Snort can't download Snort VRT Rules [solved]
-
Hello there!
New to pfsense (just installed for the first time yesterday). So far it's running great.
I've also installed Snort, and seem to have an issue downloading Snort VRT Rules. The following is the output of the log:
Starting rules update… Time: 2014-07-09 19:02:31
Downloading Snort VRT rules md5 file snortrules-snapshot-2960.tar.gz.md5...
Snort VRT rules md5 download failed.
Server returned error code 422.
Server error message was:
Snort VRT rules will not be updated.
I also noticed that Snort has gone through a facelift today (July 9th) … according to their blog anyway. http://blog.snort.org/
Is anyone else facing the same issue? I noticed some of their pages don't work too.
Thanks!
-
Hello dmitripr,
With Snort's re-organization, they moved some of the URLs around. I think they have since fixed this issue.
But we might have to adjust the URL in the future as I am not sure how long the old URL will continue to be accessible.
http://seclists.org/snort/2014/q3/121
EDIT:
If it still fails, try a "FORCE" update.
-
I checked this morning and it started working. Must have been a glitch due to their recent changes.
Thanks!
-
I will keep an eye on this and adjust the package URL as necessary. Will be starting work on updating to 2.9.6.1 any day now. I can include any URL changes in the new release.
Bill
-
I was getting the same 422 error last night but this morning it was working for me as well. I assume they were just making some changes on their end.
-
Mine still refuses to download the paid subscription rules right now in Suricata. In Snort there doesn't seem to be this problem :o
Is there perhaps a way to manually set the new update URL somewhere?
Thank you :P
-
@Hollander:
You can manually edit this file: /usr/local/pkg/suricata/suricata.inc
Look for this line near the top of the file: define('VRT_DNLD_FILENAME', 'snortrules-snapshot-edge.tar.gz');
This is the filename it downloads.
To change the URL, edit this file: /usr/local/www/suricata/suricata_check_for_rule_updates.php
Look for this line near the top: if (!defined("VRT_DNLD_URL"))
define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");
This is the URL it downloads from.
EDIT UPDATE
Just took a look at the Snort.org web site and they have really changed things up since I last signed in. Both Snort and Suricata will need a little tweaking to work going forward. Looks like the snort_edge rules I was using for Suricata are completely gone now on the new site. So the Suricata file will need to be edited as I indicated above and the filename changed. I will work on a quick update and submit a Pull Request in the next few days.
Bill
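The following is an added example, not Bill's code and not code from the pfSense Snort/Suricata packages. It mirrors the order of operations visible in the log at the top of the thread (fetch the tarball's .md5 first, compare it with what is installed, only then fetch the full tarball) and shows why a non-200 answer such as the "error code 422" above has to abort the run rather than being parsed as a digest. Everything not stated in the thread is an assumption: that the .md5 file carries the 32-hex digest as its first whitespace-separated token, that the server accepts the oinkcode as a ?oinkcode= query parameter, and the LOCAL_TARBALL path. RULES_URL and FILENAME stand in for VRT_DNLD_URL and VRT_DNLD_FILENAME from suricata.inc / snort.inc.

```shell
#!/bin/sh
# Added example, not the pfSense package's own code. Mirrors the package's
# update check: fetch <tarball>.md5, compare it to the installed tarball, and
# refuse to proceed on any HTTP status other than 200 (e.g. the 422 in the
# thread), so an error page is never mistaken for a digest.
# Assumptions (not from the thread): .md5 layout, ?oinkcode= query parameter,
# and the LOCAL_TARBALL location. Set RULES_URL/FILENAME from VRT_DNLD_URL and
# VRT_DNLD_FILENAME in suricata.inc / snort.inc.

RULES_URL="${RULES_URL:-https://www.snort.org/reg-rules/}"
FILENAME="${FILENAME:-snortrules-snapshot-2960.tar.gz}"
OINKCODE="${OINKCODE:-}"                        # secret: keep it out of logs
LOCAL_TARBALL="${LOCAL_TARBALL:-/tmp/$FILENAME}" # assumed path to last good download

# Portable MD5 of a file: md5sum on Linux, md5 -q on FreeBSD (what pfSense runs).
file_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Extract the digest from a downloaded .md5 file. Accepts "<hash>" or
# "<hash>  <filename>". Prints the lowercase hash; returns 1 if the file does
# not start with a 32-character hex digest (e.g. it is really an HTML error page).
parse_md5_file() {
    digest=$(awk 'NR==1 {print tolower($1)}' "$1")
    case "$digest" in
        ""|*[!0-9a-f]*) return 1 ;;
    esac
    [ ${#digest} -eq 32 ] || return 1
    printf '%s\n' "$digest"
}

# Decide what to do with an installed tarball given the server's .md5 file.
# Prints exactly one of: up-to-date, need-update, bad-md5.
rules_status() {
    md5file=$1
    tarball=$2
    remote=$(parse_md5_file "$md5file") || { echo bad-md5; return 0; }
    [ -f "$tarball" ] || { echo need-update; return 0; }
    if [ "$remote" = "$(file_md5 "$tarball")" ]; then
        echo up-to-date
    else
        echo need-update
    fi
}

# Download <FILENAME>.md5 to $1. Echoes the HTTP status for the log and fails
# on anything but 200, so an error body is never handed to parse_md5_file.
fetch_md5() {
    status=$(curl -sS -o "$1" -w '%{http_code}' \
        "${RULES_URL}${FILENAME}.md5?oinkcode=${OINKCODE}") || status=000
    echo "server returned $status"
    [ "$status" = 200 ]
}

# Only touches the network when explicitly asked, so the functions above can
# be sourced and exercised offline.
if [ "${RUN_RULES_CHECK:-0}" = 1 ]; then
    tmp=$(mktemp) || exit 1
    if fetch_md5 "$tmp"; then
        echo "rules status: $(rules_status "$tmp" "$LOCAL_TARBALL")"
    else
        echo "Snort VRT rules md5 download failed; rules will not be updated."
    fi
    rm -f "$tmp"
fi
```

Run it as `RUN_RULES_CHECK=1 OINKCODE=<your code> sh check-rules.sh` to reproduce the package's first step by hand; a "server returned 422" line followed by the failure message is the same condition the package log reports, and a `bad-md5` result means the server answered 200 with something that is not a digest.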
-
Thank you very much, Bill, I'll look forward to your update ;D
Bill, on another note, could I ask: did you happen to see what your fellow-hero Jflsakfja wrote in this thread:
https://forum.pfsense.org/index.php?topic=78062.msg427132#msg427132
Note to bmeeks: Pretty please bring back the old way of handling manually disabled rules. Manually disabling a rule from either the alerts tab or the rules page, should turn the rule into a manually disabled rule (pale yellow). Currently the rules page turns it into the rule's default state. This is NOT recommended when using this list. Having both setting to manually disabled, allows the list to be used as it was meant to be used. Enable all, then find the 10 that need to be disabled, disable them, and apply. Rinse, repeat
This morning I started with disabling some Suricata rules, and then understood what Jfl meant; it appears something has changed ever since the old way of working, but it is indeed more cumbersome now; you have to click twice instead of once to disable a rule (and then wait until pfSense is ready again). And with so many rules to disable (Jfl's tutorial), that is not really very comfortable :-[
Could you be persuaded to switch it back to the old way of working?
Thank you ;D
-
Yes, I can see about bringing back the old behavior. But I also want to at least include a mechanism for resetting any forced rules back to their default state with "no color". So that probably means another icon on the page. I will try out some ideas.
Bill
-
Heroes will remain Heroes ;D
-
Hi!
I have been unable to download VRT-rules since July 10. I run three different machines, and one of them, with paid Subscriber rules, gets error code 422. The other two with free Registered User rules work fine.
Jonna
-
My paid VRT downloads still work. Are you positive that your subscription is still current? Just checking… ;).
I had one failure of the paid VRT download during the window when the Snort group had web site issues, but since those were fixed several days ago I've not had any other problems.
Bill
-
Yes, thanks :-) it is paid for about another 6 months, so that shouldn't be the problem. Tried un- and reinstalling the Snort package, but no, doesn't work.
I read that there will be an upgrade to 2.9.6.1 soon so I guess I just have to wait and see if that will fix it.
Jonna
-
One other thing – try deleting and re-adding your Oink code on the paid rules box just in case it got corrupted. And you do have two different Oink codes, I assume: one for the paid subscription and another for the free registered user subscription.
One other question -- are you using the current Snort 2.9.6.0 pkg v3.0.13 version?
Bill
-
Yes, different Oink-codes. Works with free subscription but not with paid… I have sent a question to Snort.org but still haven't got an answer. I guess it must have to do with my subscription. We will see. And yes, 2.9.6.0 pkg v3.0.13 confirmed.
Thanks for trying to help
Jonna
-
OK. I really wonder if it might be something weird with your code. Mine works, and so far as I know, most everyone else's here on the Forum works now or I would expect a ton of posts. Post back with any update.
Bill
-
Yes there was a problem with the paid account. After resetting and getting a new oink-code it works again.
Thanks again
Jonna
-
Snort 2.9.6.2 pkg v3.1 is now available under package downloads
after I updated snort my VRT Rules downloaded.
-
The new version addresses the URL change at snort.org; the older rules also went EOL yesterday.
Bill
-
How do I get the new version? The only package available to me is 2.9.6.0 pkg v3.0.13
I don't seem to be able to use 2.9.6.3 via the gui.