Snort not updating?

tekkon

I tried altering 'server.max-write-idle'. Didn't work for me.

2008-12-31 21:20:18: (log.c.97) server started
2008-12-31 21:36:01: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 720 seconds. If this a problem increase server.max-write-idle
2008-12-31 21:39:55: (log.c.97) server started
2008-12-31 21:42:24: (network_openssl.c.221) SSL (error): 5 0 22 Unknown error: 0
2008-12-31 21:42:24: (connections.c.606) connection closed: write failed on fd 16
2008-12-31 22:32:08: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2008-12-31 22:32:08: (connections.c.606) connection closed: write failed on fd 11
2008-12-31 22:32:09: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2008-12-31 22:32:09: (connections.c.606) connection closed: write failed on fd 15
2008-12-31 22:40:56: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 3600 seconds. If this a problem increase server.max-write-idle
2008-12-31 22:45:20: (connections.c.132) (warning) close: 19 Socket is not connected
2008-12-31 23:03:50: (server.c.1247) NOTE: a request for /snort_download_rules.php timed out after writing 15678 bytes. We waited 3600 seconds. If this a problem increase server.max-write-idle

I try download the update with firefox. The update is over 50Mb. I'll try "server.max-write-idle      =  14400" next to see if I'll can complete the update this time.

adrianhensler

You can watch in the /tmp folder after your start your download; there is a snortRulesxxxx named temp folder and you can watch the download complete in there.  That was you can get a time estimate of what your tmieout value should be.  The download seemed to complete in 8 minutes from my location so giving it a value of 12 minutes seemed the right thing to do.

tekkon

Thanks for the tip adrianhensler.
Finally gotten snort to update after more than 12 hours with multiple md5 checksum failures.

The webConfigurator can be restarted from the pfSense console setup (cli main menu).

Still some problems with snort. Whenever I open the snort blocked list (https://10.0.0.138/snort_blocked.php) the webgui would hang.

This is /var/lor/lighttpd.error.log while whe webgui hang.

2008-12-31 23:39:21: (log.c.97) server started
2009-01-01 01:10:15: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-01 01:10:15: (connections.c.606) connection closed: write failed on fd 11
2009-01-01 01:23:47: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-01 01:23:47: (connections.c.606) connection closed: write failed on fd 13
2009-01-01 11:03:15: (connections.c.132) (warning) close: 18 Connection reset by peer
2009-01-01 16:10:12: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-01 16:10:12: (connections.c.606) connection closed: write failed on fd 11
2009-01-01 17:13:19: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-01 17:13:19: (connections.c.606) connection closed: write failed on fd 13
2009-01-01 17:17:42: (log.c.97) server started
2009-01-01 19:10:13: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-01 19:10:13: (connections.c.606) connection closed: write failed on fd 11
2009-01-01 22:51:56: (connections.c.132) (warning) close: 12 Socket is not connected
2009-01-02 01:13:58: (mod_fastcgi.c.2618) FastCGI-stderr: XML error at line 1, check URL

2009-01-02 02:37:06: (connections.c.132) (warning) close: 12 Socket is not connected
2009-01-03 00:21:58: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:21:58: (connections.c.606) connection closed: write failed on fd 11
2009-01-03 00:22:00: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:22:00: (connections.c.606) connection closed: write failed on fd 19
2009-01-03 00:22:00: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:22:00: (connections.c.606) connection closed: write failed on fd 27
2009-01-03 00:22:03: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:22:03: (connections.c.606) connection closed: write failed on fd 35
2009-01-03 00:36:25: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:25: (connections.c.606) connection closed: write failed on fd 14
2009-01-03 00:36:26: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:26: (connections.c.606) connection closed: write failed on fd 22
2009-01-03 00:36:26: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:26: (connections.c.606) connection closed: write failed on fd 29
2009-01-03 00:36:42: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:42: (connections.c.606) connection closed: write failed on fd 16
2009-01-03 00:36:44: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:44: (connections.c.606) connection closed: write failed on fd 21
2009-01-03 00:36:44: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:36:44: (connections.c.606) connection closed: write failed on fd 31
2009-01-03 00:38:53: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:38:53: (connections.c.606) connection closed: write failed on fd 13
2009-01-03 00:38:54: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:38:54: (connections.c.606) connection closed: write failed on fd 25
2009-01-03 00:38:54: (network_openssl.c.110) SSL: 5 -1 1 Operation not permitted
2009-01-03 00:38:54: (connections.c.606) connection closed: write failed on fd 33
2009-01-03 12:33:55: (connections.c.262) SSL: -1 5 54 Connection reset by peer

drarkanex

Snort updating is not working for me either.

