Rules Download with Snort 2.9.4.6 pkg v2.6.0 / pfsense 2.1



  • I recently updated to 2.1, followed by an update to Snort. The system is performing smoothly; however, rules are not being updated automatically. I tried reinstalling Snort with no change. Changing the frequency of the updates 6HRs/12HRs has no effect (still no auto updating).

    Manually updating rules works fine.

    Automatic rules downloads worked fine under the previous version of pfsense/snort.

    Any suggestions for troubleshooting/resolving would be appreciated.

    Thanks!



  • Looking at Snort.org it seems like the last Snort VRT rules upgrade is from the 26th. I manually hit the update button this morning and there was an update for ET rules. The log suggests that auto updates are working, but there was nothing to update.

    What does the update log look like for you?



  • Recent log entries are below:

    Starting rules update...  Time: 2013-09-21 16:05:06
    Downloading Snort VRT md5 file...
    Checking Snort VRT md5 file...
    Snort VRT rules are up to date.
    The Rules update has finished.  Time: 2013-09-21 16:05:07

    Starting rules update...  Time: 2013-09-24 21:02:14
    Downloading Snort VRT md5 file...
    Checking Snort VRT md5 file...
    There is a new set of Snort VRT rules posted. Downloading...
    Done downloading rules file.
    Extracting and installing Snort VRT rules...
    Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
    Installation of Snort VRT rules completed.
    Copying new config and map files...
    Updating rules configuration for: WAN ...
    Updating rules configuration for: LAN1 ...
    Updating rules configuration for: LAN2 ...
    Restarting Snort to activate the new set of rules...
    Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2013-09-24 21:03:20

    Starting rules update...  Time: 2013-09-26 23:41:14
    Downloading Snort VRT md5 file...
    Checking Snort VRT md5 file...
    There is a new set of Snort VRT rules posted. Downloading...
    Done downloading rules file.
    Extracting and installing Snort VRT rules...
    Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
    Installation of Snort VRT rules completed.
    Copying new config and map files...
    Updating rules configuration for: WAN ...
    Updating rules configuration for: LAN1 ...
    Updating rules configuration for: LAN2 ...
    Restarting Snort to activate the new set of rules...
    Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2013-09-26 23:41:48

    Starting rules update...  Time: 2013-09-28 00:06:01
    Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
    Snort VRT md5 download failed.
    Server returned error code '504'.
    Snort VRT rules will not be updated.
    The Rules update has finished.  Time: 2013-09-28 00:07:28

    Starting rules update...  Time: 2013-09-28 00:10:05
    Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
    Checking Snort VRT md5 file...
    Snort VRT rules are up to date.
    The Rules update has finished.  Time: 2013-09-28 00:10:57

    Starting rules update...  Time: 2013-09-29 00:54:29
    Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
    Checking Snort VRT md5 file...
    Snort VRT rules are up to date.
    The Rules update has finished.  Time: 2013-09-29 00:54:30

    Starting rules update...  Time: 2013-09-29 10:35:34
    Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
    Checking Snort VRT md5 file...
    Snort VRT rules are up to date.
    The Rules update has finished.  Time: 2013-09-29 10:35:35

    Starting rules update...  Time: 2013-09-30 20:37:54
    Downloading Snort VRT md5 file 'snortrules-snapshot-2946.tar.gz.md5'...
    Checking Snort VRT md5 file...
    Snort VRT rules are up to date.
    The Rules update has finished.  Time: 2013-09-30 20:37:55


    Those were all manual updates. Under the previous snort version, the automatic attempts were showing up as well.



  • There are usually only two updates per week.  You can check the actual Snort site to verify.  There was a new update posted today (October 1).  They generally update on Tuesday and Thursday afternoons.

    I have personally found that updates are more reliable if you set the start time to 1:00 AM or later.  My suspicion is some backup or maintenance process on the Snort VRT servers frequently interferes with updates too close to midnight.

    Bill



  • Thank you Bill. I changed the update time to 0203 and will give it a week to see if the update actually occurs. If not, manual updates are not that much of a burden.



  • @java007md:

    Thank you Bill. I changed the update time to 0203 and will give it a week to see if the update actually occurs. If not, manual updates are not that much of a burden.

    The auto updates should "just work".  The only problem I encountered was back when mine were set for 00:03.  That was the old default in the package, and those would fail quite often for me (the Snort VRT updates, that is).  That's the main reason I added the option to choose other update start times.  Once I moved to something more than an hour past midnight, I have not had another problem.

    I don't remember ever having a problem with the Emerging Threats updates.

    Bill



  • To close this out (hopefully), the problem resolved itself after a power outage and restart of the pfsense box. Auto downloads appear to be working fine as expected. Thanks!
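As an added example (not part of any post in this thread, and not code from the pfSense Snort package): a small parser for the update-log format posted above that classifies each run and lists gaps between runs longer than the configured update interval. The function names and the abridged sample log are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Abridged from the update log posted in the thread.
SAMPLE_LOG = """\
Starting rules update...  Time: 2013-09-26 23:41:14
Installation of Snort VRT rules completed.
The Rules update has finished.  Time: 2013-09-26 23:41:48
Starting rules update...  Time: 2013-09-28 00:06:01
Snort VRT md5 download failed.
Server returned error code '504'.
The Rules update has finished.  Time: 2013-09-28 00:07:28
Starting rules update...  Time: 2013-09-28 00:10:05
Snort VRT rules are up to date.
The Rules update has finished.  Time: 2013-09-28 00:10:57
"""

FMT = "%Y-%m-%d %H:%M:%S"
STAMP = r"Time: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)"
START = re.compile(r"Starting rules update\S*\s+" + STAMP)
END = re.compile(r"The Rules update has finished\.\s+" + STAMP)
HTTP_ERR = re.compile(r"Server returned error code '(\d+)'")

def parse_runs(text):
    """Split the log into runs with start, end, outcome and HTTP error code."""
    runs, cur = [], None
    for line in map(str.strip, text.splitlines()):
        if m := START.match(line):
            cur = {"start": datetime.strptime(m[1], FMT), "end": None,
                   "outcome": "unknown", "http_error": None}
            runs.append(cur)
        elif cur is None:
            continue  # text outside any run
        elif m := END.match(line):
            cur["end"] = datetime.strptime(m[1], FMT)
            cur = None
        elif m := HTTP_ERR.search(line):
            cur["http_error"] = int(m[1])
        elif "download failed" in line:
            cur["outcome"] = "failed"  # a failure is never overwritten
        elif line.startswith("Installation of") and cur["outcome"] != "failed":
            cur["outcome"] = "updated"
        elif "rules are up to date" in line and cur["outcome"] == "unknown":
            cur["outcome"] = "current"
    return runs

def missed_windows(runs, interval_hours):
    # The log does not mark runs as manual or scheduled; a gap only shows that no run was recorded.
    starts = [r["start"] for r in runs]
    return [(a, b) for a, b in zip(starts, starts[1:]) if b - a > timedelta(hours=interval_hours)]
```

With a 12-hour schedule, `missed_windows(parse_runs(log_text), 12)` returns each pair of consecutive runs that are more than 12 hours apart, which is the symptom described at the start of the thread.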

