Snort - ET Rules not available for LAN interface
-
I have Snort 2.9.0.5 pkg v. 2.0 on pfSense 2.0 release. I've had it working fine on my WAN interface using both the ET and Snort rules. I recently started monitoring my LAN interface and it's working fine EXCEPT that for some reason I cannot seem to get the Emerging Threats categories available under the interface options. All the Snort rules show up fine and are working correctly, however the rules I really want to use on the LAN are in the ET categories. I've tried updating the rules, recreating the interface monitor, disabling / enabling ET downloads and I still can't get it to show up. I am at a loss here. I can't find any logs giving me any errors or anything.
Anybody have any ideas to maybe help point me in the right direction?
-
I had the same issue. In the end, I decided I didn't need Snort running on my LAN interface. But I had a lot of weirdness getting the right rules in the right places, e.g. I had the same problem on my WAN interface too, on one of my pfSense 2.0 boxes, but not its mirror copy. For the WAN interface I found the rules were in a subdir of the rules directory also called rules. So I just copied everything in /usr/local/etc/snort/snort_XXXXX_XXX/rules/rules to /usr/local/etc/snort/snort_XXXXX_XXX/rules/ and then removed the subdirectory. Seemed to work for me. YMMV. Sounds like a bug that can happen under some circumstances…
P.S. Another solution to this or another problem (I forget how I solved each problem as there have been several) was to remove the md5 file for e.g. emerging.rules.tar.gz.md5 or snortrules-snapshot-2905.tar.gz.md5 and then run an update. Then it will fetch a new copy of the rules and extract it. Again, YMMV.
Let me know if either of these work for you.
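
The following is an added example, not part of either post: a POSIX sh check for the nested rules/rules layout described in the reply, which leaves an interface running without the ET signatures it is supposed to enforce. The function names are hypothetical, the base path is the one quoted in the reply, and the `emerging-*.rules` file naming for ET categories is an assumption.

```shell
#!/bin/sh
# Added example: audit per-interface Snort rule directories.
# Assumption: ET category files are named emerging-*.rules.

# audit_iface DIR: 0 = ET rules present, 1 = nested rules/rules found,
#                  2 = no ET rule files, 3 = no rules directory at all
audit_iface() {
    dir="$1/rules"
    [ -d "$dir" ] || { echo "missing: $dir"; return 3; }
    if [ -d "$dir/rules" ]; then
        echo "nested: $dir/rules"
        return 1
    fi
    if ! ls "$dir"/emerging-*.rules >/dev/null 2>&1; then
        echo "no-et: $dir"
        return 2
    fi
    echo "ok: $dir"
    return 0
}

# flatten_iface DIR: move files up out of rules/rules without overwriting
# anything already in rules/, then remove the subdirectory if it is empty.
flatten_iface() {
    dir="$1/rules"
    nested="$dir/rules"
    [ -d "$nested" ] || return 0
    for f in "$nested"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        if [ -e "$dir/$name" ]; then
            echo "skip (exists): $dir/$name" >&2
            continue
        fi
        mv "$f" "$dir/$name"
    done
    rmdir "$nested" 2>/dev/null || { echo "not empty: $nested" >&2; return 1; }
}

# audit_all ROOT: report every snort_* interface directory under ROOT.
audit_all() {
    root="${1:-/usr/local/etc/snort}"
    for d in "$root"/snort_*; do
        if [ -d "$d" ]; then audit_iface "$d" || true; fi
    done
}

if [ "$#" -gt 0 ]; then audit_all "$1"; fi
```

Run it with the Snort configuration directory as the argument to list each interface's status; `flatten_iface` is only called explicitly, on a directory reported as nested.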