Snort rules will not update - pfSense noobie



  • Hey Folks!

    I have recently become responsible for a web app that is utilizing pfSense with Snort.

    I was not the person to implement the system or establish its running config.

    I am hitting a roadblock attempting to update the snort rules.

    Using the pfSense GUI:

    Services –> Snort
    Rule Updates Tab --> Update Rules

    The GUI responds and displays messages that look like an attempt to update...
    After a few seconds, I am left with the following message:
    "Please wait... You may only check for New PFsense Rules every 15 minutes..."

    However, the rules do not update, and there is zero mention of any attempt to update in the system logs.
    If I navigate back to the "Rule Updates" tab, the last rule update shows that no update has taken place.

    Am I not looking at the correct log file?

    Are there troubleshooting steps anyone might recommend?

    Thanks for the help!



  • Oh and

    pfSense version 1.2.3

    Snort version 2.8.6



  • Please upgrade. 1.2.3 is really old and the package on this version is not maintained any more.



  • Aw cmon, no hints or clues?
    How about where you would begin to troubleshoot in the most up to date version?  ;D

    I didn't implement or maintain this build, so I am apprehensive to unleash possible unknown unknowns that may pop up if I were to just update.



  • @TCShain:

    Aw cmon, no hints or clues?
    How about where you would begin to troubleshoot in the most up to date version?  ;D

    I didn't implement or maintain this build, so I am apprehensive to unleash possible unknown unknowns that may pop up if I were to just update.

    Snort is no longer supported on pfSense 1.2.x versions.  Sorry.  There was a need to use new functions that are only available within 2.x versions of pfSense.  Additionally, the Snort VRT has stopped support for 2.8.x.x versions of the Snort binary.  Therefore the rule sets for that version are no longer available.  That's what the error message is trying to say (although it's not very clear).

    Upgrading is painless.  I suggest moving to pfSense 2.1.  If you only want to go to pfSense 2.0.3, then you need to remove Snort and reinstall after the upgrade is complete.  If you click the checkbox on the Global Settings tab to keep Snort settings, everything will remain in the config.xml file and all your interfaces and such should come back just fine.

    Bill



  • As none other than Mr. Allan Jude himself would have said: "Patch your shit!" (Not a personal attack in any way, shape and/or form; a strong suggestion to keep up to date with all software.)
    As suggested, always upgrade to the latest versions of everything (I'll do my psychic voodoo and say the web app being protected is something based on a no-longer-maintained version of a webserver, quite possibly IIS).
    The proper procedure to upgrade is: first upgrade, then notify the customers of what's not working. A golden rule in my case. Any system running 1-month-old software (of which a new version has been available for the past 3 weeks) is to be considered compromised, no questions asked. A zeroing of the drive and, if it's UEFI*, a new motherboard, installed with a newer version of the software, is the only industry-accepted practice to recover it.
    As soon as a new update is available, start testing it. You have 24 hours to update the production systems, or they are to be considered highly likely to be compromised and should be treated as hostile to other hosts on the network.

    My personal suggestion is to stop looking for ways to work around a 2-year-old appliance and start downloading the new version.

    *There are ways to flash a pre-OS exploit onto a motherboard; they have been publicly available for the past year. Not publicly available, well, that's another story  ;)

