Feature #2735: Improvement to Snort Rules Update Process
Status: Closed (0% done)
Description
The current rules update process in the Snort package has some shortcomings. In particular, when using both the Emerging Threats and Snort VRT rules together, incorrect sid-msg.map, classification.config and reference.config files are generated. Depending on which particular set of rules has an update during a scheduled update check, the Snort configuration is left with either just the ET config files or just the VRT config files. The desired outcome, when running both rule sets together, is a combined config file set containing the proper entries from both the ET and VRT rules downloads.

Without a proper classification.config and reference.config file for the running set of Snort rules, you can get random errors and the Snort process dies if a rule fires and the corresponding classification and/or reference entry cannot be obtained from the classification.config and reference.config files. Additionally, if using barnyard2 to stuff Snort logs into a database, it is vital that a proper sid-msg.map file containing the SID and MSG from all of the "in use" rules be available. Otherwise, barnyard2 will not be able to log the corresponding MSG text from the rule to the database.
The attached "snort_check_for_rule_updates.php" file has new code added that produces a proper set of sid-msg.map, classification.config and reference.config files for the Snort installation regardless of whether just ET, just VRT, or both ET and VRT rules are being used. Please consider adding this code to the current Snort package (and including it in future versions).
There is one other improvement in the "snort_check_for_rule_updates.php" file. I created a loop structure to attempt the automatic updates up to 4 times separated by 30-second sleep periods. Prior to this, I was experiencing timeouts and other download problems regularly. Now, after adding the multiple attempts loop, I have not missed any available ET or VRT rule update.
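The two changes described in this report, as an added illustration that is not the attached snort_check_for_rule_updates.php and not the pfSense Snort package's own code: (1) building one combined sid-msg.map, classification.config and reference.config from the ET and VRT downloads, keyed by SID, classtype name and reference system so that an entry present in both sets appears once, and (2) a download wrapper that retries a fixed number of times with a pause between attempts. The function names and the file contents are constructed for the demo; real rule-set files are larger but use the same line formats.

```php
<?php
// Added example, not code from the pfSense Snort package. All sample file
// bodies below are constructed; they are not real ET or VRT output.

/** Parse one config body into [key => line], skipping blanks and comments. */
function parse_entries(string $body, callable $keyOf): array
{
    $entries = [];
    foreach (preg_split('/\r?\n/', $body) as $line) {
        $line = trim($line);
        if ($line === '' || $line[0] === '#') {
            continue;
        }
        $key = $keyOf($line);
        if ($key !== null && !isset($entries[$key])) {
            $entries[$key] = $line;   // first occurrence of a key wins
        }
    }
    return $entries;
}

// sid-msg.map line: "SID || MSG || ref,..." -> keyed by SID
function sid_key(string $line): ?string
{
    $sid = trim(explode('||', $line)[0]);
    return preg_match('/^\d+$/', $sid) ? $sid : null;
}

// classification.config line: "config classification: name,desc,prio" -> keyed by name
function classification_key(string $line): ?string
{
    return preg_match('/^config\s+classification:\s*([^,]+),/i', $line, $m)
        ? strtolower(trim($m[1])) : null;
}

// reference.config line: "config reference: system url-prefix" -> keyed by system
function reference_key(string $line): ?string
{
    return preg_match('/^config\s+reference:\s*(\S+)/i', $line, $m)
        ? strtolower($m[1]) : null;
}

/** Merge the same-named file from every rule set in use and return the text. */
function merge_config(array $bodies, callable $keyOf, bool $numeric = false): string
{
    $merged = [];
    foreach ($bodies as $body) {
        $merged += parse_entries($body, $keyOf);   // '+' keeps already-present keys
    }
    ksort($merged, $numeric ? SORT_NUMERIC : SORT_STRING);
    return implode("\n", $merged) . "\n";
}

/**
 * Call $fetch up to $attempts times, sleeping $delaySeconds between tries.
 * $fetch returns the downloaded content, or false on a failed download.
 * Returns false only when every attempt has failed.
 */
function fetch_with_retry(callable $fetch, int $attempts = 4, int $delaySeconds = 30)
{
    for ($try = 1; $try <= $attempts; $try++) {
        $result = $fetch();
        if ($result !== false) {
            return $result;
        }
        if ($try < $attempts) {
            sleep($delaySeconds);
        }
    }
    return false;
}

// --- Constructed sample data: one entry (SID 1000002, trojan-activity, url) is
// --- present in both sets and must appear once in the combined output.
$vrt = [
    'sid-msg.map'           => "1000001 || Sample VRT rule one || url,example.invalid/a\n1000002 || Sample VRT rule two\n",
    'classification.config' => "# VRT classes\nconfig classification: trojan-activity,A Network Trojan was detected,1\nconfig classification: misc-activity,Misc activity,3\n",
    'reference.config'      => "config reference: url http://\nconfig reference: cve http://cve.mitre.org/cgi-bin/cvename.cgi?name=\n",
];
$et = [
    'sid-msg.map'           => "2000001 || Sample ET rule one\n1000002 || Same SID as a VRT entry\n",
    'classification.config' => "config classification: trojan-activity,A Network Trojan was detected,1\nconfig classification: policy-violation,Potential Corporate Privacy Violation,1\n",
    'reference.config'      => "config reference: url http://\nconfig reference: et http://doc.emergingthreats.net/\n",
];

$combined = [
    'sid-msg.map'           => merge_config([$vrt['sid-msg.map'], $et['sid-msg.map']], 'sid_key', true),
    'classification.config' => merge_config([$vrt['classification.config'], $et['classification.config']], 'classification_key'),
    'reference.config'      => merge_config([$vrt['reference.config'], $et['reference.config']], 'reference_key'),
];
foreach ($combined as $name => $text) {
    echo "== $name ==\n$text";
}

// Retry demo: a fake fetcher that fails twice and then succeeds; delay set to 0
// so the demo does not actually sleep. In production the default 30 s applies.
$calls = 0;
$body = fetch_with_retry(function () use (&$calls) {
    return ++$calls < 3 ? false : 'rules-tarball-bytes';
}, 4, 0);
echo "fetched after $calls attempts: $body\n";
```

Listing the VRT body before the ET body means a SID or classtype defined in both sets keeps the VRT text; the order is a policy choice, and the important property for Snort and barnyard2 is that every SID, classtype and reference system used by any loaded rule has exactly one entry in the combined files written to the Snort configuration directory.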
Updated by Bill Meeks over 12 years ago
Added a corrected snort_check_for_rule_updates.php file to fix a small bug in the status text message where the current interface being configured/updated displayed as blank instead of showing the interface description (or interface name, if description is blank).
Updated by Jim Pingle over 12 years ago
- Status changed from New to Feedback
Have these changes already been merged in by pull requests? They look familiar.
Updated by Bill Meeks over 12 years ago
Yep. These, too, were part of the larger set of pull requests done in late January and early February. This request can be closed.