Fw_upgrade version 8.3.2 minor error checks for broken snort rules resulting in no internet connection (updated)
Posted by Roadrunnere42 on Jul 03, 2016; 9:45pm
URL: https://itus.accessinnov.com/Fw-upgrade-version-8-3-2-minor-error-checks-for-broken-snort-rules-resulting-in-no-internet-connecti-tp1080.html
Hi
Following a post by breda, I started to look into why certain people would lose internet after the nightly snort rule updates; this would not happen all the time.
The reason for losing the internet connection is that snort detects a problem with one snort rule, which causes a fatal error, and snort stops running, resulting in no internet.
In earlier releases of the fw_upgrade script I put in place checks for duplicate rules, then checks for snort rules with the same sid number. I thought I had it cracked, but breda had a fatal error after downloading the new snort rules. As losing internet is not really OK, and for non-technical people this causes big problems, or if your business relies on continuous connectivity to the net, I decided to put in a check to see if a fatal error occurred after downloading the new snort rules.
The script looks in the system logs for a message SNORT FATAL ERROR, which is created every time this error occurs. If this message is present, it means that something has gone wrong with the download or one of the snort rules has been created wrong. The script will then rename the old snort rules, delete the rule set, restart snort, then download a new rule set. If after 3 attempts of downloading the rules it is still receiving a fatal error message, it will stop downloading and I'm afraid that human intervention is needed.
I believe that this should sort the problem of no internet after downloading new snort rules which are wrongly created (syntax errors do occur).
If you already have fw_upgrade version 8.3.1, then just copy the new version to the /sbin folder, overwriting the old version. If you have an old version, follow the instructions in the old post
Fw_upgrade version 8.3 release updated post
Corrected error: version number in script should not be 8.3.12 but 8.3.2
fw_upgrade.fw_upgrade
roadrunnere42
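The retry logic described in the post, sketched as an added example; it is not the fw_upgrade script or any part of it. The hook names `download_rules` and `restart_snort`, the file paths and the `.bad.N` suffix are assumptions, and the example only inspects log lines written since the current attempt began.

```shell
#!/bin/sh
# Added example, not the fw_upgrade script. Paths and hook names are hypothetical.
MARKER="SNORT FATAL ERROR"   # log message named in the post
MAX_ATTEMPTS=3               # downloads attempted before giving up

# Number of lines currently in LOG (0 if it does not exist yet).
log_lines() { [ -f "$1" ] && wc -l < "$1" | tr -d ' ' || echo 0; }

# fatal_since LOG N: true if the marker was logged after line N. Checking only
# new lines stops a marker from an earlier failure tripping every later attempt.
fatal_since() { tail -n "+$(( $2 + 1 ))" "$1" 2>/dev/null | grep -q "$MARKER"; }

# update_rules RULES LOG: needs two caller-supplied hooks (hypothetical names),
# download_rules FILE and restart_snort. Returns 0 once snort restarts cleanly,
# 1 after MAX_ATTEMPTS fatal errors, 2 if a download itself fails.
update_rules() {
    rules=$1; log=$2; attempt=1
    while [ "$attempt" -le "$MAX_ATTEMPTS" ]; do
        mark=$(log_lines "$log")
        download_rules "$rules" || return 2
        restart_snort
        fatal_since "$log" "$mark" || return 0
        # Keep the rejected set for inspection and take it off the live path,
        # then restart so traffic flows again before the next download.
        mv -f "$rules" "$rules.bad.$attempt"
        restart_snort
        attempt=$(( attempt + 1 ))
    done
    return 1
}

# Constructed simulation: the first two downloads are broken, the third is clean.
demo() {
    dir=$(mktemp -d); n=0
    download_rules() {
        n=$(( n + 1 ))
        if [ "$n" -lt 3 ]; then echo "broken rule" > "$1"; else echo "good rule" > "$1"; fi
    }
    restart_snort() {
        if grep -q "broken" "$dir/test.rules" 2>/dev/null; then echo "$MARKER" >> "$dir/snort.log"; fi
    }
    update_rules "$dir/test.rules" "$dir/snort.log"; rc=$?
    echo "rc=$rc downloads=$n"
    rm -rf "$dir"
    return "$rc"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Run the file with the argument `demo` to see the simulation; a return value of 1 from `update_rules` is the point at which someone has to look at the saved `.bad.N` files by hand.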