I'm on a t1 with 6 voice streams and 1 128k Data stream so the internet is rather slow.  with the default settings, i get the timeout after 360 seconds and it's probably due to the file is too large so adding the server.max-write-idle results in the Web server not responding to any requests, meaning, when I add that line and restart the webconfigurator or even reboot the firewall, I go for the pfSense webapp and it sits there for 30 sec and times out.  Putting "server.max-write-idle = "360"  results in the same.  Take the line completely out resolves the web server not coming up issue but i'm not able to download snort rules.  what gives?

** UPDATE **

What I was able to do was download the CURRENT snapshot of the ruleset and I copied it to /usr/local/etc/snort and untarred it there.  Seems like it's working now but I had to do it manually.  Having it update from the pfsense webapp on my slow connection was taking way too long so I guess manual is the way to go for this setup.

eethore

i have the same trouble…

uninstalling snort

hiks...hiks... :'(

darwinmach

@tekkon:

Still some problems with snort. Whenever I open the snort blocked list (https://10.0.0.138/snort_blocked.php) the webgui would hang.

I see the same issues. Also noticed that while it gets stuck… a PHP process goes up to 100% CPU load.

I tried using the blocked page on HTTP instead of HTTPS, as the logs seem to indicate the the issue is with OpenSSL, still the same issue.

Can anyone tell me where the snort_blocked.php file is located? I kinda want to take a look at it...

adrianhensler

# find / -name snort_blocked.php
/usr/local/www/snort_blocked.php

:)

darwinmach

cool thanks :P

Darkk

@darwinmach:

@tekkon:

Still some problems with snort. Whenever I open the snort blocked list (https://10.0.0.138/snort_blocked.php) the webgui would hang.

I see the same issues. Also noticed that while it gets stuck… a PHP process goes up to 100% CPU load.

I tried using the blocked page on HTTP instead of HTTPS, as the logs seem to indicate the the issue is with OpenSSL, still the same issue.

Can anyone tell me where the snort_blocked.php file is located? I kinda want to take a look at it...

At first I thought maybe I have an older hardware like PIII with 512MB of ram but seeing this glad to know I am not the only one experiencing this.

Visseroth

I'd like to state that I am having the same problem. The furthest I get is "Downloading current snort rules….." and nothing happens after that. It shows the link at which it is downloading and nothing.

If anyone has any ideas I have 2 routers that are doing the exact same thing that we can test on. Feel free to contact me via ëmal visseroth  a t  g mail  d 0 t  c0m.

jimp

@Visseroth:

I'd like to state that I am having the same problem. The furthest I get is "Downloading current snort rules….." and nothing happens after that. It shows the link at which it is downloading and nothing.

If anyone has any ideas I have 2 routers that are doing the exact same thing that we can test on. Feel free to contact me via ëmal visseroth  a t  g mail  d 0 t  c0m.

Try this:
http://doc.pfsense.org/index.php/Why_won%27t_snort_properly_download_rules%3F

Which also links to this relevant forum post:
http://forum.pfsense.org/index.php/topic,13333.0.html

Visseroth

Well I highly doubt that it's a slow network problem as I have 6Meg down and it's consistent and I have tried updating numerous times before consulting the forums but none the less, I am going to update to the 1.2.3 and see what happens. I'll post back shortly if it fixes my oinker.

Edit:
OK, so I downloaded 1.2.3-2 update as of the 15th and it breaks my firewall enough that I can not get any internet through the firewall and PfSense complains that it's unable to load some rules so I am taking it back to 1.2.2 until the 1.2.3 final is released, I just wish that Snort would quite breaking between releases and updates.

Question: When is the 1.2.3 release expected and if it'll be a while is there a temporary fix for this issue that seems to be plaguing everyone?

tomom

Snort package is working in 1.2.2? Updating is fixed?

Visseroth

Nope, not that I've noticed. I have 3 boxes that are not updating correctly. They get stuck at updating and will gradually say downloading but that's as far as it ever gets.

At this point any suggestions are greatly appreciated as I have found no answers that work.

Darkk

I wonder if Snort have an issue with MySQL as it uses it to create tables and keeping track of the blocks.

drarkanex

Snort Updating is fixed in Current 2.0 alpha.  I haven't had a problem with it thus far.

Visseroth

That's great but 2.0 is still alpha, when is it going beta and when is it going to be final?