
Topic: Registered Snort VRT user - Suricata doesn't automatically get scheduled updates


drewsaur:
Hello,

I am a registered (paying) Snort VRT user - I have Suricata configured with my oinkcode to retrieve my rules, once per day, but it never does. Emerging Threats rules download daily per the schedule.

I should add that I have followed all instructions per https://forum.pfsense.org/index.php?topic=124054.0

What else might I be missing?
« Last Edit: November 25, 2017, 08:07:08 pm by drewsaur »

bmeeks:

You have to do two things:

(1) -- make sure only your Oinkcode is entered into the provided box.  Do not enter the entire URL you get from the Snort VRT site.  Just enter the Oinkcode random number value (it's that mix of letters and numbers).

(2) -- tell Suricata which current rules package to download.  Suricata is not Snort, so it has no internal way of knowing which rules package to grab.  Snort is hard-coded to a specific rules package version that matches the binary version.  Not so for Suricata.  Have you read this sticky post in this forum?  https://forum.pfsense.org/index.php?topic=124054.0

The current filename is snortrules-snapshot-2990.tar.gz

Bill

drewsaur:
Yes, as I indicated in my post, I followed those instructions per the sticky post.

Thank you for whatever additional information you may be able to provide, and I am using that precise filename as well.

bmeeks:

What does the Rules Update Log say on the UPDATES tab?  Open it up and paste the contents here (or the last update session which will be at the bottom of the log).  It will print an error if there is failure, and that error can help locate your issue.

Also realize the Snort VRT rules generally only update twice a week on Tuesdays and Thursdays.  They do not get daily updates like the ET rules.

Bill

drewsaur:
The typical update looks like this... the Snort MD5 checksum never seems to update, and I have let it go for about a week at a time with no updates whatsoever...

Starting rules update...  Time: 2017-11-20 04:30:00
   Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
   Checking Emerging Threats Open rules md5 file...
   Emerging Threats Open rules are up to date.
   Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
   Checking Snort VRT rules md5 file...
   Snort VRT rules are up to date.
The Rules update has finished.  Time: 2017-11-20 04:30:03

Starting rules update...  Time: 2017-11-21 04:30:00
   Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
   Checking Emerging Threats Open rules md5 file...
   There is a new set of Emerging Threats Open rules posted.
   Downloading file 'emerging.rules.tar.gz'...
   Done downloading rules file.
   Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
   Checking Snort VRT rules md5 file...
   Snort VRT rules are up to date.
   Extracting and installing Emerging Threats Open rules...
   Installation of Emerging Threats Open rules completed.
   Copying new config and map files...
   Updating rules configuration for: WAN ...
   Updating rules configuration for: LAN ...
   Restarting Suricata to activate the new set of rules...
   Suricata has restarted with your new set of rules.
The Rules update has finished.  Time: 2017-11-21 04:32:22

Thank you for the tip about Tuesdays and Thursdays. I will look closely at what happens this coming week on those days and I will report back here.
« Last Edit: November 26, 2017, 01:42:54 pm by drewsaur »
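As an added example (not code from this thread or from the pfSense Suricata package), the POSIX shell script below mirrors the two things Bill lists (only the Oinkcode in the box; an explicit snapshot filename) and the md5-then-tarball sequence the update log above prints: fetch the .md5 file, compare it with the stored checksum, and only then download and verify the tarball. Assumed, not taken from the thread: the function names, the snort.org download URL form https://www.snort.org/rules/<file>?oinkcode=<code>, the use of fetch(1) or curl for the transfer, and that the .md5 file carries the 32-hex-digit checksum somewhere in its text.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pfSense Suricata package.
# Assumptions (not from the thread): function names, the snort.org URL form
# https://www.snort.org/rules/<file>?oinkcode=<code>, fetch(1)/curl for transfers,
# and a .md5 file that contains the 32-hex-digit checksum somewhere in its text.
set -eu

# Point (1): the field must hold only the Oinkcode, not the whole URL from snort.org.
# Accept a bare code or a pasted URL carrying ?oinkcode=<code> and print the bare
# code; anything that is not purely letters and digits is rejected (exit status 1).
normalize_oinkcode() {
    _code=$1
    case "$_code" in
        *oinkcode=*) _code=${_code##*oinkcode=}; _code=${_code%%&*} ;;
    esac
    case "$_code" in
        ''|*[!0-9A-Za-z]*) return 1 ;;
    esac
    printf '%s\n' "$_code"
}

# Point (2): Suricata has no built-in notion of which snapshot to fetch, so the
# filename is an explicit input (snortrules-snapshot-2990.tar.gz in the thread).
rules_url() {
    printf 'https://www.snort.org/rules/%s?oinkcode=%s\n' "$1" "$2"
}

# Pull the 32-hex-digit checksum out of whatever the .md5 file contains, lowercased.
# Prints nothing when no checksum is present.
extract_md5() {
    printf '%s\n' "$1" | sed -n 's/.*\([0-9a-fA-F]\{32\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# "Checking Snort VRT rules md5 file...": exit 0 when the remote checksum differs
# from the stored one (new rules posted), 1 when identical (up to date), 2 when the
# remote file carries no checksum at all (an error, never reported as "up to date").
rules_changed() {
    _new=$(extract_md5 "$2")
    [ -n "$_new" ] || { echo "remote md5 file contains no checksum" >&2; return 2; }
    [ "$_new" != "$1" ]
}

# Verify a downloaded tarball against the checksum before anything unpacks it.
# pfSense/FreeBSD ships md5(1); Linux hosts have md5sum(1).
verify_tarball() {
    if command -v md5sum >/dev/null 2>&1; then
        _actual=$(md5sum "$1" | cut -d' ' -f1)
    else
        _actual=$(md5 -q "$1")
    fi
    [ "$_actual" = "$2" ]
}

# fetch(1) is what pfSense has; curl is the fallback elsewhere.
fetch_url() {
    if command -v fetch >/dev/null 2>&1; then
        fetch -qo "$2" "$1"
    else
        curl -fsSL -o "$2" "$1"
    fi
}

# One update pass in the order the log shows. Needs network access, so it only runs
# when invoked explicitly: update_snort_rules <oinkcode-or-url> <snapshot-file> <statedir>
update_snort_rules() {
    _code=$(normalize_oinkcode "$1") || { echo "Oinkcode field holds something other than the code" >&2; return 1; }
    _file=$2; _state=$3
    mkdir -p "$_state"
    _stored=""
    if [ -f "$_state/$_file.md5" ]; then _stored=$(cat "$_state/$_file.md5"); fi
    echo "Downloading Snort VRT rules md5 file $_file.md5..."
    _tmp=$(mktemp)
    fetch_url "$(rules_url "$_file.md5" "$_code")" "$_tmp"
    _remote=$(cat "$_tmp"); rm -f "$_tmp"
    rules_changed "$_stored" "$_remote" && _rc=0 || _rc=$?
    case $_rc in
        0)  echo "There is a new set of Snort VRT rules posted."
            fetch_url "$(rules_url "$_file" "$_code")" "$_state/$_file"
            _new=$(extract_md5 "$_remote")
            verify_tarball "$_state/$_file" "$_new" || { echo "checksum mismatch, not installing" >&2; return 1; }
            printf '%s\n' "$_new" > "$_state/$_file.md5"
            echo "Done downloading rules file." ;;
        1)  echo "Snort VRT rules are up to date." ;;
        *)  return 1 ;;
    esac
}
```

Feeding update_snort_rules the full URL copied from snort.org instead of the bare Oinkcode fails at once with a message, which is the first of Bill's two checks; a snapshot filename that snort.org no longer serves fails at the fetch step; and a .md5 file with no checksum in it is reported as an error, so a broken download stays distinguishable from a genuinely unchanged rule set like the one in the log above.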

bmeeks:
My own Snort VRT rules last updated on November 21.  So probably nothing to worry about.  Either nothing has been needed on the rule creation front for a while, or the Snort VRT folks took a long holiday for Thanksgiving in the U.S. ...  :)

You can follow the Snort VRT rules releases here:  https://www.snort.org/downloads/#rule-downloads

Bill
« Last Edit: November 28, 2017, 01:36:31 pm by bmeeks »

drewsaur:

Thank you. As it turns out, yes, I was simply being impatient:

Starting rules update...  Time: 2017-11-29 04:30:00
   Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
   Checking Emerging Threats Open rules md5 file...
   There is a new set of Emerging Threats Open rules posted.
   Downloading file 'emerging.rules.tar.gz'...
   Done downloading rules file.
   Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
   Checking Snort VRT rules md5 file...
   There is a new set of Snort VRT rules posted.
   Downloading file 'snortrules-snapshot-2990.tar.gz'...
   Done downloading rules file.
   Extracting and installing Emerging Threats Open rules...
   Installation of Emerging Threats Open rules completed.
   Extracting and installing Snort VRT rules...
   Installation of Snort VRT rules completed.
   Copying new config and map files...
   Updating rules configuration for: WAN ...
   Updating rules configuration for: LAN ...
   Restarting Suricata to activate the new set of rules...
   Suricata has restarted with your new set of rules.
The Rules update has finished.  Time: 2017-11-29 04:32:20

Thank you again for all your very informative help.