Snort Updating issue (SSL)
-
@cmb:
this part:
@Merchant:Apr 5 14:01:45 pfsense.XXX.local nginx: 2016/04/05 14:01:45 [crit] 57647#0: *3189 SSL_write() failed (SSL:) (1: Operation not permitted) while sending to client, client: 192.168.0.246, server: , request: "POST /diag_resetstate.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "https://192.168.0.1/diag_resetstate.php"
is to be expected. When killing all states you kill your connection to nginx as well, which then can no longer use that TCP connection. Similar in any situation that would kill the state(s) of your connections to the GUI.
Hopefully bmeeks can chime in on the Snort update part. It ought to be using ca_root_nss automatically which should have a trusted cert for the Snort rules download, but not sure off the top of my head how that works and haven't checked the source.
thank you for reply
in this threadhttps://forum.pfsense.org/index.php?topic=109148.0
in the above thread i noticed few members saying snort is working okay for them with updating , any idea bmeeks why mine is not working ? should i move to suricata
-
Apr 5 14:01:45 pfsense.XXX.local nginx: 2016/04/05 14:01:45 [crit] 57647#0: *3189 SSL_write() failed (SSL:) (1: Operation not permitted) while sending to client, client: 192.168.0.246, server: , request: "POST /diag_resetstate.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "https://192.168.0.1/diag_resetstate.php"
i think this is not an snort problem..
PS:
my manually and automatic upgrade works fine in snort on both pfsense maschines (carp sync).
-
Apr 5 14:01:45 pfsense.XXX.local nginx: 2016/04/05 14:01:45 [crit] 57647#0: *3189 SSL_write() failed (SSL:) (1: Operation not permitted) while sending to client, client: 192.168.0.246, server: , request: "POST /diag_resetstate.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "https://192.168.0.1/diag_resetstate.php"
i think this is not an snort problem..
PS:
my manually and automatic upgrade works fine in snort on both pfsense maschines (carp sync).
thank you for replying . the above quoted by you is not snort issue ( i posted on post #2 )
Last 1000 General Log Entries. (Maximum 1000) Time Process PID Message Apr 6 10:39:39 php /etc/rc.packages: [Snort] Will retry in 15 seconds... Apr 6 10:39:39 php /etc/rc.packages: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate Apr 6 10:39:24 php /etc/rc.packages: [Snort] Will retry in 15 seconds... Apr 6 10:39:24 php /etc/rc.packages: [Snort] Rules download error: SSL certificate problem: unable to get local issuer certificate Apr 6 10:39:23 php /etc/rc.packages: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2980.tar.gz... Apr 6 10:39:21 php /etc/rc.packages: [Snort] Downloading and updating configured rule sets. Apr 6 10:39:21 php /etc/rc.packages: [Snort] Configuration version is current... Apr 6 10:39:21 php /etc/rc.packages: [Snort] Checking configuration settings version... Apr 6 10:39:21 php /etc/rc.packages: [Snort] Saved settings detected... rebuilding installation with saved settings. Apr 6 10:39:21 check_reload_status Syncing firewall Apr 6 10:39:21 php /etc/rc.packages: Beginning package installation for snort . Apr 6 10:39:20 pkg snort-2.9.8.0 installedi will try uninstall snort and install suricata
-
you can try this to reinstall all needed packages.. me helps to clear my todo ;)
/usr/sbin/pkg update -f /usr/sbin/pkg install -yf pkg pfSense pfSense-kernel-pfSense pfSense-base pfSense-default-configSven
PS:
Suricata not supported: openappid , and over 500 snort rules..
