PfSense and Snort VRT Subscription



  • I was successfully using a basic, free Snort oinkmaster subscription with pfsense 2.0.1-release.  However, I recently purchased a Snort VRT one-year subscription, though I noticed my oinkmaster code itself didn't change after the VRT subscription was purchased.  Is there anything special that needs to be done in pfsense in order to utilize a VRT subscription, or does Snort recognize that a given oinkmaster code has been flagged for VRT?  Thanks.


  • Rebel Alliance Developer Netgate

    I haven't looked lately but a while back when I helped someone set this up, there was a checkbox or drop-down that specified the VRT rules. The download URL was different.

    Snort changes their URLs and download schemes so often it's hard to keep track; it may still be the same or they may auto-detect like you speculate.



  • Thanks Jimp for the response.  If there's any way you could assist, it would be much appreciated.  I believe the URL for their Sourcefire VRT rules may be different but I wasn't sure where to edit this manually in the snort.conf (or elsewhere)?  However I did notice in pf 2.0.1-release within the Snort service there's a radio button for 'basic or premium' but only a single oink code can be entered.  Am sure others would benefit from this though I'm the only one that has asked the question (old topics have since been closed).


  • Rebel Alliance Developer Netgate

    The oink code is the same - it's your URL that changes, and that radio button makes it use the premium URL instead of the basic. So that's what you need to set.



  • Jimp, in the Snort settings, there is a radio button with only two possible settings.  1.) do not install snort updates or 2.) install the basic or premium updates.  After that there is a dialog box for your oinkcode (which remains constant regardless of whether you have a basic or VRT/paid membership).  I currently have it set to option #2 and have the same oink code entered as I did for my basic membership.  It is pulling down updates, only the VRT categories aren't among them.

    In other words, there is no option to change the update URL for basic vs. VRT membership.  Unless this is hiding in a config file within 2.0.1-release?



  • Sourcefire (snort.org) takes care of everything dynamically, we don't need no special URLs.

    If you have premium rules they will send you the premium rules tar file, else you get the basic rules tar file.

    Reference
    http://www.snort.org/snort-rules/cli

    Robert



  • Thank you Jamesdean for clarifying how the pfsense snort package handles Sourcefire VRT/premium rules subscriptions.

