Snort Rules Update

H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Snort Rules Update

Post by H&M » October 17th, 2014, 5:39 pm

From ids.cgi I've extracted this code for updating the Snort rules.

Get User setup regarding Snort Rules source:

Code:

# Pick the download URL from the rule source the user selected on the IDS page
if ($snortsettings{'RULES'} eq 'subscripted') {
        $url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
} elsif ($snortsettings{'RULES'} eq 'registered') {
        $url=" https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=$snortsettings{'OINKCODE'}";
} elsif ($snortsettings{'RULES'} eq 'community') {
        $url=" https://www.snort.org/rules/community";
} else {
        # Emerging Threats open ruleset (the default)
        $url="http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz";
}


Here is the download, using the $url from above:

Code:

wget -r --no-check-certificate -o /var/tmp/log --output-document=/var/tmp/snortrules.tar.gz $url


Here is the install:

Code:

/usr/local/bin/oinkmaster.pl -v -s -u file:///var/tmp/snortrules.tar.gz -C /var/ipfire/snort/oinkmaster.conf -o /etc/snort/rules >>/var/tmp/log 2>&1 &


Hope that helps...
Have a nice day / Bonne journée / Haben Sie einen guten Tag
H&M
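A cron-ready script that combines the fetch and the oinkmaster install from the two commands quoted above. This is an added example and not code from ids.cgi or from IPFire: it keeps wget's certificate check on (the ids.cgi snippet passes --no-check-certificate, which lets anyone on the path hand you a different ruleset), checks that what came back really is a gzip tarball containing .rules files before anything reaches oinkmaster, strips the oinkcode (a credential) from its own log lines, and takes a lock so two overlapping cron runs cannot write /etc/snort/rules at the same time. The file paths mirror the ones quoted in this thread; the log file name, the lock directory, the environment variables and the "run" argument are my own assumptions.

```shell
#!/bin/sh
# Added example, not IPFire's own code: fetch + validate + oinkmaster install
# in one cron-friendly script. Paths follow the commands quoted in this thread;
# RULES_URL (with the oinkcode already in it) comes from the caller's environment.
set -u

RULES_URL="${RULES_URL:-http://rules.emergingthreats.net/open/snort-2.9.0/emerging.rules.tar.gz}"
ARCHIVE="${ARCHIVE:-/var/tmp/snortrules.tar.gz}"
LOG="${LOG:-/var/tmp/snort-update.log}"            # assumed log location
OINK_CONF="${OINK_CONF:-/var/ipfire/snort/oinkmaster.conf}"
RULES_DIR="${RULES_DIR:-/etc/snort/rules}"
LOCK="${LOCK:-/var/run/snort-update.lock}"          # assumed lock directory

# The oinkcode is a credential: mask it before a URL is written to the log.
redact_url() {
    printf '%s\n' "$1" | sed 's/\(oinkcode=\)[^&]*/\1REDACTED/'
}

log() {
    printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >>"$LOG"
}

# Download to a temporary name with TLS verification left on, and only
# move it into place when wget finished successfully.
fetch_rules() {
    url=$1; dest=$2
    part="$dest.part"
    wget -q --timeout=60 -O "$part" "$url" || { rm -f "$part"; return 1; }
    mv "$part" "$dest"
}

# Accept only a non-empty gzip archive (magic bytes 1f 8b) whose tar listing
# contains at least one .rules file; a 404 page or a truncated download fails here.
verify_archive() {
    f=$1
    [ -s "$f" ] || return 1
    magic=$(od -An -tx1 -N2 "$f" | tr -d ' \n')
    [ "$magic" = "1f8b" ] || return 1
    gzip -dc "$f" 2>/dev/null | tar -tf - 2>/dev/null | grep -q '\.rules$' || return 1
    return 0
}

# Same oinkmaster invocation as in the post above, run in the foreground so
# that its exit status can be checked.
install_rules() {
    /usr/local/bin/oinkmaster.pl -v -s -u "file://$1" -C "$OINK_CONF" -o "$RULES_DIR" >>"$LOG" 2>&1
}

main() {
    # mkdir is atomic, so it serves as a lock without extra tools
    mkdir "$LOCK" 2>/dev/null || { log "another update is still running"; return 1; }
    trap 'rmdir "$LOCK"' EXIT
    log "fetching $(redact_url "$RULES_URL")"
    fetch_rules "$RULES_URL" "$ARCHIVE" || { log "download failed"; return 1; }
    verify_archive "$ARCHIVE" || { log "archive failed validation, not installing"; return 1; }
    install_rules "$ARCHIVE" || { log "oinkmaster failed, see log above"; return 1; }
    log "rules updated"
}

# Only run the update when called with "run", so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

From fcron you would call it as `RULES_URL="https://www.snort.org/rules/snortrules-snapshot-2961.tar.gz?oinkcode=..." sh /usr/local/bin/snort-update.sh run`; the validation step is what keeps a failed download from wiping the rules directory, and the redaction keeps the oinkcode out of /var/tmp.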

lucifercipher
Posts: 258
Joined: April 1st, 2014, 7:54 pm
Location: Earth, Moon & Mars

Re: Snort Rules Update

Post by lucifercipher » October 18th, 2014, 6:30 pm

The automatic updates have an issue. It happens once in a while if you have emerging and snort rules enabled. Sometimes the rules are not properly updated and you have to manually erase that rule and fetch the update again. There is a reason why Suricata is under consideration for IPFire 3.x and this issue must be one of the reasons, apart from the lower CPU requirements of Suricata compared to Snort. If you can, stick to manual updates for now.

P.S: You can always check the script source and find out what function is being called for snort rules updates.

H&M
Posts: 471
Joined: May 29th, 2014, 9:38 pm
Location: Europe

Re: Snort Rules Update

Post by H&M » October 20th, 2014, 8:13 pm

Hi,

From the post with URLFILTER Update I started to check /etc/fcron.*
All /etc/fcron.* are empty.

I believe this is the reason why snort (and URLFilter) are not updated.

For URLFilter I did a symlink to the autoupdate.pl.

But for snort I need to write a script that combines the above 2 commands: the fetch part and the update itself...


:(
Have a nice day / Bonne journée / Haben Sie einen guten Tag
H&M

BeBiMa
Posts: 2842
Joined: July 30th, 2011, 12:55 pm
Location: Mannheim

Re: Snort Rules Update

Post by BeBiMa » October 20th, 2014, 9:35 pm

H&M wrote: From the post with URLFILTER Update I started to check /etc/fcron.*
All /etc/fcron.* are empty.

I believe this is the reason why snort (and URLFilter) are not updated.

For URLFilter I did a symlink to the autoupdate.pl.

I don't think these are related. We don't know yet why the symlink for urlfilter update was missing. ;)
Unitymedia Cable Internet ( 32MBit )

sebden206
Posts: 13
Joined: February 13th, 2015, 11:56 am
Location: Deutschland BRB

Re: Snort Rules Update

Post by sebden206 » February 24th, 2015, 11:15 am

Hey, is there any progress on the automatic update for snort rules?

Just need a cron script for myself that updates the pattern from emergingthreats :-\

IcyFire
Posts: 23
Joined: January 4th, 2016, 3:43 am

Re: Snort Rules Update

Post by IcyFire » January 25th, 2016, 4:41 pm

I too and plenty more would like to see an auto update feature for SNORT rules.

Is there a link to directly donate to this wishlist add-on?

twilson
Posts: 457
Joined: October 31st, 2014, 9:26 am
Location: Germany

Re: Snort Rules Update

Post by twilson » January 26th, 2016, 11:09 am


bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: Snort Rules Update

Post by bloater99 » January 26th, 2016, 10:25 pm

The only wishlist item that can currently be donated to is RAID availability. I have sent probably more than one email to the wishlist address asking to add this to a wishlist, but I never received replies and never saw it appear as something to donate towards. That leads me to believe this is not an important feature to the developers.

If it is important to you, please send them an email at wishlist@ipfire.org and tell them.

Thanks.

Phane
Posts: 66
Joined: April 26th, 2013, 1:57 pm

Re: Snort Rules Update

Post by Phane » January 28th, 2016, 4:18 am

viewtopic.php?f=27&t=10768&p=72384&#p69517

This might work for you as a temporary fix.

Note: You must download all three rule sets (Registered, community, and emerging threats) manually at least once before this script will download them. If you don't want all three, just download the one(s) you do and I believe it should still work for those.

nvm
Posts: 9
Joined: August 23rd, 2013, 8:57 am

Re: Snort Rules Update

Post by nvm » March 15th, 2016, 11:07 am

Hi Guys,

I guess this "feature" is still required by many users... it would be nice if an update mechanism were available in one of the future updates :)

IcyFire
Posts: 23
Joined: January 4th, 2016, 3:43 am

Re: Snort Rules Update

Post by IcyFire » May 4th, 2016, 3:30 am

Not sure why an auto-update feature for SNORT rules was never implemented with IPFire's IDS. It seems this should be the default when using signature based rules. Much like having antivirus which does not automatically update to be protected from the latest threats.

I too have emailed multiple times trying to get this feature included as a funded option. I do not get any response.

bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: Snort Rules Update

Post by bloater99 » May 4th, 2016, 1:29 pm

IcyFire wrote:Not sure why an auto-update feature for SNORT rules was never implemented with IPFire's IDS. It seems this should be the default when using signature based rules. Much like having antivirus which does not automatically update to be protected from the latest threats.

I too have emailed multiple times trying to get this feature included as a funded option. I do not get any response.
That sucks (not getting any response). I love this firewall, but this just makes no sense. Your anti-virus analogy, though, makes perfect sense.

I've donated to IPFire, but they'd get even more from me (and doubtless many others) if they decided to crowd fund this feature. I have no interest in captive portals or RAID support. I'd rather have my firewall to be able to do something as basic as keep IDS rules up to date on its own.

IcyFire
Posts: 23
Joined: January 4th, 2016, 3:43 am

Re: Snort Rules Update

Post by IcyFire » May 12th, 2016, 8:24 pm

Over on this post: viewtopic.php?f=50&t=11483&p=80450&hili ... ata#p80450 It has been posted that Suricata is scheduled for IPFire? If this is correct, then perhaps there has been no update because IPFire will soon support Suricata? Wishful thinking? I hope not! Suricata can utilize multicore processors to process traffic. Snort v3 is multithread enabled but it's still in Alpha. It would be nice to verify if Suricata is in fact coming to IPFire... and that it will automatically update rulesets.
ummeegge wrote: Suricata is planned for IPFire 3.x, which will need an undefined time until a release. Nevertheless it should be possible to build it on your own if you are interested in it.
I think I have posted a link in here but here again --> http://wiki.ipfire.org/en/development/build if you want to try a build of your own IPFire ;) .

I think you will need LibYaml as a minimum dependency for Suricata at the current IPFire core 86 but I haven't had a deeper look into it.

Please use another thread for further questions on that topic because we are walking away from the subject.

Another bit of side info: I have made a small installer script for OSSEC server and/or agent installation on IPFire which can be found in here --> viewtopic.php?f=4&p=80449#p80449 .

IcyFire
Posts: 23
Joined: January 4th, 2016, 3:43 am

Re: Snort Rules Update

Post by IcyFire » May 18th, 2016, 3:24 pm

I received a response from Lightning Wire Labs about Snort not automatically updating. At least this is an answer where there was none before. I just wish this feature could go to funding to get implemented.
Indeed, this does not automatically update at the moment. We have no plans to add this functionality at the moment.

The reason for that is that a custom selection of the rules is hard to preserve after the update.

Your Lightning Wire Labs Team,
Best regards,
-Michael Tremer

bloater99
Posts: 482
Joined: October 13th, 2014, 3:47 pm

Re: Snort Rules Update

Post by bloater99 » May 19th, 2016, 8:56 pm

Hmm. I wonder how pfSense does it then.