Snort signatures update issue?
-
Dear all,
I changed the performance to mwm, ran: ps aux | grep snort. I got only one process of snort running:
ps aux | grep snort
root 22778 0.0 0.1 1292 908 ?? Is 9:06AM 0:00.00 snort2c -w /var/
root 25496 0.0 0.1 1552 656 p0 R+ 9:14AM 0:00.00 grep snort
Then I did ssh to the box and ran snort manually like this:
snort -c /usr/local/etc/snort/snort.conf -l /var/log/
I got the following:
…...........
..............
+++++++++++++++++++++++++++++++++++++++++++++++++++
Initializing rule chains...
ERROR: /usr/local/etc/snort/rules/ddos.rules(25) => Invalid port: [31335,35555]
Fatal Error, Quitting..
After I disabled the problematic ddos.rules(25) using the web console, I ran the following command:
snort -c /usr/local/etc/snort/snort.conf -l /var/log/
Then I ran ps aux | grep snort again:
Now I got both snort processes running:
ps aux | grep snort
root 29629 0.0 0.1 1292 908 ?? Is 9:26AM 0:00.00 snort2c -w /var/
root 29786 0.0 14.5 151584 147892 p0 S 9:27AM 0:04.94 snort -c /usr/lo
I ran nmap using the -sS switch but I did not get any alerts. Moreover, every time I want to update snort I get this error:
Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
You last updated the ruleset: 2008-04-13
Your snort rulesets are up to date.
I have two questions:
1. Does the snort in pfsense have to be started manually from the console? Or perhaps, I missed something.
2. Is the error regarding the rule update normal, meaning we can ignore it?
Thanks, any response will be much appreciated.
-
I think I got it solved by restarting the machine, after reboot the snort runs good.
Just wondering if there's another way than reboot to solve this.
-
I've got the same error on the update tab and the ddos rules. Fresh 1.2 install.
-
Looks like they changed the download location?
What is the new location if you visit their website? They used to tell the location.
-
http://www.snort.org/pub-bin/oinkmaster.cgi/[OINKCODE]/filename
The rules still download. The thing not working is the page giving update information.
-
Snort still not working properly after update.
" Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 ".
Any further ideas on how to fix this?
-
New Version available
Current: 2.7.0.1_4
-
Weird.. I still see this when I reinstall snort:
snort-2.7.0.1_1 100%
However, I do see the 1_4 version when I see what packages are installed.
Is this correct?
/F
-
Re-installed SNORT ( currently 2.7.0.1_4 ) & changed the code on line 98 ( to http://www.snort.org/pub-bin/oinkmaster.cgi from http://www.snort.org/pub-bin/download.cgi ) and currently getting:
" Warning: file_get_contents(http://www.snort.org/pub-bin/oinkmaster.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 You must be a registered user with a valid oink code to download this file. in /usr/local/www/snort_download_rules.php on line 98 "
I even got a new Oink Code & still getting the same Error. Is there any information on the SNORT website on this issue?
-
After installing snort, I'm trying to update snort (I cannot enter the rules; I need to update first),
but it keeps downloading for more than an hour. I already tried a 2nd time.
Any clue? Thanks in advance.
-
Same goes for me. After I updated the snort package, I tried to update the snort rules, waited about 20 minutes +- for it to finish, then this message came out:
Warning: file_get_contents(http://www.snort.org/pub-bin/downloads.cgi): failed to open stream: HTTP request failed! HTTP/1.1 403 Forbidden in /usr/local/www/snort_download_rules.php on line 98
You last updated the ruleset: 2008-04-29
Your snort rulesets are up to date.
-
Ok,
This is not a snort or pfsense problem. This is a PHP issue, specifically with the file_get_contents function, line 98 in /usr/local/www/snort_download_rules.php
–> $text = file_get_contents("$URL_SNORT");
I am trying a temporary "solution" using curl instead of file_get_contents.
I have this in my script:
from /usr/local/www/snort_download_rules.php:
sleep(1);
$URL_SNORT="http://www.snort.org/pub-bin/downloads.cgi";
$ch = curl_init();
// do not include the response headers in the returned text
curl_setopt($ch, CURLOPT_HEADER, 0);
// return the response as a string instead of printing it
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_URL, $URL_SNORT);
$text = curl_exec($ch);
//$text = file_get_contents("$URL_SNORT",NULL);
echo "
-
Any update on this issue?
-
The issue lies in the fact that file_get_contents() does not send a user agent (or empty string), in this case.
I believe you are able to set the user agent in two ways:
- Specify the user agent in the php.ini (not checked)
- Specify the user agent in the script (checked - working)
An example would be (around line 98 /usr/local/www/snort_download_rules.php):
ini_set('user_agent','snort download script');
$text=file_get_contents("http://www.snort.org/pub-bin/downloads.cgi");
-
So can I get a confirmation on what is working of the scripts, or reinstallation? I have 1.2 Release with Snort installed a week ago.
-
I have tried both fixes (curl and ini_set - separately) but I am finding that it takes forever to download the rules files no matter what I use.
If I download the exact same URL that /usr/local/www/snort_download_rules.php is using at the same time but on a desktop that is on the LAN net behind pfSense, it downloads in a couple of minutes. (no caches involved)
Multiple attempts on the pfSense box return the same results.
Traffic shaper is turned off and pfSense is 1.2 prod.
ls on the temp dir (eg /tmp/snortRulesJ0rIr3/) shows it downloading, but very slow ..
-rw-r--r-- 1 root wheel 167363 Jun 14 20:02 snortrules-snapshot-CURRENT.tar.gz
-rw-r--r-- 1 root wheel 6637801 Jun 14 20:26 snortrules-snapshot-CURRENT.tar.gz
Once done, the rules file is a complete file, but Snort downloading seems to hang and does not download the md5 hash.
Is there any other additional hacking that needs to be done to the snort_download_rules.php file to allow it to progress?
Does anybody have the above fixes consistently working?
Thanks.
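-
Added example, not part of any post in this thread and not pfSense package code: the user-agent fix discussed above, written with a per-request stream context so the fetch also has a timeout and returns the HTTP status instead of only raising a warning. It assumes PHP 7 or later; the function names `http_status` and `fetch_with_agent` are hypothetical and the sample headers are constructed.

```php
<?php
// Added example: fetch a URL with an explicit User-Agent and a timeout, and
// report the HTTP status instead of relying on a file_get_contents() warning.

/** Return the numeric status of the final response in a header list. */
function http_status(array $headers): int
{
    $status = 0;
    foreach ($headers as $line) {
        // A redirect chain yields several status lines; keep the last one.
        if (preg_match('#^HTTP/\S+\s+(\d{3})#', $line, $m)) {
            $status = (int) $m[1];
        }
    }
    return $status;
}

/** Fetch $url; returns [status, body]. Status 0 means no HTTP response. */
function fetch_with_agent(string $url, string $agent, int $timeout = 30): array
{
    $ctx = stream_context_create(['http' => [
        'user_agent'    => $agent,    // per-request form of ini_set('user_agent', ...)
        'timeout'       => $timeout,  // read timeout in seconds
        'ignore_errors' => true,      // still return the body of a 4xx/5xx reply
    ]]);
    $body = @file_get_contents($url, false, $ctx);
    // The http:// wrapper fills $http_response_header in this scope.
    $headers = $http_response_header ?? [];
    return [http_status($headers), $body === false ? '' : $body];
}

// Constructed sample headers (not captured from snort.org): a redirect
// followed by the 403 reported in the thread.
$sample = [
    'HTTP/1.1 302 Found',
    'Location: /pub-bin/downloads.cgi',
    'HTTP/1.1 403 Forbidden',
    'Content-Type: text/html',
];
echo http_status($sample), "\n";

// Usage against a live server (URL and agent string are the ones quoted above):
// [$status, $text] = fetch_with_agent(
//     'http://www.snort.org/pub-bin/downloads.cgi', 'snort download script');
// if ($status !== 200) { error_log("rule page fetch failed: HTTP $status"); }
```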