Netgate Discussion Forum

    Snort rules will not update - pfSense noobie

    pfSense Packages
      TCShain

      Hey Folks!

      I have recently become responsible for a web app that is utilizing pfSense with Snort.

      I was not the person to implement the system or establish its running config.

      I am hitting a roadblock attempting to update the snort rules.

      Using the pfSense GUI:

      Services --> Snort
      Rule Updates Tab --> Update Rules

      The GUI responds and displays messages that look like an attempt to update...
      After a few seconds, I am left with the following message:
      "Please wait... You may only check for New PFsense Rules every 15 minutes..."

      However, the rules do not update, and there is zero mention of any attempt to update in the system logs.
      If I navigate back to the "Rule Updates" tab, the last rule update shows that no update has taken place.

      Am I not looking at the correct log file?

      Are there troubleshooting steps anyone might recommend?

      Thanks for the help!

        TCShain

        Oh and

        pfSense version 1.2.3

        Snort version 2.8.6

          marcelloc

          Please upgrade. 1.2.3 is really old and the package on this version is not maintained any more.

          Elite training: http://sys-squad.com

          Help a community developer! ;D

            TCShain

            Aw c'mon, no hints or clues?
            How about where you would begin to troubleshoot in the most up-to-date version? ;D

            I didn't implement or maintain this build, so I am apprehensive to unleash possible unknown unknowns that may pop up if I were to just update.

              bmeeks

              @TCShain:

              > Aw c'mon, no hints or clues?
              > How about where you would begin to troubleshoot in the most up-to-date version? ;D
              >
              > I didn't implement or maintain this build, so I am apprehensive to unleash possible unknown unknowns that may pop up if I were to just update.

              Snort is no longer supported on pfSense 1.2.x versions.  Sorry.  There was a need to use new functions that are only available within 2.x versions of pfSense.  Additionally, the Snort VRT has stopped support for 2.8.x.x versions of the Snort binary.  Therefore the rule sets for that version are no longer available.  That's what the error message is trying to say (although it's not very clear).

              Upgrading is painless.  I suggest moving to pfSense 2.1.  If you only want to go to pfSense 2.0.3, then you need to remove Snort and reinstall after the upgrade is complete.  If you click the checkbox on the Global Settings tab to keep Snort settings, everything will remain in the config.xml file and all your interfaces and such should come back just fine.

              Bill

                A Former User

                As none other than Mr. Allan Jude himself would have said: "Patch your shit!" (Not a personal attack in any way, shape and/or form. A strong suggestion to keep up to date with all software.)
                As suggested, always upgrade to the latest versions of everything (I'll do my psychic voodoo and say the web app being protected is something based on a no longer maintained version of a webserver, quite possibly IIS).
                The proper procedure to upgrade is: First upgrade, then notify the customers of what's not working. A golden rule in my case. Any system running 1-month-old software (of which a new version has been available for the past 3 weeks) is to be considered compromised, no questions asked. A zeroing of the drive and, if it's UEFI*, a new motherboard, installed with a newer version of the software, is the only industry-accepted practice to recover it.
                As soon as a new update is available, start testing it. You have 24 hours to update the production systems, or they are to be considered highly likely to be compromised and should be treated as hostile to other hosts on the network.

                My personal suggestion is to stop looking for ways to work around a 2-year-old appliance and start downloading the new version.

                *There are ways to flash a pre-OS exploit on a motherboard; they have been publicly available for the past year. Not publicly available, well, that's another story ;)
