    Snort can't download Snort VRT Rules [solved]

      MarkVLK

      I was getting the same 422 error last night but this morning it was working for me as well. I assume they were just making some changes on their end.

        Mr. Jingles

        Mine still refuses to download the paid subscription rules right now in Suricata. In Snort there doesn't seem to be this problem  :o

        Is there perhaps a way to manually set the new update URL somewhere?

        Thank you  :P

        6 and a half billion people know that they are stupid, aggressive, lower life forms.

          bmeeks

          @Hollander:

          Mine still refuses to download the paid subscription rules right now in Suricata. In Snort there doesn't seem to be this problem  :o

          Is there perhaps a way to manually set the new update URL somewhere?

          Thank you  :P

          You can manually edit this file:  /usr/local/pkg/suricata/suricata.inc

          Look for this line near the top of the file:  define('VRT_DNLD_FILENAME', 'snortrules-snapshot-edge.tar.gz');

          This is the filename it downloads.

          To change the URL, edit this file: /usr/local/www/suricata/suricata_check_for_rule_updates.php

          Look for this line near the top:
          if (!defined("VRT_DNLD_URL"))
              define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");

          This is the URL it downloads from.

          EDIT UPDATE
          Just took a look at the Snort.org web site and they have really changed things up since I last signed in.  Both Snort and Suricata will need a little tweaking to work going forward.  Looks like the snort_edge rules I was using for Suricata are completely gone now on the new site.  So the Suricata file will need to be edited as I indicated above and the filename changed.  I will work on a quick update and submit a Pull Request in the next few days.

          Bill

            Mr. Jingles

            @bmeeks:

            @Hollander:

            Mine still refuses to download the paid subscription rules right now in Suricata. In Snort there doesn't seem to be this problem  :o

            Is there perhaps a way to manually set the new update URL somewhere?

            Thank you  :P

            You can manually edit this file:  /usr/local/pkg/suricata/suricata.inc

            Look for this line near the top of the file:  define('VRT_DNLD_FILENAME', 'snortrules-snapshot-edge.tar.gz');

            This is the filename it downloads.

            To change the URL, edit this file: /usr/local/www/suricata/suricata_check_for_rule_updates.php

            Look for this line near the top:
            if (!defined("VRT_DNLD_URL"))
                define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");

            This is the URL it downloads from.

            EDIT UPDATE
            Just took a look at the Snort.org web site and they have really changed things up since I last signed in.  Both Snort and Suricata will need a little tweaking to work going forward.  Looks like the snort_edge rules I was using for Suricata are completely gone now on the new site.  So the Suricata file will need to be edited as I indicated above and the filename changed.  I will work on a quick update and submit a Pull Request in the next few days.

            Bill

            Thank you very much, Bill, I'll look forward to your update  ;D

            Bill, on another note, could I ask: did you happen to see what your fellow-hero Jflsakfja wrote in this thread:

            https://forum.pfsense.org/index.php?topic=78062.msg427132#msg427132

            Note to bmeeks: Pretty please bring back the old way of handling manually disabled rules. Manually disabling a rule from either the alerts tab or the rules page, should turn the rule into a manually disabled rule (pale yellow). Currently the rules page turns it into the rule's default state. This is NOT recommended when using this list. Having both setting to manually disabled, allows the list to be used as it was meant to be used. Enable all, then find the 10 that need to be disabled, disable them, and apply. Rinse, repeat

            This morning I started with disabling some Suricata rules, and then understood what Jfl meant; it appears something has changed ever since the old way of working, but it is indeed more cumbersome now; you have to click twice instead of once to disable a rule (and then wait until pfSense is ready again). And with so many rules to disable (Jfl's tutorial), that is not really very comfortable  :-[

            Could you be persuaded to switch it back to the old way of working?

            Thank you  ;D

            6 and a half billion people know that they are stupid, aggressive, lower life forms.

              bmeeks

              @Hollander:

              @bmeeks:

              @Hollander:

              Mine still refuses to download the paid subscription rules right now in Suricata. In Snort there doesn't seem to be this problem  :o

              Is there perhaps a way to manually set the new update URL somewhere?

              Thank you  :P

              You can manually edit this file:  /usr/local/pkg/suricata/suricata.inc

              Look for this line near the top of the file:  define('VRT_DNLD_FILENAME', 'snortrules-snapshot-edge.tar.gz');

              This is the filename it downloads.

              To change the URL, edit this file: /usr/local/www/suricata/suricata_check_for_rule_updates.php

              Look for this line near the top:
              if (!defined("VRT_DNLD_URL"))
                  define("VRT_DNLD_URL", "https://www.snort.org/reg-rules/");

              This is the URL it downloads from.

              EDIT UPDATE
              Just took a look at the Snort.org web site and they have really changed things up since I last signed in.  Both Snort and Suricata will need a little tweaking to work going forward.  Looks like the snort_edge rules I was using for Suricata are completely gone now on the new site.  So the Suricata file will need to be edited as I indicated above and the filename changed.  I will work on a quick update and submit a Pull Request in the next few days.

              Bill

              Thank you very much, Bill, I'll look forward to your update  ;D

              Bill, on another note, could I ask: did you happen to see what your fellow-hero Jflsakfja wrote in this thread:

              https://forum.pfsense.org/index.php?topic=78062.msg427132#msg427132

              Note to bmeeks: Pretty please bring back the old way of handling manually disabled rules. Manually disabling a rule from either the alerts tab or the rules page, should turn the rule into a manually disabled rule (pale yellow). Currently the rules page turns it into the rule's default state. This is NOT recommended when using this list. Having both setting to manually disabled, allows the list to be used as it was meant to be used. Enable all, then find the 10 that need to be disabled, disable them, and apply. Rinse, repeat

              This morning I started with disabling some Suricata rules, and then understood what Jfl meant; it appears something has changed ever since the old way of working, but it is indeed more cumbersome now; you have to click twice instead of once to disable a rule (and then wait until pfSense is ready again). And with so many rules to disable (Jfl's tutorial), that is not really very comfortable  :-[

              Could you be persuaded to switch it back to the old way of working?

              Thank you  ;D

              Yes, I can see about bringing back the old behavior.  But I also want to at least include a mechanism for resetting any forced rules back to their default state with "no color".  So that probably means another icon on the page.  I will try out some ideas.

              Bill

                Mr. Jingles

                @bmeeks:

                Yes, I can see about bringing back the old behavior.  But I also want to at least include a mechanism for resetting any forced rules back to their default state with "no color".  So that probably means another icon on the page.  I will try out some ideas.

                Bill

                Heroes will remain Heroes  ;D

                6 and a half billion people know that they are stupid, aggressive, lower life forms.

                  jonna99

                  Hi!
                  I have been unable to download VRT-rules since July 10. I run three different machines, and one of them, with paid Subscriber rules, gets error code 422. The other two with free Registered User rules work fine.

                  Jonna

                    bmeeks

                    @jonna99:

                    Hi!
                    I have been unable to download VRT-rules since July 10. I run three different machines, and one of them, with paid Subscriber rules, gets error code 422. The other two with free Registered User rules work fine.

                    Jonna

                    My paid VRT downloads still work.  Are you positive that your subscription is still current?  Just checking… ;).

                    I had one failure of the paid VRT download during the window when the Snort group had web site issues, but since those were fixed several days ago I've not had any other problems.

                    Bill

                      jonna99

                      Yes, thanks :-) it is paid for about another 6 months, so that shouldn't be the problem. Tried un- and reinstalling Snort-package, but no, doesn't work.
                      I read that there will be an upgrade to 2.9.6.1 soon so I guess I just have to wait and see if that will fix it.

                      Jonna

                        bmeeks

                        @jonna99:

                        Yes, thanks :-) it is paid for about another 6 months, so that shouldn't be the problem. Tried un- and reinstalling Snort-package, but no, doesn't work.
                        I read that there will be an upgrade to 2.9.6.1 soon so I guess I just have to wait and see if that will fix it.

                        Jonna

                        One other thing – try deleting and re-adding your Oink code on the paid rules box just in case it got corrupted.  And you do have two different Oink codes, I assume:  one for the paid subscription and another for the free registered user subscription.

                        One other question -- are you using the current Snort 2.9.6.0 pkg v3.0.13 version?

                        Bill

                          jonna99

                          Yes, different Oink-codes. Works with free subscription but not with paid… I have sent a question to Snort.org but still haven't got an answer. I guess it must have to do with my subscription. We will see. And yes, 2.9.6.0 pkg v3.0.13 confirmed.
                          Thanks for trying to help
                          Jonna

                            bmeeks

                            @jonna99:

                            Yes, different Oink-codes. Works with free subscription but not with paid… I have sent a question to Snort.org but still haven't got an answer. I guess it must have to do with my subscription. We will see. And yes, 2.9.6.0 pkg v3.0.13 confirmed.
                            Thanks for trying to help
                            Jonna

                            OK.  I really wonder if it might be something weird with your code.  Mine works, and so far as I know, most everyone else's here on the Forum works now or I would expect a ton of posts.  Post back with any update.

                            Bill

                              jonna99

                              Yes there was a problem with the paid account. After resetting and getting a new oink-code it works again.
                              Thanks again
                              Jonna

                                propel

                                Snort 2.9.6.2  pkg v3.1 is now available under package downloads

                                After I updated Snort, my VRT rules downloaded.

                                  bmeeks

                                  @propel:

                                  Snort 2.9.6.2  pkg v3.1 is now available under package downloads

                                  After I updated Snort, my VRT rules downloaded.

                                  The new version addresses the URL change at snort.org and also the older rules went EOL yesterday.

                                  Bill

                                    thewellington

                                    How do I get the new version?  The only package available to me is 2.9.6.0 pkg v3.0.13

                                    I don't seem to be able to use 2.9.6.3 via the gui.

                                      bmeeks

                                      @thewellington:

                                      How do I get the new version?  The only package available to me is 2.9.6.0 pkg v3.0.13

                                      I don't seem to be able to use 2.9.6.3 via the gui.

                                      This tells me you are probably running an older version of pfSense (like 2.0.x something).  Versions older than 2.1 are no longer supported as the underlying binary packages required for 2.0.x pfSense are no longer being built by the pfSense team.

                                      If this is the case for you, then you need to upgrade to at least pfSense 2.1 or higher to use the latest Snort package.

                                      Bill

                                        thewellington

                                        Yeah…  except that I am running 2.1.4 :(

                                        This seems to be affecting both Netgate appliances I have... APU2 and a 7541

                                        Bill

                                          bmeeks

                                          @thewellington:

                                          Yeah…  except that I am running 2.1.4 :(

                                          This seems to be affecting both Netgate appliances I have... APU2 and a 7541

                                          Bill

                                          OK, the fact you have Netgate devices gives me a possible clue. I believe (but I don't know for sure) they may have a separate updates infrastructure for Netgate devices to maintain compatibility with their hardware.  If my guess is true, it may be their repository has not yet synchronized with the latest version.  If you have a support contract, give them this info and see if they can help.  If not, perhaps you can ping one of the pfSense developers who frequent this forum.

                                          Bill

                                            ypmict

                                            Hi…
                                            I am also facing this problem. I am using:
                                            pfsense 2.0.1
                                            snort 2.9.6.2 pkg v3.1.4 (using the free oinkcode)

                                            the error log says :

                                            Starting rules update...  Time: 2014-11-10 10:33:28
                                            Downloading Snort VRT rules md5 file snortrules-snapshot-2923.tar.gz.md5...
                                            Snort VRT rules md5 download failed.
                                            Server returned error code 422.
                                            Server error message was:
                                            Snort VRT rules will not be updated.

                                            ...anyone know what the problem is?
                                            I also tried registering a different account for an oinkcode, but it still shows the error...
                                            thanks

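The update log quoted in the last post shows what a failed rule download looks like; a sensor in that state keeps inspecting traffic with stale signatures. The following sh/awk functions are an added example (not from the thread or from the Snort package) that list failed runs in such a log. The line formats are taken from that excerpt, the second and third sample runs are constructed, and the log path is an argument because the thread does not name it.

```shell
#!/bin/sh
# Added example; line formats follow the log excerpt quoted in the thread.

# Reads a log on stdin; prints "timestamp|rule set|file|HTTP code" per failure.
failed_updates() {
    awk '
        /^Starting rules update/ {
            # New run: keep its timestamp and reset per-download state.
            ts = $0; sub(/^.*Time: */, "", ts)
            file = "-"; code = "-"
        }
        /^Downloading .* file / {
            # Last field is the file name followed by "...".
            file = $NF; sub(/\.\.\.$/, "", file)
            code = "-"
        }
        /^Server returned error code [0-9]+\.$/ {
            code = $5; sub(/\.$/, "", code)
        }
        / will not be updated\.$/ {
            ruleset = $0; sub(/ will not be updated\.$/, "", ruleset)
            printf "%s|%s|%s|%s\n", ts, ruleset, file, code
            file = "-"; code = "-"
        }
    '
}

# Succeeds (exit 0) when the log file given as $1 contains a failed update.
rules_are_stale() {
    [ -n "$(failed_updates < "$1")" ]
}

# Sample input. Run 1 is the excerpt from the thread; runs 2 and 3 are
# constructed: one with no failure, one failing without an HTTP code.
sample_log() {
    cat <<'EOF'
Starting rules update...  Time: 2014-11-10 10:33:28
Downloading Snort VRT rules md5 file snortrules-snapshot-2923.tar.gz.md5...
Snort VRT rules md5 download failed.
Server returned error code 422.
Server error message was:
Snort VRT rules will not be updated.
Starting rules update...  Time: 2014-11-11 10:33:30
Downloading Snort VRT rules md5 file snortrules-snapshot-2923.tar.gz.md5...
Starting rules update...  Time: 2014-11-12 10:33:31
Downloading Snort VRT rules md5 file snortrules-snapshot-2923.tar.gz.md5...
Snort VRT rules md5 download failed.
Snort VRT rules will not be updated.
EOF
}

# With a log path argument, report on that file; otherwise run the sample.
if [ "$#" -gt 0 ]; then
    failed_updates < "$1"
else
    sample_log | failed_updates
fi
```

In this thread a 422 was resolved once by resetting the Oinkcode and once by updating the package, so the code column alone does not identify the cause.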