-
you can try this to reinstall all needed packages.. me helps to clear my todo ;)
/usr/sbin/pkg update -f /usr/sbin/pkg install -yf pkg pfSense pfSense-kernel-pfSense pfSense-base pfSense-default-configSven
PS:
Suricata not supported: openappid , and over 500 snort rules..
thank you for the info , i stick with snort
today after working hours i will try update to [code]Version 2.3.r.20160405.2024 is available.[/code] if doing command line upgrade using command you posted , like normal upgrade will it remove all the packages first then install updated pfsense and install packages again and restore settings ? -
@Merchant:
you can try this to reinstall all needed packages.. me helps to clear my todo ;)
/usr/sbin/pkg update -f /usr/sbin/pkg install -yf pkg pfSense pfSense-kernel-pfSense pfSense-base pfSense-default-configSven
PS:
Suricata not supported: openappid , and over 500 snort rules..
thank you for the info , i stick with snort
today after working hours i will try update to [code]Version 2.3.r.20160405.2024 is available.[/code] if doing command line upgrade using command you posted , like normal upgrade will it remove all the packages first then install updated pfsense and install packages again and restore settings ?/usr/sbin/pkg update -f Updating pfSense-core repository catalogue... Fetching meta.txz: 100% 940 B 0.9kB/s 00:01 Fetching packagesite.txz: 100% 2 KiB 1.9kB/s 00:01 Processing entries: 100% pfSense-core repository update completed. 9 packages processed. Updating pfSense repository catalogue... Fetching meta.txz: 100% 940 B 0.9kB/s 00:01 Fetching packagesite.txz: 100% 96 KiB 98.5kB/s 00:01 Processing entries: 100% pfSense repository update completed. 355 packages processed.update the local repository data
/usr/sbin/pkg install -yf pkg pfSense pfSense-kernel-pfSense pfSense-base pfSense-default-config Updating pfSense-core repository catalogue... pfSense-core repository is up-to-date. Updating pfSense repository catalogue... pfSense repository is up-to-date. All repositories are up-to-date. The following 4 package(s) will be affected (of 0 checked): Installed packages to be REINSTALLED: ...install force this packages not remove..
sven
-
@cmb:
this part:
@Merchant:Apr 5 14:01:45 pfsense.XXX.local nginx: 2016/04/05 14:01:45 [crit] 57647#0: *3189 SSL_write() failed (SSL:) (1: Operation not permitted) while sending to client, client: 192.168.0.246, server: , request: "POST /diag_resetstate.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php-fpm.socket", host: "192.168.0.1", referrer: "https://192.168.0.1/diag_resetstate.php"
is to be expected. When killing all states you kill your connection to nginx as well, which then can no longer use that TCP connection. Similar in any situation that would kill the state(s) of your connections to the GUI.
Hopefully bmeeks can chime in on the Snort update part. It ought to be using ca_root_nss automatically which should have a trusted cert for the Snort rules download, but not sure off the top of my head how that works and haven't checked the source.
Snort and Suricata both just use the internal system calls to download their updates (I think the functions are in pfsense-utils.inc, but can't remember off the top of my head if that's the right include file.). The code most definitely does not call that diag_resetstate.php page! I have no idea where that is coming from. I think if this was a package issue it would be happening for most, if not all users. I lean toward something being wrong on this particular user's install. I don't know what it might be, though.
