.rules
      snort_content-replace.rules
      snort_ddos.rules
      snort_deleted.rules
      snort_dns.rules
      snort_dos.rules
      snort_dos.so.rules
      snort_experimental.rules
      snort_exploit.rules
      snort_exploit.so.rules
      snort_finger.rules
      snort_ftp.rules
      snort_icmp-info.rules
      snort_icmp.rules
      snort_icmp.so.rules
      snort_imap.rules
      snort_imap.so.rules
      snort_info.rules
      snort_local.rules
      snort_misc.rules
      snort_misc.so.rules
      snort_multimedia.rules
      snort_multimedia.so.rules
      snort_mysql.rules
      snort_netbios.rules
      snort_netbios.so.rules
      snort_nntp.rules
      snort_nntp.so.rules
      snort_oracle.rules
      snort_other-ids.rules
      snort_p2p.rules
      snort_p2p.so.rules
      snort_phishing-spam.rules
      snort_policy.rules
      snort_pop2.rules
      snort_pop3.rules
      snort_rpc.rules
      snort_rservices.rules
      snort_scada.rules
      snort_scan.rules
      snort_shellcode.rules
      snort_smtp.rules
      snort_smtp.so.rules
      snort_snmp.rules
      snort_specific-threats.rules
      snort_spyware-put.rules
      snort_sql.rules
      snort_sql.so.rules
      snort_telnet.rules
      snort_tftp.rules
      snort_virus.rules
      snort_voip.rules
      snort_web-activex.rules
      snort_web-activex.so.rules
      snort_web-attacks.rules
      snort_web-cgi.rules
      snort_web-client.rules
      snort_web-client.so.rules
      snort_web-coldfusion.rules
      snort_web-frontpage.rules
      snort_web-iis.rules
      snort_web-iis.so.rules
      snort_web-misc.rules
      snort_web-misc.so.rules
      snort_web-php.rules
      snort_x11.rules

      How is this possible? Why is it not the same everywhere? It is impossible to do some system administration work if the differences are so big.

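Added example (not part of the thread, and not pfSense or Snort package code): a small script that takes the two listings and the two md5 status blocks quoted in the post and compares them. Names are compared twice, once as printed and once after stripping a leading `snort_` prefix; the assumption that this prefix is only a naming difference between the two installations is mine, not something the post states. Applied to the lists above, the raw comparison reports 56 files on each side that the other lacks, the normalised comparison reports no difference at all, and the status comparison singles out SNORT.ORG as the only source whose tarball is present on one firewall and N/A on the other.

```python
import re

# Rule category listings as printed in the post above, firewall 1 then firewall 2.
FW1_RULES = """
attack-responses.rules backdoor.rules bad-traffic.rules blacklist.rules botnet-cnc.rules
chat.rules content-replace.rules ddos.rules deleted.rules dns.rules dos.rules experimental.rules
exploit.rules finger.rules ftp.rules icmp-info.rules icmp.rules imap.rules info.rules local.rules
misc.rules multimedia.rules mysql.rules netbios.rules nntp.rules oracle.rules other-ids.rules
p2p.rules pfsense-voip.rules phishing-spam.rules policy.rules pop2.rules pop3.rules rpc.rules
rservices.rules scada.rules scan.rules shellcode.rules smtp.rules snmp.rules
snort_bad-traffic.so.rules snort_chat.so.rules snort_dos.so.rules snort_exploit.so.rules
snort_icmp.so.rules snort_imap.so.rules snort_misc.so.rules snort_multimedia.so.rules
snort_netbios.so.rules snort_nntp.so.rules snort_p2p.so.rules snort_smtp.so.rules
snort_sql.so.rules snort_web-activex.so.rules snort_web-client.so.rules snort_web-iis.so.rules
snort_web-misc.so.rules specific-threats.rules spyware-put.rules sql.rules telnet.rules
tftp.rules virus.rules voip.rules web-activex.rules web-attacks.rules web-cgi.rules
web-client.rules web-coldfusion.rules web-frontpage.rules web-iis.rules web-misc.rules
web-php.rules x11.rules
""".split()

FW2_RULES = """
pfsense-voip.rules snort_attack-responses.rules snort_backdoor.rules snort_bad-traffic.rules
snort_bad-traffic.so.rules snort_blacklist.rules snort_botnet-cnc.rules snort_chat.rules
snort_chat.so.rules snort_content-replace.rules snort_ddos.rules snort_deleted.rules
snort_dns.rules snort_dos.rules snort_dos.so.rules snort_experimental.rules snort_exploit.rules
snort_exploit.so.rules snort_finger.rules snort_ftp.rules snort_icmp-info.rules snort_icmp.rules
snort_icmp.so.rules snort_imap.rules snort_imap.so.rules snort_info.rules snort_local.rules
snort_misc.rules snort_misc.so.rules snort_multimedia.rules snort_multimedia.so.rules
snort_mysql.rules snort_netbios.rules snort_netbios.so.rules snort_nntp.rules snort_nntp.so.rules
snort_oracle.rules snort_other-ids.rules snort_p2p.rules snort_p2p.so.rules
snort_phishing-spam.rules snort_policy.rules snort_pop2.rules snort_pop3.rules snort_rpc.rules
snort_rservices.rules snort_scada.rules snort_scan.rules snort_shellcode.rules snort_smtp.rules
snort_smtp.so.rules snort_snmp.rules snort_specific-threats.rules snort_spyware-put.rules
snort_sql.rules snort_sql.so.rules snort_telnet.rules snort_tftp.rules snort_virus.rules
snort_voip.rules snort_web-activex.rules snort_web-activex.so.rules snort_web-attacks.rules
snort_web-cgi.rules snort_web-client.rules snort_web-client.so.rules snort_web-coldfusion.rules
snort_web-frontpage.rules snort_web-iis.rules snort_web-iis.so.rules snort_web-misc.rules
snort_web-misc.so.rules snort_web-php.rules snort_x11.rules
""".split()

# Rule-set status lines as the package prints them, copied from the post.
FW1_STATUS = """
SNORT.ORG >>>  "4e65d3dfa6cf8f804d053d7fa0c44c2e"
EMERGINGTHREATS.NET >>>  N/A
PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"
"""
FW2_STATUS = """
SNORT.ORG >>>  N/A
EMERGINGTHREATS.NET >>>  N/A
PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"
"""

STATUS_RE = re.compile(r'^\s*(\S+)\s*>>>\s*"?([0-9a-f]{32}|N/A)"?\s*$')


def parse_status(text):
    """Map each rule source to the md5 of its downloaded tarball, or None for N/A."""
    result = {}
    for line in text.splitlines():
        m = STATUS_RE.match(line)
        if m:
            result[m.group(1)] = None if m.group(2) == "N/A" else m.group(2)
    return result


def canonical(name):
    """Drop a leading 'snort_' so both naming schemes compare alike.
    Assumption (mine, not from the thread): the prefix is only cosmetic."""
    return name[len("snort_"):] if name.startswith("snort_") else name


def compare_rule_dirs(a, b):
    """Files present on one side only, first by raw name, then by canonical name."""
    ca = {canonical(n) for n in a}
    cb = {canonical(n) for n in b}
    return {
        "raw_only_a": sorted(set(a) - set(b)),
        "raw_only_b": sorted(set(b) - set(a)),
        "norm_only_a": sorted(ca - cb),
        "norm_only_b": sorted(cb - ca),
    }


def compare_status(a, b):
    """Sources whose tarball md5 differs between the two firewalls (None = N/A)."""
    sa, sb = parse_status(a), parse_status(b)
    return {src: (sa.get(src), sb.get(src))
            for src in sorted(set(sa) | set(sb)) if sa.get(src) != sb.get(src)}


if __name__ == "__main__":
    d = compare_rule_dirs(FW1_RULES, FW2_RULES)
    print("raw names only on fw1:", len(d["raw_only_a"]), "only on fw2:", len(d["raw_only_b"]))
    print("after normalising the prefix, only on fw1:", d["norm_only_a"], "only on fw2:", d["norm_only_b"])
    print("tarball md5 mismatches:", compare_status(FW1_STATUS, FW2_STATUS))
```

Run it on a listing of `/usr/local/etc/snort/rules` from each box instead of the embedded lists to check whether a difference is a real missing category or only a file-naming difference; the md5 comparison is the quicker tell, since an N/A on one side means that source's tarball never arrived there, which is where the oinkcode and download-timing limits discussed later in the thread come in.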
      Tha_Duck:

        Nobody knows how this can happen (and how to fix it)?

        mentalhemroids:

          Are you using the free oinkcodes, and if so, how many do you have? I know from past experience you can't have the same oinkcode on both machines, and your machines can't go get updates at the same time using free codes; you'll have to space out the updates between the two. I believe it's something like 15 mins or so for reset access. I'm not using it right now, so I can't tell you for sure. I am guessing that the one got updates and that could have thrown off the list some (one list is more up-to-date than the other), but like I said I'm not using it right now, so I can't say from my recent experience.

          Hope this helps.

          Tha_Duck:

            Yes, we are using the free codes. But I found out in the past that it did not work for more than 1 firewall because of the limitations. So last week I created codes for all firewalls; that cannot be the problem anymore.

            But thanks for the help, I appreciate it!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.