Snort - ET Rules not available for LAN interface



  • I have snort 2.9.0.5 pkg v. 2.0 on pfsense 2.0 release.  I've had it working fine on my WAN interface using both the ET and snort rules.  I recently started monitoring my LAN interface and it's working fine EXCEPT that for some reason I cannot seem to get the Emerging Threats categories available under the interface options.  All the snort rules show up fine and are working correctly, however the rules I really want to use on the LAN are in the ET categories.  I've tried updating the rules, recreating the interface monitor, disabling / enabling ET downloads and I still can't get it to show up.  I am at a loss here.  I can't find any logs giving me any errors or anything.

    Anybody have any ideas to maybe help point me in the right direction?



  • I had the same issue.  In the end, I decided I didn't need Snort running on my LAN interface. But I had a lot of weirdness getting the right rules in the right places, e.g. I had the same problem on my WAN interface too, on one of my pfSense 2.0 boxes, but not its mirror copy. For the WAN interface I found the rules were in a subdir of the rules directory also called rules.  So I just copied everything in /usr/local/etc/snort/snort_XXXXX_XXX/rules/rules to /usr/local/etc/snort/snort_XXXXX_XXX/rules/ and then removed the subdirectory.  Seemed to work for me.  YMMV.  Sounds like a bug that can happen under some circumstances…

    P.S. Another solution to this or another problem (I forget how I solved each problem as there have been several) was to remove the md5 file for e.g. emerging.rules.tar.gz.md5 or snortrules-snapshot-2905.tar.gz.md5 and then run an update.  Then it will fetch a new copy of the rules and extract it.  Again, YMMV.

    Let me know if either of these work for you.
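
The two workarounds from the reply above, as an added shell example that is not part of the original posts or of the Snort package. The function names are hypothetical, the default base path is the one quoted in the reply, and the directory holding the .md5 files is passed as an argument because the reply does not say where they live.

```shell
#!/bin/sh
# Added example: find and repair a nested rules/rules directory in the
# per-interface Snort directories (snort_* under the base directory).
# Default base path is the one quoted in the thread; override to test.
SNORT_BASE="${SNORT_BASE:-/usr/local/etc/snort}"

# Print each interface directory whose rules/ holds a nested rules/ subdir.
find_nested_rules() {
    base="$1"
    for iface in "$base"/snort_*; do
        if [ -d "$iface/rules/rules" ]; then
            printf '%s\n' "$iface"
        fi
    done
    return 0
}

# Copy the nested directory's contents up one level, then remove it,
# mirroring the manual fix in the reply (existing files are overwritten).
flatten_rules() {
    iface="$1"
    nested="$iface/rules/rules"
    [ -d "$nested" ] || return 0
    cp -Rp "$nested"/. "$iface/rules/" || return 1
    rm -rf "$nested"
}

# Remove the cached checksum files so the next rule update downloads and
# extracts fresh tarballs. The glob generalizes the snapshot name in the
# reply (snortrules-snapshot-2905.tar.gz.md5) to other snapshot versions.
clear_rule_md5() {
    dir="$1"
    rm -f "$dir"/emerging.rules.tar.gz.md5 \
          "$dir"/snortrules-snapshot-*.tar.gz.md5
}

# Report by default; repair only when invoked with --fix.
# (Assumes interface directory names contain no whitespace.)
for d in $(find_nested_rules "$SNORT_BASE"); do
    echo "nested rules directory: $d/rules/rules"
    if [ "${1:-}" = "--fix" ]; then
        flatten_rules "$d"
    fi
done
```

After a repair, run a rules update from the package so the interface's category list is rebuilt from the corrected directory.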