Bill
-
today morning when i checked update status it was all updated
Snort VRT Rules 4be4f08437dbeb15b23fef3f6424b616 Thursday, 07-Apr-16 00:10:16 IST Snort GPLv2 Community Rules 34a4533fb98dd7b144e9619d7517aa3f Thursday, 07-Apr-16 00:10:16 IST Emerging Threats Open Rules 98ab30888e018a8795f1507e8b9f189d Wednesday, 06-Apr-16 10:42:39 IST Snort OpenAppID Detectors 52f5e20a3c67f2a4a1b9cbc14c2f02ac Thursday, 07-Apr-16 00:10:16 ISTStarting rules update... Time: 2016-04-05 15:08:16 Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2980.tar.gz'... Snort VRT rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort VRT rules will not be updated. Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5... Checking Snort OpenAppID detectors md5 file... There is a new set of Snort OpenAppID detectors posted. Downloading file 'snort-openappid.tar.gz'... Snort OpenAppID detectors file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort OpenAppID detectors will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Snort GPLv2 Community Rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort GPLv2 Community Rules will not be updated. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... There is a new set of Emerging Threats Open rules posted. Downloading file 'emerging.rules.tar.gz'... Starting rules update... Time: 2016-04-05 16:24:09 Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2980.tar.gz'... Snort VRT rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort VRT rules will not be updated. Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5... Checking Snort OpenAppID detectors md5 file... There is a new set of Snort OpenAppID detectors posted. Downloading file 'snort-openappid.tar.gz'... Snort OpenAppID detectors file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort OpenAppID detectors will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Snort GPLv2 Community Rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort GPLv2 Community Rules will not be updated. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... There is a new set of Emerging Threats Open rules posted. Downloading file 'emerging.rules.tar.gz'... Done downloading rules file. Extracting and installing Emerging Threats Open rules... Installation of Emerging Threats Open rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Updating rules configuration for: LAN ... The Rules update has finished. Time: 2016-04-05 16:27:59 Starting rules update... Time: 2016-04-05 18:23:56 Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2980.tar.gz'... Snort VRT rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort VRT rules will not be updated. Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5... Checking Snort OpenAppID detectors md5 file... There is a new set of Snort OpenAppID detectors posted. Downloading file 'snort-openappid.tar.gz'... Snort OpenAppID detectors file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort OpenAppID detectors will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Snort GPLv2 Community Rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort GPLv2 Community Rules will not be updated. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. The Rules update has finished. Time: 2016-04-05 18:27:08 Starting rules update... Time: 2016-04-06 00:05:00 Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2980.tar.gz'... Snort VRT rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort VRT rules will not be updated. Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5... Checking Snort OpenAppID detectors md5 file... There is a new set of Snort OpenAppID detectors posted. Downloading file 'snort-openappid.tar.gz'... Snort OpenAppID detectors file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort OpenAppID detectors will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Snort GPLv2 Community Rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort GPLv2 Community Rules will not be updated. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. The Rules update has finished. Time: 2016-04-06 00:08:17 Starting rules update... Time: 2016-04-06 09:59:35 Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2980.tar.gz'... Snort VRT rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort VRT rules will not be updated. Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5... Checking Snort OpenAppID detectors md5 file... There is a new set of Snort OpenAppID detectors posted. Downloading file 'snort-openappid.tar.gz'... Snort OpenAppID detectors file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort OpenAppID detectors will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Snort GPLv2 Community Rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort GPLv2 Community Rules will not be updated. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... There is a new set of Emerging Threats Open rules posted. Downloading file 'emerging.rules.tar.gz'... Starting rules update... Time: 2016-04-06 10:10:24 Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2980.tar.gz'... Snort VRT rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort VRT rules will not be updated. Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5... Checking Snort OpenAppID detectors md5 file... There is a new set of Snort OpenAppID detectors posted. Downloading file 'snort-openappid.tar.gz'... Snort OpenAppID detectors file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort OpenAppID detectors will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Snort GPLv2 Community Rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort GPLv2 Community Rules will not be updated. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... There is a new set of Emerging Threats Open rules posted. Downloading file 'emerging.rules.tar.gz'... Starting rules update... Time: 2016-04-06 10:39:21 Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2980.tar.gz'... Snort VRT rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort VRT rules will not be updated. Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5... Checking Snort OpenAppID detectors md5 file... There is a new set of Snort OpenAppID detectors posted. Downloading file 'snort-openappid.tar.gz'... Snort OpenAppID detectors file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort OpenAppID detectors will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Snort GPLv2 Community Rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort GPLv2 Community Rules will not be updated. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... There is a new set of Emerging Threats Open rules posted. Downloading file 'emerging.rules.tar.gz'... Done downloading rules file. Extracting and installing Emerging Threats Open rules... Installation of Emerging Threats Open rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Updating rules configuration for: LAN ... The Rules update has finished. Time: 2016-04-06 10:42:39 Starting rules update... Time: 2016-04-06 11:02:46 Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2980.tar.gz'... Snort VRT rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort VRT rules will not be updated. Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5... Checking Snort OpenAppID detectors md5 file... There is a new set of Snort OpenAppID detectors posted. Downloading file 'snort-openappid.tar.gz'... Snort OpenAppID detectors file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort OpenAppID detectors will not be updated. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Snort GPLv2 Community Rules file download failed. Server returned error 0. The error text was: SSL certificate problem: unable to get local issuer certificate Snort GPLv2 Community Rules will not be updated. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. The Rules update has finished. Time: 2016-04-06 11:05:55 Starting rules update... Time: 2016-04-07 00:05:00 Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5... Checking Snort VRT rules md5 file... There is a new set of Snort VRT rules posted. Downloading file 'snortrules-snapshot-2980.tar.gz'... Done downloading rules file. Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5... Checking Snort OpenAppID detectors md5 file... There is a new set of Snort OpenAppID detectors posted. Downloading file 'snort-openappid.tar.gz'... Done downloading rules file. Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5... Checking Snort GPLv2 Community Rules md5 file... There is a new set of Snort GPLv2 Community Rules posted. Downloading file 'community-rules.tar.gz'... Done downloading rules file. Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5... Checking Emerging Threats Open rules md5 file... Emerging Threats Open rules are up to date. Extracting and installing Snort VRT rules... Using Snort VRT precompiled SO rules for FreeBSD-10-0 ... Installation of Snort VRT rules completed. Extracting and installing Snort OpenAppID detectors... Installation of Snort OpenAppID detectors completed. Extracting and installing Snort GPLv2 Community Rules... Installation of Snort GPLv2 Community Rules completed. Copying new config and map files... Updating rules configuration for: WAN ... Updating rules configuration for: LAN ... The Rules update has finished. Time: 2016-04-07 00:10:32Last Update Apr-07 2016 00:10Result: Success -
Again same issue today , today i noticed auto daily snort updated failed , so when i tried manual update same error
