Snort VRT rule issues in Snort & Suricata – "Server returned error code 422."
-
Thank you to both of you, I didn't know these tarballs were for different versions; being an economist I am educated to +1 ( ;D ), so I noobly assumed the version number would simply increase +1 with every new update.
Which brings me to: which snapshot should I use for the latest Suricata? My Suricata is 2.1.5, should I always simply use the latest Snort snapshot for the latest Suricata?
Truth be known, I suspect the Suricata people would really rather folks use the Emerging Threats (ET) rules anyway. ET provides monetary support to the Suricata project. So far as I know, the Sourcefire/Cisco/Snort folks do not provide financial support to Suricata. Snort and Suricata are in a sort of friendly competition, you could say…
Bill
JFL in the past also recommended to use Suricata rules. What I'm doing is currently simply testing Suricata on PPPoE (WAN1) and running Snort on cable/DHCP (WAN2). The reason for that being Snort has more rules than Suricata has (a remark from you in the past, Bill, about Suricata not parsing +/- 700 Snort rules).
I once had a (rather boring) email conversation with the ET-people about their pricing (which is ridiculous for home users and SMB's).
I tried to explain in simple terms why we invented a so-called demand curve in economics. They seemed not to have had an introduction to Economics 101, nor did they appear interested in one. I do recall my last email being something like this: "let me attempt in a different way to explain what I mean: would you rather sell to 10 customers at 1500 / year, or to 100.000 customers at 1 / year, given your marginal costs in this digital line of products are next to zero?".
I never got an answer back.
Yes, the world hates us because "we caused the financial crisis" (no, we did not; we have warned about this since 1972; crooked banksters and corrupted politicians (by definition not real economists) caused this mess), but we do have some useful tools in our tool bag. There's a reason so many startups fail in their first 5 years.
( ;D ;D ;D )
Bye :P
-
Snort free rules are not downloading since June 16th. Anyone else?
Downloading Snort VRT rules md5 file snortrules-snapshot-2970.tar.gz.md5... Snort VRT rules md5 download failed. Server returned error code 422. Server error message was: Snort VRT rules will not be updated.
-
@G.D.:
Snort free rules are not downloading since June 16th.
I just downloaded them 60 minutes ago. MD5: 55718e94de95408ec54566dcb993c67c. You are downloading nonexistent snapshot.
-
@G.D.:
Snort free rules are not downloading since June 16th.
I just downloaded them 60 minutes ago. MD5: 55718e94de95408ec54566dcb993c67c. You are downloading nonexistent snapshot.
Thanks. What do I need to tweak to fix this?
pfSense 2.1.5-RELEASE (amd64)
Snort 2.9.7.0 pkg v3.2.3
-
@G.D.:
Thanks. What do I need to tweak to fix this?
pfSense 2.1.5-RELEASE (amd64)
Snort 2.9.7.0 pkg v3.2.3
The current package version is 3.2.5 on 2.2.x and 2.9.7.2 pkg v3.2.4 on 2.1.x.
-
Upgraded to 2.9.7.2 and it seems to have fixed the issue.
Starting rules update... Time: 2015-07-01 12:42:38
Downloading Snort VRT rules md5 file snortrules-snapshot-2972.tar.gz.md5...
Checking Snort VRT rules md5 file...
There is a new set of Snort VRT rules posted.
Downloading file 'snortrules-snapshot-2972.tar.gz'...
Done downloading rules file.
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Checking Emerging Threats Open rules md5 file...
There is a new set of Emerging Threats Open rules posted.
Downloading file 'emerging.rules.tar.gz'...
Done downloading rules file.
Extracting and installing Snort VRT rules...
Using Snort VRT precompiled SO rules for FreeBSD-8-1 ...
Installation of Snort VRT rules completed.
Extracting and installing Emerging Threats Open rules...
Installation of Emerging Threats Open rules completed.
Copying new config and map files...
Updating rules configuration for: WAN ...
Updating rules configuration for: LAN ...
The Rules update has finished. Time: 2015-07-01 12:46:15
So, what happened, they retired the 2.9.7.0 version? I hope 2.9.7.2 stays working, as this seems to be the last version for pfSense 2.1.5…
Thanks!
-
@G.D.:
Upgraded to 2.9.7.2 and it seems to have fixed the issue.
So, what happened, they retired the 2.9.7.0 version? I hope 2.9.7.2 stays working, as this seems to be the last version for pfSense 2.1.5…
Thanks!
Yes, the Snort Team has a life cycle program for each version of Snort, and the Snort rules packages are tied to specific versions of the Snort binary. So 2.9.7.0 has gone EOL along with its rules tarball. The current Snort version is 2.9.7.3.
Due to other life cycle issues with FreeBSD 8.3 (which is the code base for pfSense 2.1 and earlier), new packages no longer compile properly for pfSense 2.1.x. So that's why Snort is frozen at 2.9.7.2 on pfSense 2.1. You need to bite the bullet and upgrade to pfSense 2.2.x, otherwise Snort will eventually stop working on 2.1.x pfSense (because you won't be able to get new rules updates).
Bill
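The mechanics Bill describes, as an added example that is not code from the pfSense Snort package or from anyone in this thread: the VRT snapshot file name is derived from the Snort binary version (2.9.7.0 gives snortrules-snapshot-2970.tar.gz, 2.9.7.2 gives snortrules-snapshot-2972.tar.gz), the updater first fetches the small .md5 sidecar, compares it with the digest it stored last time to decide whether "a new set of Snort VRT rules" is posted, and only accepts a downloaded tarball whose MD5 matches. An HTTP 422 on the .md5 fetch is what the thread's logs show when the snapshot for an EOL version no longer exists. The base URL, the oinkcode query parameter and the sample tarball bytes are assumptions made for illustration, not taken from the thread.

```python
"""
Added example (not the pfSense Snort package's own code): how the VRT
snapshot name follows the Snort binary version, how the .md5 sidecar
drives the "new rules posted" decision, and how a download status is read.
Assumptions, labelled as such: the base URL and oinkcode parameter are
placeholders; the sample tarball is constructed, not a real rules file.
"""
import hashlib
import re

SNORT_RULES_BASE = "https://www.snort.org/rules"  # assumption: placeholder base URL


def snapshot_name(snort_version: str) -> str:
    """Map a Snort binary version such as '2.9.7.2' to the tarball name seen in
    the thread's logs, 'snortrules-snapshot-2972.tar.gz': the four numeric
    components are concatenated without dots."""
    parts = snort_version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Snort version string: {snort_version!r}")
    return f"snortrules-snapshot-{''.join(parts)}.tar.gz"


def snapshot_urls(snort_version: str, oinkcode: str) -> tuple:
    """Return (tarball URL, md5 sidecar URL).
    The oinkcode query parameter is an assumption about the download endpoint."""
    name = snapshot_name(snort_version)
    return (f"{SNORT_RULES_BASE}/{name}?oinkcode={oinkcode}",
            f"{SNORT_RULES_BASE}/{name}.md5?oinkcode={oinkcode}")


def parse_md5_file(text: str) -> str:
    """Extract the 32-hex-digit digest from a .md5 sidecar. Accepts both a bare
    digest and the md5sum-style 'digest  filename' layout."""
    m = re.search(r"\b([0-9a-fA-F]{32})\b", text)
    if not m:
        raise ValueError("no MD5 digest found in .md5 file")
    return m.group(1).lower()


def rules_update_needed(stored_md5_text: str, remote_md5_text: str) -> bool:
    """'There is a new set of Snort VRT rules posted' means the digest just
    fetched differs from the one saved after the previous successful update.
    A missing stored digest (first run) always triggers a download."""
    if not stored_md5_text.strip():
        return True
    return parse_md5_file(stored_md5_text) != parse_md5_file(remote_md5_text)


def tarball_matches_md5(tarball: bytes, md5_text: str) -> bool:
    """True only when the downloaded tarball hashes to the digest in the sidecar;
    a mismatch means a truncated or corrupted download and the file must not be
    extracted."""
    return hashlib.md5(tarball).hexdigest() == parse_md5_file(md5_text)


def classify_md5_download(status: int) -> str:
    """Interpret the HTTP status from fetching the .md5 sidecar. 200 and 422 are
    the two cases this thread documents (422 = the snapshot for this Snort
    version is no longer published); the other buckets are this example's own
    reading of ordinary HTTP semantics and are not stated in the thread."""
    if status == 200:
        return "ok"
    if status == 422:
        return "snapshot not published for this Snort version (EOL?)"
    if status in (401, 403):
        return "credentials (oinkcode) rejected"  # assumption
    if status == 404:
        return "file not found"
    return f"unexpected HTTP {status}"


# Constructed sample data so the module runs offline; not a real rules tarball.
SAMPLE_TARBALL = b"constructed sample bytes standing in for a rules tarball\n"


def sample_md5_text() -> str:
    """The .md5 sidecar that would accompany SAMPLE_TARBALL (md5sum layout)."""
    return hashlib.md5(SAMPLE_TARBALL).hexdigest() + "  snortrules-snapshot-2972.tar.gz\n"


if __name__ == "__main__":
    print(snapshot_name("2.9.7.0"), "->", classify_md5_download(422))
    print(snapshot_name("2.9.7.2"), "->", classify_md5_download(200))
    print("update needed:", rules_update_needed("", sample_md5_text()))
    print("tarball ok:", tarball_matches_md5(SAMPLE_TARBALL, sample_md5_text()))
```

One caveat worth keeping in mind when reading the update log: the MD5 comparison is a change-detection and corruption check, not authentication. The sidecar and the tarball come from the same server over the same channel, so anyone who could tamper with one could tamper with both; what protects the download from tampering is TLS to the rules server, not the digest.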
-
How do you do a manual upgrade of the Snort package? I'm running pfSense 2.1.5 and can't afford to upgrade beyond 2.1.5 because anything beyond 2.1.5 breaks the Squid proxy with the traffic-shaping limiter.
Please advise and thank you in advance.
-
Yes, the Snort VRT will periodically deprecate older rules packages. Each version of Snort (and the associated rules tarball) have a life cycle of support. At EOL (End of Life), they quit posting rules updates for the older versions of Snort.
You will need to move up to pfSense 2.2.x to keep using the Snort package. I expect them to drop 2.9.7.2 rules support in the not too distant future. You can visit the Snort web site and they post the EOL dates for each version someplace there. Might have to search a bit to find it as it's not always easy to locate.
Bill
-
Still running 2.1.5-RELEASE (i386)
On Sep 09 I upgraded to Snort 2.9.7.2 pkg v2.9.7.2 pkg v3.2.5, VRT Rules never downloaded
Sep 13 04:17:01 php: snort_check_for_rule_updates.php: [Snort] Server returned error code 422...
Sep 13 04:17:01 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules md5 download failed...
-
Still running 2.1.5-RELEASE (i386)
On Sep 09 I upgraded to Snort 2.9.7.2 pkg v2.9.7.2 pkg v3.2.5, VRT Rules never downloaded
Sep 13 04:17:01 php: snort_check_for_rule_updates.php: [Snort] Server returned error code 422...
Sep 13 04:17:01 php: snort_check_for_rule_updates.php: [Snort] Snort VRT rules md5 download failed...
You must upgrade both pfSense and then the Snort package. The Snort VRT has discontinued support of the older rules. Each version of Snort has a life cycle, and at the end of the life cycle for a particular version they stop providing rules packages for that version.
Bill
-
Created a PR to get this removed from the 2.1.x packages feed, since the package is useless now.
https://github.com/pfsense/pfsense-packages/pull/1065