SNORT will not update rules from SNORT.ORG but does update emerging threats



  • First of all I am not a Unix person and have no knowledge of its workings.
    I have installed the latest version of pfSense with the snort and squid3 packages

    I finally managed to get the emerging threats rules to update after a LOT of trial and error.

    I got the oinkcode from snort and placed it at the end of the file name with the full path to the proper version of the file at snort.org

    Still the registered user updates do not work

    Any ideas?



  • Here is my setup.  I believe maybe you don't have the setting right.  Look at mine and see if you get yours to work.

    Install Snort.org rules

    • Do NOT Install

    • Install Basic Rules or Premium rules  (use this option)

    This is the part that I think you might have missed.  See image to verify

    ![Snap 2013-04-09 at 16.41.41.png](/public/imported_attachments/1/Snap 2013-04-09 at 16.41.41.png)



  • Topper727 is correct.  Just put your actual Oinkcode itself in the text box.  No URL and no filename.  Snort has all of that "under the cover" within the software itself on pfSense.  Your Oinkcode is auto-magically evaluated by the Snort.org website and grants you access to the rules.

    I've been working on a Quick Setup How-To guide for Snort on pfSense updated to show the new screens and features.  Not finished with it yet.

    Bill
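    To illustrate the point Bill makes above (the box wants the bare Oinkcode; the package builds the snort.org download URL itself), here is an added example, not code from the pfSense Snort package. It assumes a 40-character hex Oinkcode and a placeholder rules URL; both are assumptions for illustration.

    ```python
    import hashlib
    import re
    from urllib.parse import parse_qs, urlencode, urlparse

    # Assumption: the package appends "?oinkcode=<code>" to a fixed snapshot URL.
    # The real snapshot filename is version-specific; EXAMPLE is a placeholder.
    RULES_BASE = "https://www.snort.org/rules/snortrules-snapshot-EXAMPLE.tar.gz"

    # Assumption: an Oinkcode is 40 lowercase hex characters.
    OINKCODE_RE = re.compile(r"[0-9a-f]{40}")


    def normalize_oinkcode(field: str) -> str:
        """Return the bare Oinkcode from whatever was pasted into the text box.

        Accepts the correct input (the code alone) and the mistake from the
        thread (a full snort.org URL/path with the code appended, as a query
        parameter or as the last path segment). Anything else is rejected.
        """
        s = field.strip()
        if OINKCODE_RE.fullmatch(s):
            return s
        # Treat the rest as a URL; tolerate a missing scheme ("www.snort.org/...").
        u = urlparse(s if "://" in s else "https://" + s)
        query_code = parse_qs(u.query).get("oinkcode", [""])[0]
        if OINKCODE_RE.fullmatch(query_code):
            return query_code
        last_segment = u.path.rstrip("/").rsplit("/", 1)[-1]
        if OINKCODE_RE.fullmatch(last_segment):
            return last_segment
        raise ValueError("field does not contain a valid Oinkcode")


    def build_rules_url(oinkcode: str) -> str:
        """Build the download URL the way the package is assumed to: base + code."""
        return f"{RULES_BASE}?{urlencode({'oinkcode': oinkcode})}"


    def redact(oinkcode: str) -> str:
        """The Oinkcode is a credential for your snort.org account: log a digest, not the code."""
        return "oinkcode:sha256:" + hashlib.sha256(oinkcode.encode()).hexdigest()[:12]


    if __name__ == "__main__":
        pasted = "https://www.snort.org/rules/snortrules-snapshot-EXAMPLE.tar.gz?oinkcode=" + "ab" * 20
        code = normalize_oinkcode(pasted)   # constructed sample input
        print(redact(code), build_rules_url(code))
    ```

    Pasting the whole URL into the box would have produced a download URL with a URL-encoded URL inside its query string, which is why only the ET rules (which need no code) updated.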



  • @Topper727:

    Here is my setup.  I believe maybe you don't have the setting right.  Look at mine and see if you get yours to work.

    Install Snort.org rules

    • Do NOT Install

    • Install Basic Rules or Premium rules  (use this option)

    This is the part that I think you might have missed.  See image to verify

    Yeah, I did this the first several times and it just was not working. I must have removed and installed the package like 20 times. Finally I started playing with the "Edit Interface" button and suddenly the ET rules updated but not the SNORT rules. I just did not change the oinkcode back to just the code from the full file path I had eventually used. Someone's tutorial somewhere had the full path name with the oinkcode at the end which is why I did this after I had no luck with just the code.

    Needless to say, now it is working of course.  Thank you.

    I will say I selected ALL the rules and my memory usage jumped from 20% to 80% with my 2GB Corsair LLPRO DDR RAM.
    I am running on an ASUS A8N-SLI board with an Opteron 180 dual core overclocked to 2.7GHz.
    I am thinking about going to get a cheap Kingston SSDNow V300 120GB SSD for $90 to maybe perk things up a little bit. I currently have an old 80GB SATA drive installed. I also had the thought of replacing the mobo/RAM/CPU with a Z77/i5-3770K CPU/16GB RAM.

    I currently use a pair of Intel EXPI9301CT PCI-Express Gigabit Network Cards for the LAN and WAN interfaces

    This has been new and exciting so far. I have only been working with it for 3 days and have spent a great deal of time learning about this wonderful piece of software.



  • All Rules is probably a bit much.  My suggestion, if you are new to Snort, is to use the Snort VRT rules and then on the Categories tab do the following:

    Enable Flowbit-Auto Resolution (very important)
    Select the IPS Policy checkbox and then choose Connectivity in the drop-down.  This is a good starter policy to get your feet wet.
    Click Save.

    Next, go to the Preprocessors tab and enable all the preprocessors except Sensitive Data and the two SCADA ones at the bottom.  You can enable Sensitive Data if you want, but be prepared for lots of alerts!
    Click Save at the bottom of this page.

    I would not recommend "blocking offenders" at first.  That setting is on the Edit Interface tab.  Let it cook for a day or two and keep an eye on the Alerts tab to see what it logs.  When you get a good feel for that, you can try the Balanced policy on the Categories tab.  It is a bit more restrictive.

    Also be prepared to see a ton of HTTP_INSPECT alerts complaining about all sorts of stuff.  Most of these are in fact harmless and are simply due to web sites not always following the standards.  You can completely disable HTTP_INSPECT alerts, but still get the protocol normalization other rules need, if you check the box on the Preprocessors tab in the HTTP_INSPECT section to disable alerts.

    Bill



  • I would like to make a note. SSDs for caching are not the best option. They have a limited number of write cycles and you could kill the SSD with cache. Not sure how long before that would happen, but it will.  You will get good speed but a short life.

