Snort rules version versus Snort version – not matching up anymore ??



  • I have the i386 version of pfSense 2.0-RC3 running on my firewall.  I initially did a fresh install of the August 30 snapshot.  The Snort package at that time reported itself in the Packages menu as 2.8.6.1.  It would start and run just fine with all my normal collection of Emerging Threats and Snort Rules categories selected.

    Beginning with the September 1 snapshot update which I allowed to install via AutoUpdate, Snort changed to version 2.9.0.5 in the Packages menu.  It also would not start.  I found that if I deselected all my Snort Rules and left just the Emerging Threats active, Snort would start.  After much trial and error trying one category at the time, I found that only a few of the Snort Rules would work.  One category that would not is Snort Exploits.  This behavior continues with the latest September 2 update.

    Digging around in /usr/local/etc/snort I see that the rules file downloaded is snortrules-snapshot-2861.tar.gz.  On the Snort site itself, I see what I think should be the correct rules file listed as snortrules-snapshot-2905.tar.gz.  Why is Snort 2.9.0.5 downloading rules that seem to be for 2.8.6.1?  I'm still new to Snort, so maybe this is correct; but it does seem a bit strange.

    By the way, when I enable any of the Snort Rule categories that don't work, I get no error in the GUI System Log.  Snort just does not start.  Anyone have a suggestion?

    Thanks,



  • Just fixed in the package.
    Thank you for the analysis and the time put into this.

    IMO it's not very well coded and is obfuscated.
    I will log it in redmine.pfsense.org as an improvement to be made.



  • Thanks Ermal for the quick turnaround.  I saw at least three places within the PHP code itself in snort_download_rules.php where the 2.8.6.x version was hard-coded.  One of them was the path to the Emerging Threats snapshot, and the other two were down in the section where the shared objects rules are unpacked.  There is a DEFINE in the top of the file that specifies the Snort rules filename.  My suggestion would be to incorporate DEFINEs at the top of the PHP file for all the version info and then simply refer to those variables within the PHP code itself.

    Bill
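One way to implement the single-DEFINE approach Bill suggests, written here as an added example that is not part of this thread or of the pfSense snort package (the constant and function names, the Emerging Threats path layout and the sample `snort -V` line are this example's own assumptions; only the `snortrules-snapshot-<version>.tar.gz` naming and the `/usr/local/etc/snort` path come from the thread):

```php
<?php
// Added example, not the pfSense snort package's own code: keep the Snort
// version in ONE place and derive every rules-snapshot name and path from it,
// so no "2861" or "2.8.6" literal has to be hunted down across the script.

define('SNORT_VERSION', '2.9.0.5');                 // the only place the version lives
define('SNORT_RULES_DIR', '/usr/local/etc/snort');  // path mentioned in the thread

// "2.9.0.5" -> "2905": the form used in snortrules-snapshot-<ver>.tar.gz
function snapshot_version_tag(string $version): string {
    return str_replace('.', '', $version);
}

// "2.9.0.5" -> "2.9.0": major.minor.patch without the build digit
function short_version(string $version): string {
    return implode('.', array_slice(explode('.', $version), 0, 3));
}

// Snort VRT snapshot file name for the configured (or a given) version.
function snort_rules_snapshot_filename(string $version = SNORT_VERSION): string {
    return 'snortrules-snapshot-' . snapshot_version_tag($version) . '.tar.gz';
}

// Emerging Threats bundles are published per Snort version. The directory
// layout below is HYPOTHETICAL (an assumption for this example); the point is
// that it is computed from SNORT_VERSION rather than typed in by hand.
function emerging_threats_path(string $version = SNORT_VERSION): string {
    return 'snort-' . short_version($version) . '/emerging.rules.tar.gz';
}

// Sanity check before (re)starting Snort: does the tarball on disk match the
// running binary?  This is exactly the 2861-vs-2.9.0.5 mismatch the thread
// reports.  $snort_v_output is the "Version ..." line of `snort -V`, passed in
// as a string so the check can be unit-tested offline.
function rules_match_binary(string $tarball_path, string $snort_v_output): bool {
    if (!preg_match('/Version\s+(\d+(?:\.\d+)+)/', $snort_v_output, $m)) {
        return false;   // binary version unknown: refuse rather than guess
    }
    return basename($tarball_path) === snort_rules_snapshot_filename($m[1]);
}

// Constructed sample values (not captured from a real system) to exercise the helpers.
$binary_line = 'Version 2.9.0.5 IPv6 GRE (Build 135)';
$candidates  = [
    SNORT_RULES_DIR . '/snortrules-snapshot-2861.tar.gz',   // the stale file from the thread
    SNORT_RULES_DIR . '/' . snort_rules_snapshot_filename(), // derived from SNORT_VERSION
];
foreach ($candidates as $tarball) {
    printf("%s matches binary: %s\n", basename($tarball),
           rules_match_binary($tarball, $binary_line) ? 'yes' : 'NO, do not unpack');
}
printf("ET path: %s\n", emerging_threats_path());
```

With this layout a version bump is a one-line change to `SNORT_VERSION`, and `rules_match_binary()` gives the package a cheap guard to log a clear message instead of silently failing to start when the downloaded snapshot was built for a different Snort release.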



  • Patches accepted but for now it should be ok.



  • I removed and reinstalled the package to pick up your changes.  I can't get Snort to start at all now.  It churns for a while and then just prints "…snort exiting" in the system log.

    I looked in snort_download_rules.php and there are still some spots where the old version is hard-coded for the rules path.  The next spot I found was in the section where the fetch from Emerging Threats is done.  That explicitly pulls the 2.8.6 version instead of 2.9.0.  I'm wondering if there are other places in other modules of the code where the 2.8.6.x version is hard-coded.  I will continue looking through the PHP and INC files that I can find.

    UPDATE -- I edited all the remaining hard-coded locations in the PHP and INC files to be 2.9.0.x instead of 2.8.6.x, but still could not get Snort to start with all my normal rule categories enabled.  Through trial and error I've thus far found that any of the following categories will kill the startup if enabled.  With all of these disabled, Snort will start.

    snort_spyware_put.rules
    snort_web_activex.rules
    snort_web_client.rules



  • Hi,

    If snort_p2p.rules is enabled, Snort doesn't start either. There are many other rules that didn't work.

    Regards,

    Valle



  • More fixes went in, reinstall again.



  • Hi,

    have reinstalled snort after your post.

    Now I get a

    Parse error: syntax error, unexpected '}' in /usr/local/www/snort/snort_download_rules.php on line 481

    if I want to update the rule set.

    I have deleted the '}' in line 481 and now the script works.

    Regards, Valle



  • Continue on the other thread please.

