Netgate Discussion Forum

    SNORT will not update rules from SNORT.ORG but does update emerging threats

    pfSense Packages
    6 Posts 3 Posters 1.8k Views
    MHzTweaker

      First of all, I am not a Unix person and have no knowledge of its workings.
      I have installed the latest version of pfSense with the snort and squid3 packages.

      I finally managed to get the emerging threats rules to update after a LOT of trial and error.

      I got the oinkcode from snort and placed it at the end of the file name with the full path to the proper version of the file at snort.org

      Still the registered user updates do not work

      Any ideas?

      Topper727

        Here is my setup. I believe maybe you don't have the settings right. Look at mine and see if you can get yours to work.

        Install Snort.org rules

        • Do NOT Install

        • Install Basic Rules or Premium rules  (use this option)

        This is the part that I think you might have missed. See the image to verify.

        ![Snap 2013-04-09 at 16.41.41.png](/public/imported_attachments/1/Snap 2013-04-09 at 16.41.41.png)

        Dell 2950 g3 server
        Intel(R) Xeon(R) CPU E5430 @ 2.66GHz
        Current: 2000 MHz, Max: 2667 MHz
        8 CPUs: 2 package(s) x 4 core(s)
        8152 MiB and 600meg 10k drive
        Pfsense 2.4 .. Hoping to get the phpvirtualbox going again.

        bmeeks

          Topper727 is correct.  Just put your actual Oinkcode itself in the text box.  No URL and no filename.  Snort has all of that "under the cover" within the software itself on pfSense.  Your Oinkcode is auto-magically evaluated by the Snort.org website and grants you access to the rules.

          I've been working on a Quick Setup How-To guide for Snort on pfSense updated to show the new screens and features.  Not finished with it yet.

          Bill

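The mistake discussed above (a URL or filename with the Oinkcode tacked on the end, instead of the bare code) is easy to catch before the package ever tries a download. The following is an added example, not code from the pfSense Snort package or from anyone in this thread. It assumes a Snort.org Oinkcode is a 40-digit hexadecimal token; the URL in the sample inputs is a constructed placeholder, not a real Snort.org path.

```python
import re

# Assumption (not stated on the page): a Snort.org Oinkcode is a 40-digit
# hexadecimal token. The pfSense Snort package builds the download URL itself,
# so the Oinkcode field must hold only that token, nothing else.
OINKCODE_RE = re.compile(r"[0-9a-fA-F]{40}")


def parse_oinkcode(value):
    """Return (code, note) for a value typed into the Oinkcode field.

    code is the bare lower-case Oinkcode, or None if nothing usable was found.
    note says what was wrong so the user knows what to fix.
    """
    text = value.strip()
    if OINKCODE_RE.fullmatch(text):
        return text.lower(), "ok"

    found = OINKCODE_RE.findall(text)
    looks_like_path = "://" in text or "/" in text or "?" in text
    if len(found) == 1 and looks_like_path:
        # The classic mistake from the thread: a full URL or filename with the
        # code appended. The code itself is salvageable; the rest is not wanted.
        return found[0].lower(), "code was embedded in a URL or path; enter only the code"
    if len(found) > 1:
        return None, "more than one 40-hex token present; ambiguous"
    if not text:
        return None, "field is empty"
    return None, "not a 40-character hexadecimal Oinkcode"


if __name__ == "__main__":
    # Constructed inputs; the URL is a placeholder, not a real Snort.org path.
    samples = [
        "0123456789abcdef0123456789abcdef01234567",
        "https://rules.example/snortrules-snapshot.tar.gz/0123456789abcdef0123456789abcdef01234567",
        "my-oinkcode",
    ]
    for s in samples:
        print(repr(s), "->", parse_oinkcode(s))
```

Run it as a script to see how each sample is classified; the second sample is the exact shape of the value that kept the Snort.org download from working in this thread, and the function pulls the usable code out of it while telling the user to drop the rest.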
          MHzTweaker

            @Topper727:

            Here is my setup. I believe maybe you don't have the settings right. Look at mine and see if you can get yours to work.

            Install Snort.org rules

            • Do NOT Install

            • Install Basic Rules or Premium rules  (use this option)

            This is the part that I think you might have missed. See the image to verify.

            Yeah, I did this the first several times and it just was not working. I must have removed and installed the package like 20 times. Finally I started playing with the "Edit Interface" button and suddenly the ET rules updated, but not the SNORT rules. I just did not change the oinkcode back to just the code from the full file path I had eventually used. Someone's tutorial somewhere had the full path name with the oinkcode at the end, which is why I did this after I had no luck with just the code.

            Needless to say, now it is working of course.  Thank you.

            I will say I selected ALL the rules and my memory usage jumped from 20% to 80% with my 2 GB of Corsair LLPRO DDR RAM.
            I am running on an ASUS A8N-SLI board with an Opteron 180 dual core overclocked to 2.7 GHz.
            I am thinking about going to get a cheap Kingston SSDNow V300 120 GB SSD for $90 to maybe perk things up a little bit. I currently have an old 80 GB SATA drive installed. I also had the thought of replacing the mobo/RAM/CPU with a Z77/i5-3770K CPU/16 GB RAM.

            I currently use a pair of Intel EXPI9301CT PCI-Express Gigabit Network Cards for the LAN and WAN interfaces

            This has been new and exciting so far. I have only been working with it for 3 days and spend a great deal of time learning about this wonderful piece of software.

            bmeeks

              All Rules is probably a bit much.  My suggestion, if you are new to Snort, is to use the Snort VRT rules and then on the Categories tab do the following:

              Enable Flowbit-Auto Resolution (very important)
              Select the IPS Policy checkbox and then choose Connectivity in the drop-down.  This is a good starter policy to get your feet wet.
              Click Save.

              Next, go to the Preprocessors tab and enable all the preprocessors except Sensitive Data and the two SCADA ones at the bottom.  You can enable Sensitive Data if you want, but be prepared for lots of alerts!
              Click Save at the bottom of this page.

              I would not recommend "blocking offenders" at first.  That setting is on the Edit Interface tab.  Let it cook for a day or two and keep an eye on the Alerts tab to see what it logs.  When you get a good feel for that, you can try the Balanced policy on the Categories tab.  It is a bit more restrictive.

              Also be prepared to see a ton of HTTP_INSPECT alerts complaining about all sorts of stuff.  Most of these are in fact harmless and are simply due to web sites not always following the standards.  You can completely disable HTTP_INSPECT alerts, but still get the protocol normalization other rules need, if you check the box on the Preprocessors tab in the HTTP_INSPECT section to disable alerts.

              Bill

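The IPS Policy selector that the advice above points at works off tags that the Snort VRT rules carry in their metadata, of the form `metadata:policy connectivity-ips drop, policy balanced-ips drop, policy security-ips drop`: Connectivity is the smallest set, Balanced is larger and Security the largest, and every rule in a smaller policy is also tagged with the larger ones. The following is an added example and not the pfSense package's own code (which is PHP); it sketches in Python what choosing a policy amounts to, over a handful of constructed rules with made-up content and local-range SIDs whose only realistic part is the metadata layout. Whether the package enables a rule the rules file ships commented out is an assumption made here for illustration.

```python
import re

# Constructed sample rules in Snort VRT style. The SIDs are from the local
# range and the content is made up; only the metadata layout mirrors real rules.
SAMPLE_RULES = """\
# A plain comment line, ignored.
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE in all three policies"; flow:to_server,established; content:"foo"; metadata:policy balanced-ips drop, policy connectivity-ips drop, policy security-ips drop, service http; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"EXAMPLE in balanced and security"; flow:to_server,established; content:"bar"; metadata:policy balanced-ips drop, policy security-ips drop, service http; sid:1000002; rev:1;)
# alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"EXAMPLE security only, shipped commented out"; content:"baz"; metadata:policy security-ips alert, service ssl; sid:1000003; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"EXAMPLE with no policy metadata"; content:"qux"; metadata:service smtp; sid:1000004; rev:1;)
"""

ACTIONS = ("alert", "drop", "pass", "log", "sdrop", "reject")
POLICY_RE = re.compile(r"policy\s+(?P<name>[a-z]+-ips)\s+(?P<action>alert|drop)")
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def rule_body(line):
    """Return the rule text with any leading '#' removed, or None if not a rule."""
    stripped = line.strip().lstrip("#").strip()
    if stripped.split(" ", 1)[0] in ACTIONS and "(" in stripped:
        return stripped
    return None


def policies_for(rule):
    """Map policy name -> action ('alert' or 'drop') from a rule's metadata."""
    return {m.group("name"): m.group("action") for m in POLICY_RE.finditer(rule)}


def select_by_policy(rules_text, policy):
    """Return {sid: (action, rule)} for every rule tagged with `policy`.

    Commented-out rules are enabled if the policy lists them (an assumption
    about package behaviour); rules without the tag are left out.
    """
    selected = {}
    for line in rules_text.splitlines():
        rule = rule_body(line)
        if rule is None:
            continue
        tags = policies_for(rule)
        sid = SID_RE.search(rule)
        if policy in tags and sid:
            selected[int(sid.group(1))] = (tags[policy], rule)
    return selected


def policy_sids(rules_text, policy):
    """Just the SIDs a policy would enable, for comparing policy sizes."""
    return set(select_by_policy(rules_text, policy))


if __name__ == "__main__":
    for name in ("connectivity-ips", "balanced-ips", "security-ips"):
        print(name, sorted(policy_sids(SAMPLE_RULES, name)))
```

Over the sample, Connectivity enables one rule, Balanced two and Security three, while the rule with no policy tag is enabled by none of them; that nesting is why the advice is to start on Connectivity, watch the Alerts tab, and only then step up to Balanced.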
              Topper727

                I would like to make a note. SSDs for caching are not the best option. They have a limited number of write cycles and you could kill the SSD with cache. Not sure how long before that would happen, but it will. You will get good speed but a short life.


                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.