Bug #2208

closed

Snort: Only the last updated rules get extracted, others get deleted

Added by Seb A almost 13 years ago. Updated over 12 years ago.

Status: Resolved
Priority: Normal
Assignee: -
Category: Snort
Target version: -
Start date: 02/16/2012
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Affected Version: All
Affected Plus Version:
Affected Architecture:

Description

Steps to reproduce:
1. Install Snort via the Package Manager
2. Configure Global Settings to download Snort.org rules and Emerging Threats rules.
3. Save.
4. Update Rules.
5. In my case, the download from Snort.org failed, perhaps because I'd just installed them on another pfSense (the CARP master) with the same Oinkmaster code.
6. Retrying immediately also fails, so wait an hour or so and the download from Snort.org works.
7. Look in /usr/local/etc/snort/rules and note that the Emerging Threats rules are missing!
8. Expected result: emerging-*.rules, pfsense-voip.rules, snort_*.rules are all present.
9. Actual result: as above, but no emerging-*.rules.
10. Go back to the GUI and click update rules again.
11. There are no updates of course, but it still does something.
12. Look in /usr/local/etc/snort/rules and note that the Emerging Threats AND the Snort.org rules are missing! Only the pfsense-voip.rules is present.
13. Repeat a few more times but the situation is now static as in #12.

14. Just to verify that this is a problem: create a Snort interface and see what rules it gets: it only gets the current rules from /usr/local/etc/snort/rules so it's missing most of them.

This affects me now on pfSense 2.0.1 and the latest published Snort package from today (labelled Snort 2.9.1 pkg v. 2.1.1). But I also had the same issue on Snort 2.9.0.5 pkg v. 2.0 on pfSense 2.0 installed October last year. I resolved it by deleting emerging.rules.tar.gz.md5 and snortrules-snapshot-2905.tar.gz.md5 from /usr/local/etc/snort and pressing Update Rules again. Removing the md5 files causes it to redownload both files and this time it worked OK (as both were downloaded OK).

What I wonder: if I wait a few more hours and either Snort.org OR ET rules (but not both) are updated on the server, and then I do an Update Rules, does the other one get deleted? Based on the above, I suspect so...
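Added example (not part of the original report and not code from the pfSense Snort package): a shell check for the symptom in steps 7 to 12, reporting which of the rule families named in step 8 have no file in a rules directory. The function names are hypothetical; the file patterns come from the report, and the directory to check (for instance /usr/local/etc/snort/rules) is passed as an argument.

```sh
#!/bin/sh
# Added example: detect a Snort rules directory that lost whole rule families
# after "Update Rules". Patterns are the ones listed in step 8 of the report.

# Print the pattern of each rule family that has no matching file in $1.
# Prints an empty line when every family is present.
missing_rule_families() {
    dir=$1
    missing=""
    for pattern in 'emerging-*.rules' 'snort_*.rules' 'pfsense-voip.rules'; do
        found=0
        for f in "$dir"/$pattern; do
            # An unmatched glob stays literal, so confirm the file exists.
            if [ -f "$f" ]; then
                found=1
                break
            fi
        done
        [ "$found" -eq 1 ] || missing="$missing $pattern"
    done
    # Drop the leading separator before printing.
    echo "${missing# }"
}

# Exit status 0 when all three families are present, non-zero otherwise.
rules_complete() {
    [ -z "$(missing_rule_families "$1")" ]
}

# When a directory is given on the command line, report on it.
if [ "$#" -ge 1 ]; then
    m=$(missing_rule_families "$1")
    if [ -n "$m" ]; then
        echo "missing rule families in $1: $m"
    else
        echo "all rule families present in $1"
    fi
fi
```

Running this after every rule update makes the silent loss visible before an interface is built from an incomplete rule set, as in step 14.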