Apr 11 18:15:59 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Snort OpenAppID detectors file download failed... server returned error '0'... Apr 11 18:15:59 php-fpm 12254 /snort/snort_download_updates.php: File 'snort-openappid.tar.gz' download attempts: 4 ... Apr 11 18:15:44 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds... Apr 11 18:15:44 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 11 18:15:29 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds... Apr 11 18:15:29 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 11 18:15:26 xinetd 26331 Reconfigured: new=0 old=1 dropped=0 (services) Apr 11 18:15:26 xinetd 26331 readjusting service 6969-udp Apr 11 18:15:26 xinetd 26331 Swapping defaults Apr 11 18:15:26 xinetd 26331 Starting reconfiguration Apr 11 18:15:25 check_reload_status Reloading filter Apr 11 18:15:14 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds... Apr 11 18:15:14 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 11 18:14:59 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Will retry in 15 seconds... Apr 11 18:14:59 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 11 18:14:57 php-fpm 12254 /snort/snort_download_updates.php: [Snort] There is a new set of Snort OpenAppID detectors posted. Downloading snort-openappid.tar.gz... Apr 11 18:14:56 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Snort VRT rules file download failed... server returned error '0'... Apr 11 18:14:56 php-fpm 12254 /snort/snort_download_updates.php: File 'snortrules-snapshot-2980.tar.gz' download attempts: 4 ...Rule Set Name/Publisher MD5 Signature Hash MD5 Signature Date Snort VRT Rules 4be4f08437dbeb15b23fef3f6424b616 Thursday, 07-Apr-16 00:10:16 IST Snort GPLv2 Community Rules 34a4533fb98dd7b144e9619d7517aa3f Thursday, 07-Apr-16 00:10:16 IST Emerging Threats Open Rules d7572b565b38b5ca9c16849b3fefb0d6 Saturday, 09-Apr-16 09:37:26 IST Snort OpenAppID Detectors 52f5e20a3c67f2a4a1b9cbc14c2f02ac Thursday, 07-Apr-16 00:10:16 ISTLast Update Apr-10 2016 00:07Result: FailedVersion 2.3-RC (amd64) built on Wed Apr 06 05:34:38 CDT 2016 FreeBSD 10.3-RELEASE Obtaining update statusName Category Version Actions darkstat net-mgmt 3.1.2_1 iftop net-mgmt 0.17_2 Lightsquid www 3.0.3_1 mailreport mail 3.0_1 pfBlockerNG net 2.0.9_1 RRD_Summary sysutils 1.3.1_2 snort security 3.2.9.1_10 squid www 0.4.16_2 squidGuard www 1.14_2 syslog-ng sysutils 1.1.2_2maybe because of this snort is not blocking threat
Interface Settings Overview Interface Snort Status Pattern Match Blocking Barnyard2 Status Description Actions WAN LOWMEM ENABLED DISABLED WAN LAN LOWMEM ENABLED DISABLED LANAlerts
Interface to Inspect WAN
Date Pri Proto Class Source IP SPort Destination IP DPort SID Description 04/11/16 18:20:25 1 TCP A Network Trojan was Detected 192.168.2.2 23872 123.125.114.8 80 1:2010066 ET POLICY Data POST to an image file (gif)In snort LAN interface its originating from android phone
but snort is not blocking the threat
Last 500 Hosts Blocked by Snort # IP Alert Descriptions and Event Times Remove There are currently no hosts being blocked by Snort.IP address info showing the IP from china
http://www.infobyip.com/ip-123.125.114.8.htmlhttps://www.virustotal.com/en/ip-address/123.125.114.8/information/ -
You are having an SSL cURL error:
Apr 11 18:14:59 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chainMaybe you need to make an exception in squid? It's failing on a "self-signed certificate".
-
As BBcan177 stated, you have a problem with the SSL certificate chain on that firewall and not a Snort package problem. Your update errors are not Snort related. You have a broken SSL certificate chain. The error message plainly states that as well.
Bill
-
i updated my firewall proxy rule and now its working , will check few days
btw in system logs i find
Apr 12 11:08:25 snort 98430 WARNING: /usr/local/etc/snort/snort_11346_em0/rules/snort.rules(890) threshold (in rule) is deprecated; use detection_filter instead.Apr 12 11:08:25 snort 97987 WARNING: /usr/local/etc/snort/snort_21557_ste0/rules/snort.rules(1131) threshold (in rule) is deprecated; use detection_filter instead. Apr 12 11:08:25 snort 97987 Initializing rule chains... -
Still facing issue with blocking offenders
Last 250 Alert Log Entries Date Pri Proto Class Source IP SPort Destination IP DPort SID Description 04/12/16 13:30:39 1 TCP Potential Corporate Privacy Violation 192.168.2.2 4577 54.230.191.47 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 13:26:07 1 UDP Potential Corporate Privacy Violation 192.168.2.2 42180 188.183.144.164 26363 1:2008581 ET P2P BitTorrent DHT ping request 04/12/16 13:19:00 1 UDP Potential Corporate Privacy Violation 192.168.2.2 32733 110.55.67.168 34242 1:2008581 ET P2P BitTorrent DHT ping request 04/12/16 12:30:37 1 TCP Potential Corporate Privacy Violation 192.168.2.2 12010 54.230.191.192 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 12:09:14 1 UDP Potential Corporate Privacy Violation 192.168.2.2 44624 195.154.8.133 6881 1:2008581 ET P2P BitTorrent DHT ping request 04/12/16 11:43:00 1 TCP Potential Corporate Privacy Violation 192.168.2.2 24472 54.230.191.163 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 11:30:38 1 TCP Potential Corporate Privacy Violation 192.168.2.2 3136 54.230.191.169 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 11:08:37 1 UDP Potential Corporate Privacy Violation 192.168.2.2 45122 91.121.96.123 51413 1:2008581 ET P2P BitTorrent DHT ping request 04/12/16 10:30:47 1 TCP Potential Corporate Privacy Violation 192.168.2.2 22779 54.230.190.172 