Netgate Discussion Forum

    Snort free Registered rules MDS fail

    • andrzejls @bmeeks

      @bmeeks said in Snort free Registered rules MDS fail:

      Could be an Oinkcode problem

      Just to make sure that I am not making errors or not following Snort's proper procedure, what is the proper procedure to obtain an "oink" code? If I got more than one "oink" code, should I use the most recent one, or does it not matter?

      • fireodo @andrzejls

        @andrzejls said in Snort free Registered rules MDS fail:

        If I got more than one "oink" code, should I use the most recent one, or does it not matter?

        Hi,

        I guess you should use the latest one and discard the old one. (The MaxMind GeoIP key follows this procedure.)

        my 2 cents,
        fireodo

        Kettop Mi4300YL CPU: i5-4300Y @ 1.60GHz RAM: 8GB Ethernet Ports: 4
        SSD: SanDisk pSSD-S2 16GB (ZFS) WiFi: WLE200NX
        pfsense 2.8.0 CE
        Packages: Apcupsd, Cron, Iftop, Iperf, LCDproc, Nmap, pfBlockerNG, RRD_Summary, Shellcmd, Snort, Speedtest, System_Patches.

        • andrzejls @fireodo

          @fireodo
          Thanks. Yes, that is what I use: the latest oink code.

          • bmeeks
            last edited by bmeeks

            Sorry to be late replying again. Had to be away from home for a bit.

            I am stumped over your error. As I mentioned, the vast majority of the time this error is caused by a RAM disk and not having enough free space on it to hold the files as they are downloaded. Since you have confirmed you are not using a RAM disk, that eliminates that as a cause.

            Just to be complete, are you showing plenty of available space on your disk? I would assume so or you would likely be experiencing other pfSense problems. 256 MB or more of free space should be plenty to download the files and unpack them.

            The fact you can login and download the file directly from the Snort site indicates your registration or subscription with them is good. Like @fireodo suggested, make sure you are using the most recently issued Oinkcode if you have gotten more than one. Not sure if older ones would still be good.

            To perform the exact same type of download as the Snort package on pfSense is attempting, try this URL in your browser of choice:

            https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode={$oinkid}

            In the URL above, replace the braces "{}" and the content within with your Oinkcode. So like this as an example:

            https://www.snort.org/rules/snortrules-snapshot-29200.tar.gz?oinkcode=123456789

            This should result in downloading the rules file using your Oinkcode in the exact same way as the Snort package is attempting on pfSense.

            Your error message shows the download succeeded, but when the package code tested the md5sum of the gzip file it downloaded against what the Snort rules website reported was valid, the checksum did not match and thus the downloaded gzip is considered corrupted.

            • andrzejls
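            The check bmeeks describes, as an added example that is not code from the thread or from the pfSense Snort package: a small sh script that tests a downloaded rules tarball against the MD5 the rules site publishes, and separates a bad gzip stream from a hash mismatch so a failure can be attributed correctly. It assumes the published hash has already been saved locally (as a bare hash or an md5sum-style "hash  filename" line) and that md5sum (Linux) or md5 (FreeBSD/pfSense) is available.

```shell
#!/bin/sh
# Added example, not code from the thread or the pfSense Snort package.
# Assumes the published hash is saved locally as a bare 32-hex MD5 or an
# md5sum-style "hash  filename" line, and that md5sum (Linux) or md5
# (FreeBSD/pfSense) plus gzip and tar are available.

md5_of() {
    # MD5 of a file, portable across GNU md5sum and BSD md5 -q.
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

expected_md5() {
    # First 32-hex-digit token in the published md5 file, lower-cased.
    tr 'A-F' 'a-f' < "$1" | grep -o '[0-9a-f]\{32\}' | head -n 1
}

# verify_rules_tarball <tarball> <md5file>
# 0 = gzip stream and MD5 both check out; 1 = MD5 mismatch (the thread's
# "corrupted" case); 2 = gzip integrity test failed; 3 = no hash readable.
verify_rules_tarball() {
    tarball=$1 md5file=$2
    want=$(expected_md5 "$md5file")
    [ -n "$want" ] || { echo "no MD5 found in $md5file" >&2; return 3; }
    if ! gzip -t "$tarball" 2>/dev/null; then
        echo "$tarball: gzip integrity test failed" >&2
        return 2
    fi
    have=$(md5_of "$tarball")
    if [ "$have" != "$want" ]; then
        echo "$tarball: MD5 mismatch (have $have, want $want)" >&2
        return 1
    fi
    echo "$tarball: MD5 OK ($have)"
}

# Constructed demo data: a one-rule tarball, a matching md5 file and a
# deliberately wrong one (no network access, no Oinkcode needed).
demo_dir=$(mktemp -d)
printf 'alert tcp any any -> any any (msg:"constructed rule"; sid:1000001;)\n' \
    > "$demo_dir/snort.rules"
tar -C "$demo_dir" -czf "$demo_dir/snortrules-snapshot-demo.tar.gz" snort.rules
md5_of "$demo_dir/snortrules-snapshot-demo.tar.gz" > "$demo_dir/good.md5"
echo "00000000000000000000000000000000  snortrules-snapshot-demo.tar.gz" \
    > "$demo_dir/bad.md5"
verify_rules_tarball "$demo_dir/snortrules-snapshot-demo.tar.gz" "$demo_dir/good.md5"
```

Running the same function on the real tarball from the URL above and on the hash file saved from the rules site tells you whether the file that arrived is the one the site served; a gzip failure with a matching hash is not possible, so exit code 2 points at transport corruption rather than at the Oinkcode.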

              @bmeeks
              Hi, thank you for your support and help. I followed your instructions and I was able to download the "snortrules-snapshot-29200.tar.gz" file without any problem. It got me thinking about checksums and offloading with Realtek cards. In System/Advanced/Networking there is a setting for "Hardware Checksum Offloading". I checked that field and rebooted pfSense as instructed. Lo and behold, Snort updated successfully. I use an old EVGA nForce 750i SLI MB with a Realtek built-in 1GB NIC for WAN. I think that was the issue all along. Did not realize, as I am new to Snort, that this could be an issue with Snort. Proof in the pudding will be tomorrow when Snort runs through the scheduled update.

              • johnpoz (LAYER 8, Global Moderator) @andrzejls

                @andrzejls said in Snort free Registered rules MDS fail:

                Hardware Checksum Offloading

                The checkmark disables it.

                If that fixes it - that is a weird one for sure.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                • bmeeks
                  last edited by bmeeks

                  Hmm... the checksum setting causing that is definitely unusual. Not that disabling the setting is bad -- it is actually suggested for Snort when inspecting traffic -- but weird that it would cause a corrupted file.

                  My assumption is that if that setting was causing large downloads to become corrupted you would expect many other issues related to corrupt downloads such as slow websites when browsing, failed Windows updates on Microsoft clients, etc.

                  It is definitely true that Realtek NICs and FreeBSD are not best friends, though 😀.

                  • johnpoz (LAYER 8, Global Moderator) @bmeeks

                    @bmeeks Yeah I would think if that was causing such a problem you would see its effects elsewhere as well.


                    • andrzejls @bmeeks
                      last edited by andrzejls

                      @bmeeks
                      Yes, it is strange that this would be a reason for Snort updates to fail, but as you said, FreeBSD and Realtek are not the best of friends. The real test will be on Wednesday when the Snort updated (Tuesday updates) file arrives. In any event I will be purchasing a new dual-port Intel-based NIC card just to be on the safe side.
                      @johnpoz
                      I have 1 (one) Windows 11 machine (dual boot with my main Debian-based openmediavault 6 NAS, which is the default boot) that I occasionally boot into, and since my transfer to pfSense about 8 Mo. ago I did notice difficulties with Microsoft updates. They would fail, Cumulative updates in particular.

                      • andrzejls @johnpoz
                        last edited by andrzejls

                        @johnpoz , @bmeeks
                        Update:
                        Yesterday I replaced the Realtek NICs with a dual-NIC Intel 82576 chip PCI-E card, unchecked "Hardware Checksum Offloading" and rebooted the system as required. Overnight Snort downloaded and successfully updated the Registered rules. So, I think this issue is resolved.
                        I want to thank you both for your help.
