Netgate Discussion Forum

    Snort rules version versus Snort version – not matching up anymore ??

    pfSense Packages
    9 Posts 3 Posters 3.9k Views
    • bmeeks

      I have the i386 version of pfSense 2.0-RC3 running on my firewall.  I initially did a fresh install of the August 30 snapshot.  The Snort package at that time reported itself in the Packages menu as 2.8.6.1.  It would start and run just fine with all my normal collection of Emerging Threats and Snort Rules categories selected.

      Beginning with the September 1 snapshot update, which I allowed to install via AutoUpdate, Snort changed to version 2.9.0.5 in the Packages menu. It also would not start. I found that if I deselected all my Snort Rules and left just the Emerging Threats active, Snort would start. After much trial and error trying one category at a time, I found that only a few of the Snort Rules would work. One category that would not is Snort Exploits. This behavior continues with the latest September 2 update.

      Digging around in /usr/local/etc/snort I see that the rules file downloaded is snortrules-snapshot-2861.tar.gz.  On the Snort site itself, I see what I think should be the correct rules file listed as snortrules-snapshot-2905.tar.gz.  Why is Snort 2.9.0.5 downloading rules that seem to be for 2.8.6.1?  I'm still new to Snort, so maybe this is correct; but it does seem a bit strange.

      By the way, when I enable any of the Snort Rule categories that don't work, I get no error in the GUI System Log.  Snort just does not start.  Anyone have a suggestion?

      Thanks,

      • eri--

        Just fixed in the package.
        Thank you for the analysis and time putting on this.

        IMO it's not very well coded and is obfuscated.
        I will log it in redmine.pfsense.org as an improvement to be made.

        • bmeeks

          Thanks Ermal for the quick turnaround.  I saw at least three places within the PHP code itself in snort_download_rules.php where the 2.8.6.x version was hard-coded.  One of them was the path to the Emerging Threats snapshot, and the other two were down in the section where the shared objects rules are unpacked.  There is a DEFINE in the top of the file that specifies the Snort rules filename.  My suggestion would be to incorporate DEFINEs at the top of the PHP file for all the version info and then simply refer to those variables within the PHP code itself.

          Bill

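The two checks a practitioner would want after reading the first post and the reply above (is the downloaded VRT tarball the one for the installed Snort, and where are the stale hard-coded version literals in the PHP?) as an added shell example. This is not code from the pfSense Snort package; the paths under /usr/local (snort binary, rules directory, snort_download_rules.php) are assumed pfSense 2.0 locations, and the PHP lines the demo scans are constructed for the example rather than copied from the package.

```shell
#!/bin/sh
# Added example for this thread; not code from the pfSense Snort package.
# Derives the VRT rules tarball name Snort should be fetching from the running
# Snort version, checks a downloaded tarball against it, and hunts for stale
# hard-coded version literals in a PHP/INC file. The /usr/local paths in the
# usage comment are assumed pfSense 2.0 defaults.

# "2.9.0.5" -> "snortrules-snapshot-2905.tar.gz" (snort.org naming: dots dropped)
snort_rules_snapshot_name() {
    printf 'snortrules-snapshot-%s.tar.gz\n' "$(printf '%s' "$1" | tr -d '.')"
}

# Pull "2.9.0.5" out of the `snort -V` banner ("... Version 2.9.0.5 (Build 135)").
snort_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^.*Version \([0-9][0-9.]*[0-9]\).*$/\1/p' | head -n 1
}

# Exit 0 when the tarball's basename is the one expected for version $1, else 1.
check_rules_match() {
    version=$1 tarball=$2
    [ "$(basename "$tarball")" = "$(snort_rules_snapshot_name "$version")" ]
}

# Print "line:text" for each line of file $1 carrying a version literal
# (x.y.z, x.y.z.w or snortrules-snapshot-NNNN) that does not belong to $2.
# Heuristic: the major.minor.patch branch (2.9.0) or the compact form (2905)
# counts as current; any other version-looking literal is reported.
find_stale_version_literals() {
    file=$1 want=$2
    branch_re=$(printf '%s' "${want%.*}" | sed 's/\./\\./g')   # 2\.9\.0
    compact=$(printf '%s' "$want" | tr -d '.')                  # 2905
    grep -nE '[0-9]\.[0-9]+\.[0-9]+(\.[0-9]+)?|snortrules-snapshot-[0-9]+' "$file" \
        | grep -vE "$branch_re|$compact" || true
}

count_stale_version_literals() {
    find_stale_version_literals "$1" "$2" | wc -l | tr -d ' '
}

# Constructed stand-in for snort_download_rules.php: these lines are made up
# for the demo (one current literal, three stale 2.8.6.x ones).
write_sample_php() {
    cat > "$1" <<'EOF'
<?php
define("VRT_RULES_FILE", "snortrules-snapshot-2861.tar.gz");
$et_url = "http://rules.emergingthreats.net/open/snort-2.8.6/emerging.rules.tar.gz";
$snort_version = "2.9.0.5";
$so_dir = "/usr/local/lib/snort_dynamicrules/";
exec("/bin/tar xzf {$tmpfname}/snortrules-snapshot-2861.tar.gz so_rules/precompiled/FreeBSD-8-1/i386/2.8.6.1");
EOF
}

# Typical use on the firewall (assumed paths):
#   ver=$(snort_version_from_banner "$(/usr/local/bin/snort -V 2>&1)")
#   check_rules_match "$ver" /usr/local/etc/snort/snortrules-snapshot-*.tar.gz
#   find_stale_version_literals /usr/local/www/snort/snort_download_rules.php "$ver"
```

The literal hunt is deliberately loose (any x.y.z string is a candidate) so that a version buried in an Emerging Threats URL or a shared-object unpack path, the two spots named in the thread, is reported rather than missed; false positives such as IP addresses are cheap to ignore by eye.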
          • eri--

            Patches accepted but for now it should be ok.

            • bmeeks

              I removed and reinstalled the package to pick up your changes. I can't get Snort to start at all now. It churns for a while and then just prints "…snort exiting" in the system log.

              I looked in snort_download_rules.php and there are still some spots where the old version is hard-coded for the rules path. The next spot I found was in the section where the fetch from Emerging Threats is done. That explicitly pulls the 2.8.6 version instead of 2.9.0. I'm wondering if there are other places in other modules of the code where the 2.8.6.x version is hard-coded. I will continue looking through the PHP and INC files that I can find.

              UPDATE -- I edited all the remaining hard-coded locations in the PHP and INC files to be 2.9.0.x instead of 2.8.6.x, but still could not get Snort to start with all my normal rule categories enabled.  Through trial and error I've thus far found that any of the following categories will kill the startup if enabled.  With all of these disabled, Snort will start.

              snort_spyware_put.rules
              snort_web_activex.rules
              snort_web_client.rules

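The category-by-category trial and error described in the post above can be automated with Snort's own configuration self-test (snort -T), which also prints the parse error that never reaches the GUI system log. The following shell script is an added example, not code from the pfSense Snort package: the snort binary path is an assumption, the script expects to be pointed at the snort.conf the package generated for an interface, and the sample conf it writes is constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread; not code from the pfSense Snort package.
# Runs Snort's configuration self-test (snort -T) once per enabled rule
# category, so a category that silently kills startup is found automatically
# and can then be re-run alone to read its parse error. SNORT_BIN is an
# assumed pfSense 2.0 location; pass the package-generated snort.conf.

SNORT_BIN=${SNORT_BIN:-/usr/local/bin/snort}

# Print the basename of every "include .../<category>.rules" line in a snort.conf.
list_rule_categories() {
    awk '/^include[[:space:]]+.*\.rules[[:space:]]*$/ { n = split($2, p, "/"); print p[n] }' "$1"
}

# Copy conf $1 to $3, keeping every non-rule line (vars, preprocessors,
# classification.config ...) but only the rules include whose basename is $2.
conf_with_only_category() {
    awk -v keep="$2" '
        /^include[[:space:]]+.*\.rules[[:space:]]*$/ {
            n = split($2, p, "/"); if (p[n] != keep) next
        }
        { print }
    ' "$1" > "$3"
}

# Default check: Snort's config test; a non-zero exit means it would not start.
snort_conf_ok() {
    "$SNORT_BIN" -q -T -c "$1"
}

# Test each category alone and print the ones failing check $2 (default snort_conf_ok).
failing_categories() {
    conf=$1 check=${2:-snort_conf_ok}
    tmp=$(mktemp)
    for category in $(list_rule_categories "$conf"); do
        conf_with_only_category "$conf" "$category" "$tmp"
        if ! "$check" "$tmp" >/dev/null 2>&1; then
            printf '%s\n' "$category"
        fi
    done
    rm -f "$tmp"
}

# Constructed stand-in for a package-generated snort.conf (made up for the demo).
write_sample_conf() {
    cat > "$1" <<'EOF'
var HOME_NET any
var RULE_PATH /usr/local/etc/snort/rules
preprocessor stream5_global: track_tcp yes
include classification.config
include $RULE_PATH/emerging-scan.rules
include $RULE_PATH/snort_exploit.rules
include $RULE_PATH/snort_web_client.rules
include $RULE_PATH/snort_p2p.rules
EOF
}

# On the firewall, against the conf the package wrote for your interface:
#   failing_categories /path/to/that/snort.conf
# then, for each name printed, build the single-category conf with
# conf_with_only_category and run "$SNORT_BIN -T -c" on it to see the error.
```

Testing one category at a time keeps the preprocessor and variable lines intact, which matters because a rule that references http_inspect or stream5 keywords only fails when the matching preprocessor is configured differently, so stripping the conf down to nothing but includes would report failures that have nothing to do with the rule set.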
              • valshare

                Hi,

                If snort_p2p.rules is enabled, snort doesn't start either. There are many other rules that don't work.

                Regards,

                Valle

                • eri--

                  More fixes went in, reinstall again.

                  • valshare

                    Hi,

                    have reinstalled snort after your post.

                    Now I get a

                    Parse error: syntax error, unexpected '}' in /usr/local/www/snort/snort_download_rules.php on line 481

                    when I want to update the rule set.

                    I have deleted the '}' in line 481 and the script works.

                    Regards, Valle

                    • eri--

                      Continue on the other thread please.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.