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:46 1 TCP Potential Corporate Privacy Violation 192.168.2.2 48540 80.94.76.5 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:46 1 TCP Potential Corporate Privacy Violation 192.168.2.2 31562 82.221.103.245 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:45 1 TCP Potential Corporate Privacy Violation 192.168.2.2 44123 54.230.190.167 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:45 1 TCP Potential Corporate Privacy Violation 192.168.2.2 47535 173.254.195.58 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:45 1 TCP Potential Corporate Privacy Violation 192.168.2.2 60572 54.230.191.159 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:45 1 TCP Potential Corporate Privacy Violation 192.168.2.2 39180 80.94.76.5 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:40 1 TCP Potential Corporate Privacy Violation 192.168.2.2 18747 54.230.191.163 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:38 1 TCP Potential Corporate Privacy Violation 192.168.2.2 29431 52.84.198.229 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:37 1 TCP Potential Corporate Privacy Violation 192.168.2.2 40167 111.119.17.254 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:37 1 TCP Potential Corporate Privacy Violation 192.168.2.2 12509 111.119.17.253 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:22 1 TCP Potential Corporate Privacy Violation 192.168.2.2 9461 67.215.246.203 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 10:30:22 1 TCP Potential Corporate Privacy Violation 192.168.2.2 48950 173.254.195.58 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:40:04 1 TCP Potential Corporate Privacy Violation 192.168.2.2 5448 111.119.17.253 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:40:04 1 TCP Potential Corporate Privacy Violation 192.168.2.2 39642 111.119.17.254 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:57 1 TCP Potential Corporate Privacy Violation 192.168.2.2 52213 67.215.246.203 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:57 1 TCP Potential Corporate Privacy Violation 192.168.2.2 41794 54.230.190.172 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:57 1 TCP Potential Corporate Privacy Violation 192.168.2.2 29484 80.94.76.5 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:57 1 TCP Potential Corporate Privacy Violation 192.168.2.2 53677 67.215.246.203 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:56 1 TCP Potential Corporate Privacy Violation 192.168.2.2 29777 173.254.195.58 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:56 1 TCP Potential Corporate Privacy Violation 192.168.2.2 11758 111.119.17.254 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:56 1 TCP Potential Corporate Privacy Violation 192.168.2.2 40463 54.230.191.169 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:55 1 TCP Potential Corporate Privacy Violation 192.168.2.2 56369 80.94.76.5 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:49 1 TCP Potential Corporate Privacy Violation 192.168.2.2 61210 54.230.191.18 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:49 1 TCP Potential Corporate Privacy Violation 192.168.2.2 3696 54.230.190.237 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:48 1 TCP Potential Corporate Privacy Violation 192.168.2.2 59978 52.84.198.229 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:47 1 TCP Potential Corporate Privacy Violation 192.168.2.2 54855 111.119.17.254 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/12/16 09:39:47 1 UDP Potential Corporate Privacy Violation 192.168.2.2 50163 58.182.0.93 11101 1:2008581 ET P2P BitTorrent DHT ping request 04/11/16 19:07:35 1 TCP Potential Corporate Privacy Violation 192.168.2.2 27886 54.230.191.75 80 1:2012247 ET P2P BTWebClient UA uTorrent in use 04/11/16 18:53:29 1 TCP A Network Trojan was Detected 192.168.2.2 58238 123.125.114.8 80 1:2010066 ET POLICY Data POST to an image file (gif) 04/11/16 18:31:05 1 TCP A Network Trojan was Detected 192.168.2.2 36910 123.125.114.8 80 1:2010066 ET POLICY Data POST to an image file (gif) 04/11/16 18:30:31 1 TCP A Network Trojan was Detected 192.168.2.2 61223 123.125.114.8 80 1:2010066 ET POLICY Data POST to an image file (gif) 04/11/16 18:20:25 1 TCP A Network Trojan was Detected 192.168.2.2 23872 123.125.114.8 80 1:2010066 ET POLICY Data POST to an image file (gif)None is blocked
Last 500 Hosts Blocked by Snort # IP Alert Descriptions and Event Times Remove There are currently no hosts being blocked by Snort.all issue started after updating from stable to RC , is there any way to completely wipe and install snort , i already tried reinstall but not worked
-
To totally remove Snort and start with a clean slate, go to the GLOBAL SETTINGS tab and uncheck the box near the bottom for saving settings when uninstalling. That will cause all traces of the Snort configuration to be removed when you uninstall the package. So uncheck this box, save the change, then go to System > Packages and remove the Snort package.
