Snort Rules Download - 1.2.3



  • I have been trying for days to get snort rules and so far no luck. When I go to Update, it says a new set of Snort rules has been posted, stays there for a split second, then moves on to Emerging Threats. Those download just fine.

    If I go to Snort.org and manually grab them it works. I even tried to 'fetch' with my oink code and it works fine too. Is something broken in the package or is snort.org just not ponying up the rules for pfsense?

    Btw, I have never had one successful update so I only have emerging threats installed. Maybe those are good enough… I am not an expert of rules and IDS so I am not sure if you need both.

    Thanks.



  • Any current info about this available yet? I checked today and still no snort.org downloads happening. I did figure out how to install the rules manually so I can work around it for now but the auto update is sure nice.

    Thanks.



  • Same here. Snort rules are not being downloaded. Did a clean install of pfsense 1.2.3

    Something is definitely wrong.

    SNORT.ORG >>>  N/A
    EMERGINGTHREATS.NET >>>  34e8f7d0ff7585cae81372ce095f8c64
    PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"

    Getting really ticked off now. >:( Moved from 2.0 RC3 to 1.2.3 just for Snort. And now it's broken here too. Not sure why changes are being done without proper testings. >:(



  • @asterix:

    Same here. Snort rules are not being downloaded. Did a clean install of pfsense 1.2.3

    Something is definitely wrong.

    SNORT.ORG >>>  N/A
    EMERGINGTHREATS.NET >>>  34e8f7d0ff7585cae81372ce095f8c64
    PFSENSE.ORG >>>  "e8a95fd5f1b40e878fedeffd585134bb"

    Getting really ticked off now. >:( Moved from 2.0 RC3 to 1.2.3 just for Snort. And now it's broken here too. Not sure why changes are being done without proper testings. >:(

    Have you tried to manually update? Search the forum, there's a couple of how-tos around.

    Snort is working for the most part on 2.0 i386.. Still has some little bugs but it's alerting and blocking. The core pfSense devs have taken over Snort for 2.0 to get it back into working order… I don't know about 1.2.3.

    Up until now, Snort was not maintained by the core dev team but by a single person who coded this during his spare time.

    It wouldn't hurt to put a ticket in, but make sure you state it's not working on 1.2.3.



  • Manual updates don't work either. I tried my options before posting. Not sure why someone tries to fix something that ain't broken.



  • I could be wrong but I don't think anything changed with the 1.2.3 package.. I'm always looking at changes that are made to pfSense and to the packages. I believe snort.org may have changed their website again. This has happened a couple of times and if you can't manually update, then I'm thinking that's the case.

    I was able to download the rules using the below code… Now I don't have 1.2.3, so you will have to fine tune it for your dir and interfaces.... Also you may have to change the file name to match the version of rules that the 1.2.3 package uses:

    
    #!/bin/sh
    # your oink code from snort.org (replace the placeholder text)
    OINKCODE="insert oink code here"
    RULES=snortrules-snapshot-2861.tar.gz
    cd /var/tmp || exit 1
    # get the update; stop if the download fails
    fetch "http://www.snort.org/pub-bin/oinkmaster.cgi/${OINKCODE}/${RULES}" || exit 1
    # unpack only the rules/ directory from the update
    tar -zxvf "$RULES" -C /usr/local/etc/snort/ rules/ || exit 1
    # copy the rules to each interface snort is using
    cp /usr/local/etc/snort/rules/*.* /usr/local/etc/snort/[yourinterface2directory]/rules/
    #cp /usr/local/etc/snort/rules/*.* /usr/local/etc/snort/[yourinterface3directory]/rules/
    # repeat that for each interface you are using
    # reload snort to use the new rules
    /usr/local/etc/rc.d/snort.sh reload
    rm "$RULES"
    
    

    this site has the file names for snort 2.9 and 2.8.6

    Hope this helps.
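
An added example, not part of the thread or of the pfSense Snort package: a pre-extraction check for the manual procedure in the post above, which unpacks a downloaded file as root. It assumes the layout that script implies (a `rules/` directory holding `.rules` files); the function names and return codes are hypothetical.

```shell
#!/bin/sh
# Sanity-check a downloaded rules tarball before it is extracted as root.

# Reads member names on stdin; fails if any is absolute or has a ".." component.
members_are_safe() {
    while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/..|*/../*) return 1 ;;
        esac
    done
    return 0
}

# check_rules_tarball FILE
#   0  readable gzip tar with safe member names and at least one rules/*.rules
#   2  file missing or empty
#   3  not a gzip tar (for example an HTML page saved under the .tar.gz name)
#   4  a member name would land outside the extraction directory
#   5  archive holds no rules/*.rules files
check_rules_tarball() {
    file=$1
    [ -s "$file" ] || return 2
    list=$(tar -tzf "$file" 2>/dev/null) || return 3
    printf '%s\n' "$list" | members_are_safe || return 4
    printf '%s\n' "$list" | grep -q '^rules/.*\.rules$' || return 5
    return 0
}

# Stand-alone use: sh check.sh snortrules-snapshot-2861.tar.gz
if [ "$#" -gt 0 ]; then
    check_rules_tarball "$1" && echo "ok: $1" || echo "rejected: $1 (code $?)"
fi
```

In the manual script the call belongs between the `fetch` and `tar -zxvf` steps, so a download that is not the expected archive stops the update before the existing rules are touched.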



  • Been there.. done that :D. Doesn't work.



  • @asterix:

    Been there.. done that :D. Doesn't work.

    works on 2.0 i386



  • Maybe.. but 1.2.3 does not.. Kinda sux.



  • I bit the bullet and upgraded to 2.0 RC3 last night. So far it is working perfectly. Every feature I used in Snort before works. The updater works properly now too.

    I just did the 2.0 upgrade and it is using whichever version of Snort it had before and it all seems to be working fine.

    So far 2.0 seems like a good route to take.



  • i386 or amd64 version? I suspect i386 as Snort is still broken on amd64



  • @compucoder:

    I bit the bullet and upgraded to 2.0 RC3 last night. So far it is working perfectly. Every feature I used in Snort before works. The updater works properly now too.

    I just did the 2.0 upgrade and it is using whichever version of Snort it had before and it all seems to be working fine.

    So far 2.0 seems like a good route to take.

    Have you looked at Snort to see what's running? I have had an issue with Snort not starting and refusing to start when doing it manually. I have tried reinstalling and uninstalling, so far no go. I think there is a bug with 2.0 RC3 and Snort; I have also had an issue with HAVP antivirus hanging the system. After hours of working with them, I removed both and all issues went away.

