Snort rules driving me crazy
-
I am running a couple of pfSense firewalls with Snort, but the rules download is driving me crazy.
First of all, the versions:
pfSense 1.2.3-RELEASE
Snort 2.8.6.1 pkg v. 1.34
I have enabled Snort on all firewalls in the same way. I created an oinkcode for all firewalls so that they do not interfere with each other. But on all firewalls I see different behavior.
Firewall 1:
SNORT.ORG >>> "4e65d3dfa6cf8f804d053d7fa0c44c2e"
EMERGINGTHREATS.NET >>> N/A
PFSENSE.ORG >>> "e8a95fd5f1b40e878fedeffd585134bb"
Firewall 2:
SNORT.ORG >>> N/A
EMERGINGTHREATS.NET >>> N/A
PFSENSE.ORG >>> "e8a95fd5f1b40e878fedeffd585134bb"
And then if you look at the categories in the interface:
Firewall 1:
attack-responses.rules
backdoor.rules
bad-traffic.rules
blacklist.rules
botnet-cnc.rules
chat.rules
content-replace.rules
ddos.rules
deleted.rules
dns.rules
dos.rules
experimental.rules
exploit.rules
finger.rules
ftp.rules
icmp-info.rules
icmp.rules
imap.rules
info.rules
local.rules
misc.rules
multimedia.rules
mysql.rules
netbios.rules
nntp.rules
oracle.rules
other-ids.rules
p2p.rules
pfsense-voip.rules
phishing-spam.rules
policy.rules
pop2.rules
pop3.rules
rpc.rules
rservices.rules
scada.rules
scan.rules
shellcode.rules
smtp.rules
snmp.rules
snort_bad-traffic.so.rules
snort_chat.so.rules
snort_dos.so.rules
snort_exploit.so.rules
snort_icmp.so.rules
snort_imap.so.rules
snort_misc.so.rules
snort_multimedia.so.rules
snort_netbios.so.rules
snort_nntp.so.rules
snort_p2p.so.rules
snort_smtp.so.rules
snort_sql.so.rules
snort_web-activex.so.rules
snort_web-client.so.rules
snort_web-iis.so.rules
snort_web-misc.so.rules
specific-threats.rules
spyware-put.rules
sql.rules
telnet.rules
tftp.rules
virus.rules
voip.rules
web-activex.rules
web-attacks.rules
web-cgi.rules
web-client.rules
web-coldfusion.rules
web-frontpage.rules
web-iis.rules
web-misc.rules
web-php.rules
x11.rules
Firewall 2:
pfsense-voip.rules
snort_attack-responses.rules
snort_backdoor.rules
snort_bad-traffic.rules
snort_bad-traffic.so.rules
snort_blacklist.rules
snort_botnet-cnc.rules
snort_chat.rules
snort_chat.so.rules
snort_content-replace.rules
snort_ddos.rules
snort_deleted.rules
snort_dns.rules
snort_dos.rules
snort_dos.so.rules
snort_experimental.rules
snort_exploit.rules
snort_exploit.so.rules
snort_finger.rules
snort_ftp.rules
snort_icmp-info.rules
snort_icmp.rules
snort_icmp.so.rules
snort_imap.rules
snort_imap.so.rules
snort_info.rules
snort_local.rules
snort_misc.rules
snort_misc.so.rules
snort_multimedia.rules
snort_multimedia.so.rules
snort_mysql.rules
snort_netbios.rules
snort_netbios.so.rules
snort_nntp.rules
snort_nntp.so.rules
snort_oracle.rules
snort_other-ids.rules
snort_p2p.rules
snort_p2p.so.rules
snort_phishing-spam.rules
snort_policy.rules
snort_pop2.rules
snort_pop3.rules
snort_rpc.rules
snort_rservices.rules
snort_scada.rules
snort_scan.rules
snort_shellcode.rules
snort_smtp.rules
snort_smtp.so.rules
snort_snmp.rules
snort_specific-threats.rules
snort_spyware-put.rules
snort_sql.rules
snort_sql.so.rules
snort_telnet.rules
snort_tftp.rules
snort_virus.rules
snort_voip.rules
snort_web-activex.rules
snort_web-activex.so.rules
snort_web-attacks.rules
snort_web-cgi.rules
snort_web-client.rules
snort_web-client.so.rules
snort_web-coldfusion.rules
snort_web-frontpage.rules
snort_web-iis.rules
snort_web-iis.so.rules
snort_web-misc.rules
snort_web-misc.so.rules
snort_web-php.rules
snort_x11.rules
How is this possible? Why is it not the same everywhere? It is impossible to do any system administration work if the differences are so big.
-
Nobody knows how this can happen (and how it can be fixed)?
-
Are you using the free oinkcodes, and if so, how many do you have? I know from past experience that you can't have the same oinkcode on both machines, and your machines can't go get updates at the same time using free codes; you'll have to space out the updates between the two. I believe it's something like 15 mins or so before access is reset. I'm not using it right now, so I can't tell you for sure. I am guessing that one got updates and that could have thrown off the list somewhat (one list is more up-to-date than the other), but like I said, I'm not using it right now, so I can't say from recent experience.
Hope this helps.
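An added example, not code from the thread or from the pfSense Snort package, for the two questions raised above: whether the two firewalls actually carry different rule categories (first post) or one of them is simply more up to date (the reply). It strips the `snort_` file-name prefix that Firewall 2's listing carries and diffs the normalised category sets, so a naming difference is not mistaken for a missing or extra category. The sample lists are a constructed subset of the two lists in the first post; on a real box you would feed it the file names from each firewall's rules directory (the path `/usr/local/etc/snort/rules` in the comment is an assumption, check your install). Run over the two full lists in the first post, the normalised sets come out identical, file for file.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Snort package.
# Compares the rule category sets of two Snort installs after removing the
# "snort_" file-name prefix seen on Firewall 2, so that a naming difference is
# not mistaken for a missing or extra category.

# Constructed sample input: a subset of the two category lists in the thread.
# On a real firewall you would use something like
#   FW1_LIST=$(ssh fw1 ls /usr/local/etc/snort/rules)   # path is an assumption
FW1_LIST='attack-responses.rules
backdoor.rules
pfsense-voip.rules
snort_bad-traffic.so.rules
snort_web-client.so.rules
web-php.rules
x11.rules'

FW2_LIST='pfsense-voip.rules
snort_attack-responses.rules
snort_backdoor.rules
snort_bad-traffic.so.rules
snort_web-client.so.rules
snort_web-php.rules
snort_x11.rules'

# normalise_categories: read file names on stdin, drop a leading "snort_"
# (a .so.rules name keeps its ".so", so shared-object categories stay distinct
# from the plain-text ones) and print the sorted, de-duplicated set.
normalise_categories() {
    sed 's/^snort_//' | sort -u
}

# only_in_first A B: print the lines of A that do not occur (exact match) in B.
only_in_first() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%s\n' "$2" | grep -qxF -- "$line" || printf '%s\n' "$line"
    done
}

# compare_rule_sets LIST1 LIST2: print "< name" for categories only on the
# first firewall and "> name" for those only on the second; return 0 when the
# normalised sets are identical, 1 otherwise.
compare_rule_sets() {
    a=$(printf '%s\n' "$1" | normalise_categories)
    b=$(printf '%s\n' "$2" | normalise_categories)
    [ "$a" = "$b" ] && return 0
    only_in_first "$a" "$b" | sed 's/^/< /'
    only_in_first "$b" "$a" | sed 's/^/> /'
    return 1
}

# Stand-alone run: report whether the two sample sets match.
if compare_rule_sets "$FW1_LIST" "$FW2_LIST"; then
    echo "identical category sets after normalisation"
else
    echo "category sets differ (see lines above)"
fi
```

If the script does report differences, the `<` and `>` lines are the categories to look for in the rules tarball each firewall last downloaded; if it reports none, the two boxes are loading the same categories under different file names, and the remaining differences to chase are the missing snort.org md5 on Firewall 2 and the update timing the reply describes.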
-
Yes, we are using the free codes. But I found out in the past that it did not work for more than one firewall because of the limitations. So last week I created codes for all firewalls; that cannot be the problem anymore.
But thanks for the help, I appreciate it!