Now when you install the package again, it will be a total green-field install with no previous settings. In other words, everything you had configured in the past will be wiped out in terms of the Snort configuration.
Bill
-
Thank you , now snort is working perfect :) , thank you
-
You are having an SSL cURL error:
Apr 11 18:14:59 php-fpm 12254 /snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chainMaybe you need to make an exception in squid? It's failing on a "self-signed certificate".
i have Block rule as shown in pic which allows direct connection , I am using squid with wpad (Non transparent ) so there shouldnt b self signed cert error
Rule Set Name/Publisher MD5 Signature Hash MD5 Signature Date Snort VRT Rules b93880acfbcdd064ad894a1bfb9bc500 Wednesday, 20-Apr-16 00:09:30 IST Snort GPLv2 Community Rules fb7314e7d71c8cd3fcdf821fec9e01bc Friday, 15-Apr-16 14:53:43 IST Emerging Threats Open Rules 8ccb168cfdb2fe0d4a4f805b840e345d Sunday, 24-Apr-16 00:07:15 IST Snort OpenAppID Detectors 6575e2e2d2ae00cfd2d6726538f8deaa Friday, 15-Apr-16 14:53:43 ISTfor me issue started after upgrading to 2.3
then due to this issue i even did a fresh install and still i am facing the same issue on fresh install , help
Time Process PID Message Apr 25 10:00:10 php [pfBlockerNG] No changes to Firewall rules, skipping Filter Reload Apr 25 10:00:00 php [pfBlockerNG] Starting cron process. Apr 25 09:45:23 check_reload_status Syncing firewall Apr 25 09:45:23 php-cgi snort_check_for_rule_updates.php: [Snort] The Rules update has finished. Apr 25 09:45:23 php-cgi snort_check_for_rule_updates.php: [Snort] Removed 0 obsoleted rules category files. Apr 25 09:45:23 php-cgi snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories. Apr 25 09:45:23 php-cgi snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date... Apr 25 09:45:22 php-cgi snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file download failed... server returned error '0'... Apr 25 09:45:22 php-cgi snort_check_for_rule_updates.php: File 'community-rules.tar.gz' download attempts: 4 ... Apr 25 09:45:07 php-cgi snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds... Apr 25 09:45:07 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 25 09:44:52 php-cgi snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds... Apr 25 09:44:52 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 25 09:44:37 php-cgi snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds... Apr 25 09:44:37 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 25 09:44:22 php-cgi snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds... Apr 25 09:44:22 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 25 09:44:20 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz... Apr 25 09:44:19 php-cgi snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date... Apr 25 09:44:18 php-cgi snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed... server returned error '0'... Apr 25 09:44:18 php-cgi snort_check_for_rule_updates.php: File 'snortrules-snapshot-2980.tar.gz' download attempts: 4 ... Apr 25 09:44:03 php-cgi snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds... Apr 25 09:44:03 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 25 09:43:48 php-cgi snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds... Apr 25 09:43:48 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 25 09:43:45 php-cgi servicewatchdog_cron.php: Could not send the message to info@cbdatasource.com -- Error: 535 Incorrect authentication data Apr 25 09:43:33 php-cgi snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds... Apr 25 09:43:33 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 25 09:43:15 php-cgi snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds... Apr 25 09:43:15 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain Apr 25 09:43:14 php-cgi snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2980.tar.gz... Apr 25 09:43:07 xinetd 22114 Reconfigured: new=0 old=1 dropped=0 (services)
-
Firewall rules have nothing at all to do with your Snort rules update problem. It is complaining about the certificate trust chain. There either is, or your configuration makes cURL think there is, a self-signed certificate in the chain.
Have you tried removing Squid entirely for a test to see if the rules download then? The Snort code uses the built-in system function cURL() to download updates. That function is called with a parameter set to verify SSL peers (in other words, check the certification trust chain). That check is failing on your system because of the some specific configuration you have. My bet is the problem is with Squid.
Bill
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.