Not Sure If Snort is Updating Rules?



  • Hi all,

    I'm using Snort 2.9.2.3 pkg v. 2.5.1 on i386 2.0.1 full install and I'm thinking that my snort rules are not updating.

    I'm noticing the md5 hash in Snort, Services does not seem to change unless I manually update. (hash seems not to have changed for at least 1 week from my manual checking)

    At present from approx 8 hours ago my MD5 = 96bb8a91e84c198cc3255369f33bebde

    I've set snort to auto update every 12 hours and it seems to run at 12:00 and 00:00

    If the auto update runs all I find in the system logs is:

    Aug 31 12:04:11 php: : Snort rules are up to date…

    If I run the update manually the system logs fill up as normal:

    Aug 31 03:32:43 snort[62750]: 
    Aug 31 03:32:43 snort[62750]: 
    Aug 31 03:32:43 snort[62750]: --== Reload Complete ==--
    Aug 31 03:32:43 snort[62750]: --== Reload Complete ==--
    Aug 31 03:32:43 snort[62750]: 
    Aug 31 03:32:43 snort[62750]: 
    Aug 31 03:32:42 snort[62750]: [ Number of null byte prefixed patterns trimmed: 36 ]
    Aug 31 03:32:42 snort[62750]: [ Number of null byte prefixed patterns trimmed: 36 ]
    Aug 31 03:32:42 snort[62750]: +-------------------------------------------------
    Aug 31 03:32:42 snort[62750]: +-------------------------------------------------
    Aug 31 03:32:42 snort[62750]: | Transitions : 1.06M

    etc etc

    I do have pfblocker installed as well but that is not showing anything being blocked at the snort update times.

    Can anyone shed some light on whether my snort is auto updating or not?

    Thanks for any input.

    Regards.



  • Yes, something is wrong with that on my system too.
    I am not sure if it is just the MD5 Hash that does not get updated in the GUI. Manual update works.

    Greets, Judex



  • Hi again,

    Well after last night's midnight update my logs are showing:

    Sep 1 00:03:48 php: : Snort rules are up to date…

    and the MD5 hash = 96bb8a91e84c198cc3255369f33bebde

    Have just run a manual update; now the MD5 hash has changed to: 1bb7cbab0409c8eeb83e2e2b8414edda and also the system logs are showing the normal output after an upgrade.

    Still cannot figure out whether auto update is fully working or not.  I've not made any changes or installed other packages since my snort install.

    Cheers



  • Just check the dates of the files at:
    /usr/local/etc/snort/signatures



  • Over the Labor Day weekend, the rules did not change for a few days on Snort.org.  So that is why the Snort rules did not update.

    However, I am seeing another random problem with Snort rules updates only from the cron job.  I have a Snort subscription and have the rules updating every 12 hours.  Anytime I manually run the update, it works fine.  However, I have noticed that the 12-hour cron jobs never update the Snort rules.  They will update the Emerging Threats rules.  The Snort rules print out the "…you may check for updates every 15 minutes..." message to the logs.

    Doing some experimentation, I've found that the cron job process is unable to reliably read the Oinkmaster code from the config file.  I added some code to print the "oinkid" variable from the rules update code to the log file, and it will be blank when run from the cron job.  That is why the Snort update fails (the blank Oinkmaster code results in an improperly constructed URL).  When run manually from within the GUI, the Oinkmaster code is always read correctly (and of course the Snort rules updates succeed when run from the GUI).

    I'm not a PHP guru, but I wonder if this is because the cron job is running without the entire "context" of the GUI application.  Could it be missing something when trying to do the config file read to get the Oinkmaster code?



  • Hi all,

    Apologies for going quiet, was unexpectedly away for a time.

    Well to be honest now I think the update behaviour (well at least for my install) is correct.

    I checked out the snort.org page which lists the updates available and the MD5 hash for them.  I assumed that updates were released every day but it seems if you are using the free oink code it can be every 1, 2, 3 or more days before an update is released.

    Hence snort reporting it is up to date over a period of a few days, and I could see that after snort.org updated for the free oink users my snort installation updated accordingly.

    bmeeks….wish I could help you with your issue but I'm a caveman when it comes to digging into freebsd to the extent you have.

    Thx



    True that the "free" or "registered user" rules are updated much less frequently than the "paid" or "subscriber" rules are.  The subscription rules are generally updated daily except across weekends.

    I can definitely report the behavior with the cron job rules update is consistent if you logout of the GUI and wait for the job to run.  Apparently the various values from the config.xml file are normally stored in an array variable called "$config" within the GUI.  The cron job now uses the same PHP page to perform its rule updates as the GUI manual method does, and the values are supposed to be available within that "$config" array variable (it's a global array, apparently).  Looks to me that once you log out of the GUI and any cached info expires, the cron job is then left with no values in the "$config" array.  One of those missing values is the Oinkmaster Code to use for the rule download.  With that parameter missing, the rules download does not happen.

    It seems that if you change the time the cron job is to run, and you hold an active web session open during the scheduled cron run, then everything works fine.  My guess is this happens because the "$config" array is still populated with an active GUI session.

    This will probably need Ermal to take a look and see if it can be fixed.
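
The two posts above describe the same failure mode: when the updater runs from cron, the Oinkmaster code read from config is blank, the download URL is built anyway, and the run ends with a misleading "up to date" style message. The following is an added example, not code from the pfSense Snort package or from snort.org, that re-creates the update decision offline and adds the check the cron path was missing: refuse to build a URL with an empty code, compare the remote .md5 against the stored one, and verify the tarball digest before installing. The config element names, the snort.org URL layout and the .md5 file format are assumptions for the example; the config fragment, tarball bytes and .md5 text are constructed stand-ins.

```python
"""Added example, not code from the pfSense Snort package or from snort.org.

Offline re-creation of the rule-update decision discussed in the thread:
read the Oinkmaster code from config, refuse to proceed when it is blank
(the cron-path failure bmeeks describes), compare the remote .md5 against
the stored one, and verify the downloaded tarball before using it.

Assumptions (not from the page): the config element names, the snort.org URL
layout and the .md5 file format are illustrative placeholders.
"""
import hashlib
import re
import xml.etree.ElementTree as ET

SNORT_VERSION = "2923"  # 2.9.2.3, written the way the snapshot file name does

# Constructed config.xml fragment; element names are an assumption.
SAMPLE_CONFIG_XML = """<pfsense>
  <installedpackages>
    <snortglobal>
      <oinkmastercode>0123456789abcdef0123456789abcdef01234567</oinkmastercode>
      <snort_md5_check>96bb8a91e84c198cc3255369f33bebde</snort_md5_check>
    </snortglobal>
  </installedpackages>
</pfsense>
"""

# Constructed stand-ins for what the updater would fetch from snort.org.
SAMPLE_TARBALL = b"constructed stand-in for snortrules-snapshot-2923.tar.gz"
SAMPLE_REMOTE_MD5 = (
    f"MD5 (snortrules-snapshot-{SNORT_VERSION}.tar.gz) = "
    + hashlib.md5(SAMPLE_TARBALL).hexdigest()
)

HEX32 = re.compile(r"\b[0-9a-fA-F]{32}\b")


def read_setting(config_xml, name):
    """Return a <snortglobal> setting, or "" when it is missing or empty."""
    root = ET.fromstring(config_xml)
    node = root.find(f"./installedpackages/snortglobal/{name}")
    return (node.text or "").strip() if node is not None else ""


def build_rules_url(oinkcode, version=SNORT_VERSION):
    """Build the snapshot URL; raise rather than emit one with an empty code."""
    if not oinkcode:
        raise ValueError("Oinkmaster code is blank; refusing to build rules URL")
    if not re.fullmatch(r"[0-9a-fA-F]+", oinkcode):
        raise ValueError("Oinkmaster code contains unexpected characters")
    # URL layout is an assumption for this example, not the real snort.org path.
    return (f"https://www.snort.org/pub-bin/oinkmaster.cgi/"
            f"{oinkcode}/snortrules-snapshot-{version}.tar.gz")


def parse_md5_file(text):
    """Accept either a bare hash or the 'MD5 (file) = hash' layout."""
    m = HEX32.search(text)
    if not m:
        raise ValueError("no MD5 digest found in remote .md5 file")
    return m.group(0).lower()


def needs_update(stored_md5, remote_md5_text):
    """True when the published digest differs from the one stored in config."""
    return parse_md5_file(remote_md5_text) != stored_md5.lower()


def verify_tarball(data, expected_md5):
    """Check the fetched bytes against the published digest before installing."""
    return hashlib.md5(data).hexdigest() == expected_md5.lower()


def decide_update(config_xml, remote_md5_text, tarball):
    """Walk the update decision; return a status string in the style of the logs."""
    oinkcode = read_setting(config_xml, "oinkmastercode")
    url = build_rules_url(oinkcode)  # raises on a blank code instead of fetching
    stored = read_setting(config_xml, "snort_md5_check")
    if not needs_update(stored, remote_md5_text):
        return "Snort rules are up to date"
    remote = parse_md5_file(remote_md5_text)
    if not verify_tarball(tarball, remote):
        raise RuntimeError(f"digest mismatch for {url}; not installing")
    return f"updated to {remote}"


if __name__ == "__main__":
    print(decide_update(SAMPLE_CONFIG_XML, SAMPLE_REMOTE_MD5, SAMPLE_TARBALL))
    # Simulate the cron-path problem: the code comes back empty from config.
    blank = SAMPLE_CONFIG_XML.replace(
        "0123456789abcdef0123456789abcdef01234567", "")
    try:
        decide_update(blank, SAMPLE_REMOTE_MD5, SAMPLE_TARBALL)
    except ValueError as exc:
        print("cron-style run with empty code:", exc)
```

The point of `build_rules_url` raising is that an empty path segment otherwise produces a request that fails quietly and gets reported as "up to date", which is exactly the symptom in the thread; logging the `oinkmastercode` value the cron run actually read, as bmeeks did, is the quickest way to tell the two cases apart on a real box.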

