Netgate Discussion Forum
    Snort not updating?

    pfSense Packages
      tekkon

      I tried altering 'server.max-write-idle'. Didn't work for me.

      2008-12-31 21:20:18: (log.c.97) server started
      2008-12-31 21:36:01: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 720 seconds. If this a problem increase server.max-write-idle
      2008-12-31 21:39:55: (log.c.97) server started
      2008-12-31 21:42:24: (network_openssl.c.221) SSL (error): 5 0 22 Unknown error: 0
      2008-12-31 21:42:24: (connections.c.606) connection closed: write failed on fd 16
      2008-12-31 22:32:08: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
      2008-12-31 22:32:08: (connections.c.606) connection closed: write failed on fd 11
      2008-12-31 22:32:09: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
      2008-12-31 22:32:09: (connections.c.606) connection closed: write failed on fd 15
      2008-12-31 22:40:56: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 3600 seconds. If this a problem increase server.max-write-idle
      2008-12-31 22:45:20: (connections.c.132) (warning) close: 19 Socket is not connected
      2008-12-31 23:03:50: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 3600 seconds. If this a problem increase server.max-write-idle
      

      I tried to download the update with Firefox. The update is over 50Mb. I'll try "server.max-write-idle      =  14400" next to see if I can complete the update this time.

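A way to read the timeout records in a log like the one posted above, as an added example that is not part of the original post or of pfSense: it parses the lighttpd error-log lines and reports, per URL, how long the server waited and how many bytes had been written each time. The sample lines are copied from the post; the function and field names are assumptions made for this example.

```python
import re
from collections import defaultdict

# Lines copied from the lighttpd error log quoted in the post above.
SAMPLE_LOG = """\
2008-12-31 21:20:18: (log.c.97) server started
2008-12-31 21:36:01: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 720 seconds. If this a problem increase server.max-write-idle
2008-12-31 21:39:55: (log.c.97) server started
2008-12-31 21:42:24: (network_openssl.c.221) SSL (error): 5 0 22 Unknown error: 0
2008-12-31 21:42:24: (connections.c.606) connection closed: write failed on fd 16
2008-12-31 22:40:56: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 3600 seconds. If this a problem increase server.max-write-idle
2008-12-31 23:03:50: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 3600 seconds. If this a problem increase server.max-write-idle
"""

# Record layout: "<date> <time>: (<source file>.<line>) <message>"
LINE = re.compile(r"^(\S+ \S+): \(([^)]+)\) (.*)$")
TIMEOUT = re.compile(
    r"a request for (\S+) timed out after writing (\d+) bytes\. We waited (\d+) seconds"
)


def summarize(log_text):
    """Summarise write-idle timeouts per URL, plus server starts and failed writes."""
    hits = defaultdict(list)
    server_starts = write_failures = 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank line or text that is not a log record
        msg = m.group(3)
        t = TIMEOUT.search(msg)
        if t:
            hits[t.group(1)].append((int(t.group(2)), int(t.group(3))))
        elif msg == "server started":
            server_starts += 1
        elif msg.startswith("connection closed: write failed"):
            write_failures += 1
    timeouts = {
        url: {
            "count": len(rows),
            # One byte count across several waits: a longer timeout got no further.
            "bytes_written": sorted({b for b, _ in rows}),
            "waited_seconds": sorted({w for _, w in rows}),
        }
        for url, rows in hits.items()
    }
    return {"timeouts": timeouts, "server_starts": server_starts,
            "write_failures": write_failures}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```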
        adrianhensler

        You can watch in the /tmp folder after you start your download; there is a snortRulesxxxx named temp folder and you can watch the download complete in there.  That way you can get a time estimate of what your timeout value should be.  The download seemed to complete in 8 minutes from my location so giving it a value of 12 minutes seemed the right thing to do.

          tekkon

          Thanks for the tip adrianhensler.
          Finally gotten snort to update after more than 12 hours with multiple md5 checksum failures.

          The webConfigurator can be restarted from the pfSense console setup (cli main menu).

          Still some problems with snort. Whenever I open the snort blocked list (https://10.0.0.138/snort_blocked.php) the webgui would hang.

          This is /var/log/lighttpd.error.log while the webgui hangs.

          2008-12-31 23:39:21: (log.c.97) server started
          2009-01-01 01:10:15: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-01 01:10:15: (connections.c.606) connection closed: write failed on fd 11
          2009-01-01 01:23:47: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-01 01:23:47: (connections.c.606) connection closed: write failed on fd 13
          2009-01-01 11:03:15: (connections.c.132) (warning) close: 18 Connection reset by peer
          2009-01-01 16:10:12: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-01 16:10:12: (connections.c.606) connection closed: write failed on fd 11
          2009-01-01 17:13:19: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-01 17:13:19: (connections.c.606) connection closed: write failed on fd 13
          2009-01-01 17:17:42: (log.c.97) server started
          2009-01-01 19:10:13: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-01 19:10:13: (connections.c.606) connection closed: write failed on fd 11
          2009-01-01 22:51:56: (connections.c.132) (warning) close: 12 Socket is not connected
          2009-01-02 01:13:58: (mod_fastcgi.c.2618) FastCGI-stderr: XML error at line 1, check URL
          
          2009-01-02 02:37:06: (connections.c.132) (warning) close: 12 Socket is not connected
          2009-01-03 00:21:58: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:21:58: (connections.c.606) connection closed: write failed on fd 11
          2009-01-03 00:22:00: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:22:00: (connections.c.606) connection closed: write failed on fd 19
          2009-01-03 00:22:00: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:22:00: (connections.c.606) connection closed: write failed on fd 27
          2009-01-03 00:22:03: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:22:03: (connections.c.606) connection closed: write failed on fd 35
          2009-01-03 00:36:25: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:36:25: (connections.c.606) connection closed: write failed on fd 14
          2009-01-03 00:36:26: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:36:26: (connections.c.606) connection closed: write failed on fd 22
          2009-01-03 00:36:26: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:36:26: (connections.c.606) connection closed: write failed on fd 29
          2009-01-03 00:36:42: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:36:42: (connections.c.606) connection closed: write failed on fd 16
          2009-01-03 00:36:44: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:36:44: (connections.c.606) connection closed: write failed on fd 21
          2009-01-03 00:36:44: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:36:44: (connections.c.606) connection closed: write failed on fd 31
          2009-01-03 00:38:53: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:38:53: (connections.c.606) connection closed: write failed on fd 13
          2009-01-03 00:38:54: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:38:54: (connections.c.606) connection closed: write failed on fd 25
          2009-01-03 00:38:54: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
          2009-01-03 00:38:54: (connections.c.606) connection closed: write failed on fd 33
          2009-01-03 12:33:55: (connections.c.262) SSL: -1 5 54 Connection reset by peer
          
            drarkanex

            Snort updating is not working for me either.

            I'm on a T1 with 6 voice streams and 1 128k data stream, so the internet is rather slow.  With the default settings, I get the timeout after 360 seconds, and it's probably because the file is too large, so adding the server.max-write-idle results in the web server not responding to any requests; meaning, when I add that line and restart the webConfigurator or even reboot the firewall, I go to the pfSense webapp and it sits there for 30 sec and times out.  Putting "server.max-write-idle = "360"  results in the same.  Taking the line out completely resolves the web server not coming up issue, but I'm not able to download snort rules.  What gives?

            ** UPDATE **

            What I was able to do was download the CURRENT snapshot of the ruleset and I copied it to /usr/local/etc/snort and untarred it there.  Seems like it's working now but I had to do it manually.  Having it update from the pfsense webapp on my slow connection was taking way too long so I guess manual is the way to go for this setup.

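For the manual route described above (download the ruleset snapshot, then untar it under /usr/local/etc/snort), together with the MD5 failures mentioned earlier in the thread, an added example that is not from the thread or the pfSense package: it refuses to unpack an archive whose digest does not match and rejects members that would land outside the destination. The function names and the small sample archive are constructed for this example; the expected digest is assumed to come from the rules publisher.

```python
import hashlib
import io
import os
import tarfile


def md5_of(path, chunk=1 << 20):
    """Stream the file so a 50 MB ruleset is never held in memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_and_extract(tarball, expected_md5, dest):
    """Unpack tarball into dest only if the digest matches and paths stay in dest."""
    # MD5 catches a truncated or corrupted download, not a deliberately forged file.
    actual = md5_of(tarball)
    if actual != expected_md5.strip().lower():
        raise ValueError(f"checksum mismatch: got {actual}")
    dest_real = os.path.realpath(dest)
    with tarfile.open(tarball, "r:*") as tar:
        members = tar.getmembers()
        for m in members:
            target = os.path.realpath(os.path.join(dest_real, m.name))
            if os.path.commonpath([dest_real, target]) != dest_real:
                raise ValueError(f"unsafe path in archive: {m.name}")
            if not (m.isfile() or m.isdir()):
                raise ValueError(f"unexpected member type: {m.name}")
        tar.extractall(dest_real, members=members)
    return [m.name for m in members if m.isfile()]


def make_sample_tarball(path, names):
    """Build a tiny constructed archive standing in for the real download."""
    data = b"# constructed sample rule file\n"
    with tarfile.open(path, "w:gz") as tar:
        for name in names:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return md5_of(path)
```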
              eethore

              I have the same trouble…

              uninstalling snort

              hiks...hiks... :'(

                darwinmach

                @tekkon:

                Still some problems with snort. Whenever I open the snort blocked list (https://10.0.0.138/snort_blocked.php) the webgui would hang.

                I see the same issues. Also noticed that while it gets stuck… a PHP process goes up to 100% CPU load.

                I tried using the blocked page on HTTP instead of HTTPS, as the logs seem to indicate that the issue is with OpenSSL, still the same issue.

                Can anyone tell me where the snort_blocked.php file is located? I kinda want to take a look at it...

                  adrianhensler

                  # find / -name snort_blocked.php
                  /usr/local/www/snort_blocked.php
                  
                  

                  :)

                    darwinmach

                    cool thanks :P

                      Darkk

                      @darwinmach:

                      @tekkon:

                      Still some problems with snort. Whenever I open the snort blocked list (https://10.0.0.138/snort_blocked.php) the webgui would hang.

                      I see the same issues. Also noticed that while it gets stuck… a PHP process goes up to 100% CPU load.

                      I tried using the blocked page on HTTP instead of HTTPS, as the logs seem to indicate that the issue is with OpenSSL, still the same issue.

                      Can anyone tell me where the snort_blocked.php file is located? I kinda want to take a look at it...

                      At first I thought maybe I have older hardware like a PIII with 512MB of RAM, but seeing this, I'm glad to know I am not the only one experiencing this.

                        Visseroth

                        I'd like to state that I am having the same problem. The furthest I get is "Downloading current snort rules….." and nothing happens after that. It shows the link at which it is downloading and nothing.

                        If anyone has any ideas I have 2 routers that are doing the exact same thing that we can test on. Feel free to contact me via ëmal visseroth  a t  g mail  d 0 t  c0m.

                          jimp Rebel Alliance Developer Netgate

                          @Visseroth:

                          I'd like to state that I am having the same problem. The furthest I get is "Downloading current snort rules….." and nothing happens after that. It shows the link at which it is downloading and nothing.

                          If anyone has any ideas I have 2 routers that are doing the exact same thing that we can test on. Feel free to contact me via ëmal visseroth  a t  g mail  d 0 t  c0m.

                          Try this:
                          http://doc.pfsense.org/index.php/Why_won%27t_snort_properly_download_rules%3F

                          Which also links to this relevant forum post:
                          http://forum.pfsense.org/index.php/topic,13333.0.html

                            Visseroth

                            Well, I highly doubt that it's a slow network problem as I have 6Meg down and it's consistent, and I have tried updating numerous times before consulting the forums, but nonetheless, I am going to update to the 1.2.3 and see what happens. I'll post back shortly if it fixes my oinker.

                            Edit:
                            OK, so I downloaded 1.2.3-2 update as of the 15th and it breaks my firewall enough that I cannot get any internet through the firewall, and pfSense complains that it's unable to load some rules, so I am taking it back to 1.2.2 until the 1.2.3 final is released. I just wish that Snort would quit breaking between releases and updates.

                            Question: When is the 1.2.3 release expected and if it'll be a while is there a temporary fix for this issue that seems to be plaguing everyone?

                              tomom

                              Snort package is working in 1.2.2? Updating is fixed?

                                Visseroth

                                Nope, not that I've noticed. I have 3 boxes that are not updating correctly. They get stuck at updating and will gradually say downloading but that's as far as it ever gets.

                                At this point any suggestions are greatly appreciated as I have found no answers that work.

                                  Darkk

                                  I wonder if Snort has an issue with MySQL as it uses it to create tables and keeping track of the blocks.

                                    drarkanex

                                    Snort Updating is fixed in Current 2.0 alpha.  I haven't had a problem with it thus far.

                                      Visseroth

                                      That's great but 2.0 is still alpha, when is it going beta and when is it going to be final?

                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.