Netgate Discussion Forum

    Snort Updating issue (SSL)

    IDS/IPS
    22 Posts 5 Posters 6.5k Views
    • Abhishek

      This morning when I checked the update status, it was all updated:

      
      Rule Set Name/Publisher	MD5 Signature Hash	MD5 Signature Date
      Snort VRT Rules	4be4f08437dbeb15b23fef3f6424b616	Thursday, 07-Apr-16 00:10:16 IST
      Snort GPLv2 Community Rules	34a4533fb98dd7b144e9619d7517aa3f	Thursday, 07-Apr-16 00:10:16 IST
      Emerging Threats Open Rules	98ab30888e018a8795f1507e8b9f189d	Wednesday, 06-Apr-16 10:42:39 IST
      Snort OpenAppID Detectors	52f5e20a3c67f2a4a1b9cbc14c2f02ac	Thursday, 07-Apr-16 00:10:16 IST
      
      
      Starting rules update...  Time: 2016-04-05 15:08:16
      	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
      	Checking Snort VRT rules md5 file...
      	There is a new set of Snort VRT rules posted.
      	Downloading file 'snortrules-snapshot-2980.tar.gz'...
      	Snort VRT rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort VRT rules will not be updated.
      	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      	Checking Snort OpenAppID detectors md5 file...
      	There is a new set of Snort OpenAppID detectors posted.
      	Downloading file 'snort-openappid.tar.gz'...
      	Snort OpenAppID detectors file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort OpenAppID detectors will not be updated.
      	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      	Checking Snort GPLv2 Community Rules md5 file...
      	There is a new set of Snort GPLv2 Community Rules posted.
      	Downloading file 'community-rules.tar.gz'...
      	Snort GPLv2 Community Rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort GPLv2 Community Rules will not be updated.
      	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      	Checking Emerging Threats Open rules md5 file...
      	There is a new set of Emerging Threats Open rules posted.
      	Downloading file 'emerging.rules.tar.gz'...
      Starting rules update...  Time: 2016-04-05 16:24:09
      	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
      	Checking Snort VRT rules md5 file...
      	There is a new set of Snort VRT rules posted.
      	Downloading file 'snortrules-snapshot-2980.tar.gz'...
      	Snort VRT rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort VRT rules will not be updated.
      	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      	Checking Snort OpenAppID detectors md5 file...
      	There is a new set of Snort OpenAppID detectors posted.
      	Downloading file 'snort-openappid.tar.gz'...
      	Snort OpenAppID detectors file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort OpenAppID detectors will not be updated.
      	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      	Checking Snort GPLv2 Community Rules md5 file...
      	There is a new set of Snort GPLv2 Community Rules posted.
      	Downloading file 'community-rules.tar.gz'...
      	Snort GPLv2 Community Rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort GPLv2 Community Rules will not be updated.
      	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      	Checking Emerging Threats Open rules md5 file...
      	There is a new set of Emerging Threats Open rules posted.
      	Downloading file 'emerging.rules.tar.gz'...
      	Done downloading rules file.
      	Extracting and installing Emerging Threats Open rules...
      	Installation of Emerging Threats Open rules completed.
      	Copying new config and map files...
      	Updating rules configuration for: WAN ...
      	Updating rules configuration for: LAN ...
      The Rules update has finished.  Time: 2016-04-05 16:27:59
      
      Starting rules update...  Time: 2016-04-05 18:23:56
      	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
      	Checking Snort VRT rules md5 file...
      	There is a new set of Snort VRT rules posted.
      	Downloading file 'snortrules-snapshot-2980.tar.gz'...
      	Snort VRT rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort VRT rules will not be updated.
      	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      	Checking Snort OpenAppID detectors md5 file...
      	There is a new set of Snort OpenAppID detectors posted.
      	Downloading file 'snort-openappid.tar.gz'...
      	Snort OpenAppID detectors file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort OpenAppID detectors will not be updated.
      	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      	Checking Snort GPLv2 Community Rules md5 file...
      	There is a new set of Snort GPLv2 Community Rules posted.
      	Downloading file 'community-rules.tar.gz'...
      	Snort GPLv2 Community Rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort GPLv2 Community Rules will not be updated.
      	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      	Checking Emerging Threats Open rules md5 file...
      	Emerging Threats Open rules are up to date.
      The Rules update has finished.  Time: 2016-04-05 18:27:08
      
      Starting rules update...  Time: 2016-04-06 00:05:00
      	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
      	Checking Snort VRT rules md5 file...
      	There is a new set of Snort VRT rules posted.
      	Downloading file 'snortrules-snapshot-2980.tar.gz'...
      	Snort VRT rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort VRT rules will not be updated.
      	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      	Checking Snort OpenAppID detectors md5 file...
      	There is a new set of Snort OpenAppID detectors posted.
      	Downloading file 'snort-openappid.tar.gz'...
      	Snort OpenAppID detectors file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort OpenAppID detectors will not be updated.
      	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      	Checking Snort GPLv2 Community Rules md5 file...
      	There is a new set of Snort GPLv2 Community Rules posted.
      	Downloading file 'community-rules.tar.gz'...
      	Snort GPLv2 Community Rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort GPLv2 Community Rules will not be updated.
      	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      	Checking Emerging Threats Open rules md5 file...
      	Emerging Threats Open rules are up to date.
      The Rules update has finished.  Time: 2016-04-06 00:08:17
      
      Starting rules update...  Time: 2016-04-06 09:59:35
      	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
      	Checking Snort VRT rules md5 file...
      	There is a new set of Snort VRT rules posted.
      	Downloading file 'snortrules-snapshot-2980.tar.gz'...
      	Snort VRT rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort VRT rules will not be updated.
      	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      	Checking Snort OpenAppID detectors md5 file...
      	There is a new set of Snort OpenAppID detectors posted.
      	Downloading file 'snort-openappid.tar.gz'...
      	Snort OpenAppID detectors file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort OpenAppID detectors will not be updated.
      	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      	Checking Snort GPLv2 Community Rules md5 file...
      	There is a new set of Snort GPLv2 Community Rules posted.
      	Downloading file 'community-rules.tar.gz'...
      	Snort GPLv2 Community Rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort GPLv2 Community Rules will not be updated.
      	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      	Checking Emerging Threats Open rules md5 file...
      	There is a new set of Emerging Threats Open rules posted.
      	Downloading file 'emerging.rules.tar.gz'...
      Starting rules update...  Time: 2016-04-06 10:10:24
      	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
      	Checking Snort VRT rules md5 file...
      	There is a new set of Snort VRT rules posted.
      	Downloading file 'snortrules-snapshot-2980.tar.gz'...
      	Snort VRT rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort VRT rules will not be updated.
      	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      	Checking Snort OpenAppID detectors md5 file...
      	There is a new set of Snort OpenAppID detectors posted.
      	Downloading file 'snort-openappid.tar.gz'...
      	Snort OpenAppID detectors file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort OpenAppID detectors will not be updated.
      	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      	Checking Snort GPLv2 Community Rules md5 file...
      	There is a new set of Snort GPLv2 Community Rules posted.
      	Downloading file 'community-rules.tar.gz'...
      	Snort GPLv2 Community Rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort GPLv2 Community Rules will not be updated.
      	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      	Checking Emerging Threats Open rules md5 file...
      	There is a new set of Emerging Threats Open rules posted.
      	Downloading file 'emerging.rules.tar.gz'...
      Starting rules update...  Time: 2016-04-06 10:39:21
      	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
      	Checking Snort VRT rules md5 file...
      	There is a new set of Snort VRT rules posted.
      	Downloading file 'snortrules-snapshot-2980.tar.gz'...
      	Snort VRT rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort VRT rules will not be updated.
      	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      	Checking Snort OpenAppID detectors md5 file...
      	There is a new set of Snort OpenAppID detectors posted.
      	Downloading file 'snort-openappid.tar.gz'...
      	Snort OpenAppID detectors file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort OpenAppID detectors will not be updated.
      	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      	Checking Snort GPLv2 Community Rules md5 file...
      	There is a new set of Snort GPLv2 Community Rules posted.
      	Downloading file 'community-rules.tar.gz'...
      	Snort GPLv2 Community Rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort GPLv2 Community Rules will not be updated.
      	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      	Checking Emerging Threats Open rules md5 file...
      	There is a new set of Emerging Threats Open rules posted.
      	Downloading file 'emerging.rules.tar.gz'...
      	Done downloading rules file.
      	Extracting and installing Emerging Threats Open rules...
      	Installation of Emerging Threats Open rules completed.
      	Copying new config and map files...
      	Updating rules configuration for: WAN ...
      	Updating rules configuration for: LAN ...
      The Rules update has finished.  Time: 2016-04-06 10:42:39
      
      Starting rules update...  Time: 2016-04-06 11:02:46
      	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
      	Checking Snort VRT rules md5 file...
      	There is a new set of Snort VRT rules posted.
      	Downloading file 'snortrules-snapshot-2980.tar.gz'...
      	Snort VRT rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort VRT rules will not be updated.
      	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      	Checking Snort OpenAppID detectors md5 file...
      	There is a new set of Snort OpenAppID detectors posted.
      	Downloading file 'snort-openappid.tar.gz'...
      	Snort OpenAppID detectors file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort OpenAppID detectors will not be updated.
      	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      	Checking Snort GPLv2 Community Rules md5 file...
      	There is a new set of Snort GPLv2 Community Rules posted.
      	Downloading file 'community-rules.tar.gz'...
      	Snort GPLv2 Community Rules file download failed.  Server returned error 0.
      	The error text was: SSL certificate problem: unable to get local issuer certificate
      	Snort GPLv2 Community Rules will not be updated.
      	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      	Checking Emerging Threats Open rules md5 file...
      	Emerging Threats Open rules are up to date.
      The Rules update has finished.  Time: 2016-04-06 11:05:55
      
      Starting rules update...  Time: 2016-04-07 00:05:00
      	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
      	Checking Snort VRT rules md5 file...
      	There is a new set of Snort VRT rules posted.
      	Downloading file 'snortrules-snapshot-2980.tar.gz'...
      	Done downloading rules file.
      	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
      	Checking Snort OpenAppID detectors md5 file...
      	There is a new set of Snort OpenAppID detectors posted.
      	Downloading file 'snort-openappid.tar.gz'...
      	Done downloading rules file.
      	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
      	Checking Snort GPLv2 Community Rules md5 file...
      	There is a new set of Snort GPLv2 Community Rules posted.
      	Downloading file 'community-rules.tar.gz'...
      	Done downloading rules file.
      	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
      	Checking Emerging Threats Open rules md5 file...
      	Emerging Threats Open rules are up to date.
      	Extracting and installing Snort VRT rules...
      	Using Snort VRT precompiled SO rules for FreeBSD-10-0 ...
      	Installation of Snort VRT rules completed.
      	Extracting and installing Snort OpenAppID detectors...
      	Installation of Snort OpenAppID detectors completed.
      	Extracting and installing Snort GPLv2 Community Rules...
      	Installation of Snort GPLv2 Community Rules completed.
      	Copying new config and map files...
      	Updating rules configuration for: WAN ...
      	Updating rules configuration for: LAN ...
      The Rules update has finished.  Time: 2016-04-07 00:10:32
      
      
      Last Update: Apr-07 2016 00:10    Result: Success
      

      2.3-RC (amd64)
      built on Mon Apr 04 17:09:32 CDT 2016
      FreeBSD 10.3-RELEASE
      Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz

      darkstat 3.1.2_1
      Lightsquid 3.0.3_1
      mailreport 3.0_1
      pfBlockerNG 2.0.9_1  
      RRD_Summary 1.3.1_2
      snort 3.2.9.1_9  
      squid 0.4.16_1  
      squidGuard 1.14_1
      syslog-ng 1.1.2_2

      • Abhishek

        Again the same issue today. I noticed the automatic daily Snort update failed, and when I tried a manual update I got the same error:

        
        Apr 11 18:15:59	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Snort OpenAppID detectors file download failed... server returned error '0'...
        Apr 11 18:15:59	php-fpm	12254	/snort/snort_download_updates.php: File 'snort-openappid.tar.gz' download attempts: 4 ...
        Apr 11 18:15:44	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
        Apr 11 18:15:44	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
        Apr 11 18:15:29	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
        Apr 11 18:15:29	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
        Apr 11 18:15:26	xinetd	26331	Reconfigured: new=0 old=1 dropped=0 (services)
        Apr 11 18:15:26	xinetd	26331	readjusting service 6969-udp
        Apr 11 18:15:26	xinetd	26331	Swapping defaults
        Apr 11 18:15:26	xinetd	26331	Starting reconfiguration
        Apr 11 18:15:25	check_reload_status		Reloading filter
        Apr 11 18:15:14	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
        Apr 11 18:15:14	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
        Apr 11 18:14:59	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Will retry in 15 seconds...
        Apr 11 18:14:59	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
        Apr 11 18:14:57	php-fpm	12254	/snort/snort_download_updates.php: [Snort] There is a new set of Snort OpenAppID detectors posted. Downloading snort-openappid.tar.gz...
        Apr 11 18:14:56	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Snort VRT rules file download failed... server returned error '0'...
        Apr 11 18:14:56	php-fpm	12254	/snort/snort_download_updates.php: File 'snortrules-snapshot-2980.tar.gz' download attempts: 4 ...
        
        
        
        Rule Set Name/Publisher	MD5 Signature Hash	MD5 Signature Date
        Snort VRT Rules	4be4f08437dbeb15b23fef3f6424b616	Thursday, 07-Apr-16 00:10:16 IST
        Snort GPLv2 Community Rules	34a4533fb98dd7b144e9619d7517aa3f	Thursday, 07-Apr-16 00:10:16 IST
        Emerging Threats Open Rules	d7572b565b38b5ca9c16849b3fefb0d6	Saturday, 09-Apr-16 09:37:26 IST
        Snort OpenAppID Detectors	52f5e20a3c67f2a4a1b9cbc14c2f02ac	Thursday, 07-Apr-16 00:10:16 IST
        
        
        Last Update: Apr-10 2016 00:07    Result: Failed
        
        
        Version	2.3-RC (amd64) 
        built on Wed Apr 06 05:34:38 CDT 2016 
        FreeBSD 10.3-RELEASE 
        
        
        Name	Category	Version	Actions
        darkstat	net-mgmt	 3.1.2_1	 
        iftop	net-mgmt	 0.17_2	  
        Lightsquid	www	 3.0.3_1	 
        mailreport	mail	 3.0_1	 
        pfBlockerNG	net	 2.0.9_1	  
        RRD_Summary	sysutils	 1.3.1_2	 
        snort	security	 3.2.9.1_10	  
        squid	www	 0.4.16_2	  
        squidGuard	www	 1.14_2	 
        syslog-ng	sysutils	 1.1.2_2	 
        

        Maybe because of this Snort is not blocking the threat:

        
        Interface Settings Overview
         	Interface	Snort Status	Pattern Match	Blocking	Barnyard2 Status	Description	Actions
        	WAN	     	LOWMEM	ENABLED	DISABLED 	WAN	 
        	LAN	     	LOWMEM	ENABLED	DISABLED 	LAN	 
        

        Alerts

        Interface to Inspect  WAN

        
        Date	Pri	Proto	Class	Source IP	SPort	Destination IP	DPort	SID	Description
        04/11/16 18:20:25	1	TCP	A Network Trojan was Detected	192.168.2.2	23872	123.125.114.8	80	1:2010066	ET POLICY Data POST to an image file (gif)
        
        

        On the Snort LAN interface it's originating from an Android phone,

        but Snort is not blocking the threat:

        
        Last 500 Hosts Blocked by Snort
        #	IP	Alert Descriptions and Event Times	Remove
        There are currently no hosts being blocked by Snort.
        

        IP address info shows the IP is from China:

        
        http://www.infobyip.com/ip-123.125.114.8.html
        
        
        https://www.virustotal.com/en/ip-address/123.125.114.8/information/
        


        • BBcan177 (Moderator)

          You are having an SSL cURL error:

          
          Apr 11 18:14:59	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
          
          

          Maybe you need to make an exception in squid? It's failing on a "self-signed certificate".

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

          • bmeeks

            As BBcan177 stated, you have a problem with the SSL certificate chain on that firewall and not a Snort package problem.  Your update errors are not Snort related.  You have a broken SSL certificate chain.  The error message plainly states that as well.

            Bill

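            The two diagnoses above both come down to what OpenSSL says when it cannot build a trusted chain. The following is an added example, not code from this thread or from the pfSense Snort package: a small Python triage script that parses the two log formats pasted above (the Snort update log and the php-fpm system-log lines), maps cURL's "SSL certificate problem" text to the OpenSSL verify error behind it, and lists what to check next so that a missing CA bundle can be told apart from a TLS-intercepting proxy. The sample lines are copied from the posts above; the rules-download host name is left as a placeholder.

```python
"""Triage Snort rule-update TLS failures from pfSense logs (added example, not
code from this thread or from the pfSense Snort package)."""
import re
from collections import Counter, defaultdict

# cURL copies OpenSSL's X509 verify error string into its message; the
# numbers are OpenSSL's X509_V_ERR_* codes for those strings.
SSL_ERRORS = {
    "unable to get local issuer certificate": (
        20, "chain issuer not in the local trust store: CA bundle missing or "
            "stale, or an intercepting proxy whose CA the firewall does not trust"),
    "self signed certificate in certificate chain": (
        19, "chain ends in an untrusted self-signed root: typical of a TLS-"
            "intercepting proxy (squid ssl_bump etc.) re-signing the server cert"),
}

# Snort update log: "Downloading file '<f>'..." then, on failure,
# "The error text was: SSL certificate problem: <msg>".
UPDATE_FILE_RE = re.compile(r"Downloading file '([^']+)'")
UPDATE_ERR_RE = re.compile(r"The error text was: SSL certificate problem: (.+?)\s*$")
# php-fpm system log: "<ts>\tphp-fpm\t<pid>\t/snort/snort_download_updates.php: ..."
SYSLOG_ERR_RE = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d\tphp-fpm\t\d+\t\S*snort_download_updates\.php: "
    r"\[Snort\] Rules download error: SSL certificate problem: (.+?)\s*$")
SYSLOG_FILE_RE = re.compile(r"\[Snort\] .*Downloading (\S+\.tar\.gz)\.\.\.")
SYSLOG_ATTEMPTS_RE = re.compile(r"File '([^']+)' download attempts: (\d+)")


def classify(msg):
    """Map cURL's 'SSL certificate problem' text to (openssl_code, meaning)."""
    msg = msg.strip()
    return SSL_ERRORS.get(msg, (None, "unrecognised verify error: " + msg))


def triage_update_log(lines):
    """Verify errors per rule-set file: {file: Counter({code: n})}."""
    report, current = defaultdict(Counter), None
    for line in lines:
        m = UPDATE_FILE_RE.search(line)
        if m:
            current = m.group(1)      # errors that follow belong to this file
            continue
        m = UPDATE_ERR_RE.search(line)
        if m and current:
            report[current][classify(m.group(1))[0]] += 1
    return dict(report)


def triage_syslog(lines):
    """Verify errors and retries per file from php-fpm lines in chronological
    order: {file: {"codes": Counter, "attempts": int}}."""
    report = defaultdict(lambda: {"codes": Counter(), "attempts": 0})
    current = None
    for line in lines:
        m = SYSLOG_FILE_RE.search(line)
        if m:
            current = m.group(1)
            continue
        m = SYSLOG_ATTEMPTS_RE.search(line)
        if m:
            report[m.group(1)]["attempts"] = int(m.group(2))
            continue
        m = SYSLOG_ERR_RE.match(line)
        if m and current:
            report[current]["codes"][classify(m.group(1))[0]] += 1
    return dict(report)


def advise(codes):
    """Defender next steps for the set of OpenSSL verify codes observed."""
    steps = []
    if codes & {19, 20}:
        steps.append("Inspect the chain the firewall really receives (openssl s_client "
                     "-connect <rules-host>:443 -showcerts) and compare its root issuer "
                     "with what a client outside the proxy sees.")
    if 19 in codes:
        steps.append("A proxy-issued root means interception: exempt the rules-download "
                     "hosts from SSL interception, or trust the proxy CA on the firewall.")
    if 20 in codes:
        steps.append("If the chain is genuine, cURL's CA bundle is missing or stale "
                     "(the ca_root_nss package on FreeBSD); reinstall it.")
    return steps


# Sample lines copied from the posts above (tabs restored); pfSense shows the
# php-fpm log newest-first, so pass reversed(SYSLOG_NEWEST_FIRST) to triage.
UPDATE_LOG = [
    "\tDownloading file 'snortrules-snapshot-2980.tar.gz'...",
    "\tThe error text was: SSL certificate problem: unable to get local issuer certificate",
    "\tDownloading file 'snort-openappid.tar.gz'...",
    "\tThe error text was: SSL certificate problem: unable to get local issuer certificate",
    "\tDownloading file 'emerging.rules.tar.gz'...",
]
PHP = "\tphp-fpm\t12254\t/snort/snort_download_updates.php: "
SYSLOG_NEWEST_FIRST = [
    "Apr 11 18:15:59" + PHP + "File 'snort-openappid.tar.gz' download attempts: 4 ...",
    "Apr 11 18:15:44" + PHP + "[Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain",
    "Apr 11 18:15:29" + PHP + "[Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain",
    "Apr 11 18:15:26\txinetd\t26331\tReconfigured: new=0 old=1 dropped=0 (services)",
    "Apr 11 18:14:57" + PHP + "[Snort] There is a new set of Snort OpenAppID detectors posted. Downloading snort-openappid.tar.gz...",
    "Apr 11 18:14:56" + PHP + "File 'snortrules-snapshot-2980.tar.gz' download attempts: 4 ...",
]
```

Feed `triage_syslog(reversed(SYSLOG_NEWEST_FIRST))` and `triage_update_log(UPDATE_LOG)`, collect the codes seen, and pass them to `advise()`; for the thread above that yields code 20 on the first day and code 19 on the second, both pointing at the chain the proxy hands the firewall rather than at Snort.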
            • Abhishek

              I updated my firewall proxy rule and now it's working. I will check it for a few days.

              BTW, in the system logs I find:

              
              Apr 12 11:08:25	snort	98430	WARNING: /usr/local/etc/snort/snort_11346_em0/rules/snort.rules(890) threshold (in rule) is deprecated; use detection_filter instead.
              
              
              
              Apr 12 11:08:25	snort	97987	WARNING: /usr/local/etc/snort/snort_21557_ste0/rules/snort.rules(1131) threshold (in rule) is deprecated; use detection_filter instead.
              Apr 12 11:08:25	snort	97987	Initializing rule chains...
              


              • Abhishek

                Still facing an issue with blocking offenders:

                
                Last 250 Alert Log Entries
                Date	Pri	Proto	Class	Source IP	SPort	Destination IP	DPort	SID	Description
                04/12/16 13:30:39	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	4577	54.230.191.47	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 13:26:07	1	UDP	Potential Corporate Privacy Violation	192.168.2.2	42180	188.183.144.164	26363	1:2008581	ET P2P BitTorrent DHT ping request
                04/12/16 13:19:00	1	UDP	Potential Corporate Privacy Violation	192.168.2.2	32733	110.55.67.168	34242	1:2008581	ET P2P BitTorrent DHT ping request
                04/12/16 12:30:37	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	12010	54.230.191.192	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 12:09:14	1	UDP	Potential Corporate Privacy Violation	192.168.2.2	44624	195.154.8.133	6881	1:2008581	ET P2P BitTorrent DHT ping request
                04/12/16 11:43:00	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	24472	54.230.191.163	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 11:30:38	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	3136	54.230.191.169	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 11:08:37	1	UDP	Potential Corporate Privacy Violation	192.168.2.2	45122	91.121.96.123	51413	1:2008581	ET P2P BitTorrent DHT ping request
                04/12/16 10:30:47	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	22779	54.230.190.172	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:46	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	48540	80.94.76.5	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:46	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	31562	82.221.103.245	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:45	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	44123	54.230.190.167	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:45	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	47535	173.254.195.58	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:45	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	60572	54.230.191.159	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:45	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	39180	80.94.76.5	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:40	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	18747	54.230.191.163	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:38	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	29431	52.84.198.229	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:37	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	40167	111.119.17.254	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:37	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	12509	111.119.17.253	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:22	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	9461	67.215.246.203	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 10:30:22	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	48950	173.254.195.58	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:40:04	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	5448	111.119.17.253	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:40:04	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	39642	111.119.17.254	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:57	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	52213	67.215.246.203	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:57	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	41794	54.230.190.172	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:57	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	29484	80.94.76.5	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:57	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	53677	67.215.246.203	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:56	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	29777	173.254.195.58	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:56	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	11758	111.119.17.254	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:56	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	40463	54.230.191.169	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:55	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	56369	80.94.76.5	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:49	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	61210	54.230.191.18	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:49	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	3696	54.230.190.237	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:48	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	59978	52.84.198.229	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:47	1	TCP	Potential Corporate Privacy Violation	192.168.2.2	54855	111.119.17.254	80	1:2012247	ET P2P BTWebClient UA uTorrent in use
                04/12/16 09:39:47	1	UDP	Potential Corporate Privacy Violation	192.168.2.2	50163	58.182.0.93	11101	1:2008581	ET P2P BitTorrent DHT ping request
                04/11/16 19:07:35	1	TCP	Potential Corporate Privacy Violation	192.168.2.2
                  	27886	54.230.191.75
                  	80	1:2012247
                  	ET P2P BTWebClient UA uTorrent in use
                04/11/16
                18:53:29	1	TCP	A Network Trojan was Detected	192.168.2.2
                  	58238	123.125.114.8
                  	80	1:2010066
                  	ET POLICY Data POST to an image file (gif)
                04/11/16
                18:31:05	1	TCP	A Network Trojan was Detected	192.168.2.2
                  	36910	123.125.114.8
                  	80	1:2010066
                  	ET POLICY Data POST to an image file (gif)
                04/11/16
                18:30:31	1	TCP	A Network Trojan was Detected	192.168.2.2
                  	61223	123.125.114.8
                  	80	1:2010066
                  	ET POLICY Data POST to an image file (gif)
                04/11/16
                18:20:25	1	TCP	A Network Trojan was Detected	192.168.2.2
                  	23872	123.125.114.8
                  	80	1:2010066
                  	ET POLICY Data POST to an image file (gif)
                

None is blocked:

Last 500 Hosts Blocked by Snort
There are currently no hosts being blocked by Snort.
                

All issues started after updating from stable to RC. Is there any way to completely wipe and install Snort? I already tried a reinstall but it did not work.

                2.3-RC (amd64)
                built on Mon Apr 04 17:09:32 CDT 2016
                FreeBSD 10.3-RELEASE
                Intel(R) Core(TM)2 Duo CPU E4500 @ 2.20GHz

                darkstat 3.1.2_1
                Lightsquid 3.0.3_1
                mailreport 3.0_1
                pfBlockerNG 2.0.9_1  
                RRD_Summary 1.3.1_2
                snort 3.2.9.1_9  
                squid 0.4.16_1  
                squidGuard 1.14_1
                syslog-ng 1.1.2_2

• bmeeks

                  To totally remove Snort and start with a clean slate, go to the GLOBAL SETTINGS tab and uncheck the box near the bottom for saving settings when uninstalling.  That will cause all traces of the Snort configuration to be removed when you uninstall the package.  So uncheck this box, save the change, then go to System > Packages and remove the Snort package.

                  Now when you install the package again, it will be a total green-field install with no previous settings.  In other words, everything you had configured in the past will be wiped out in terms of the Snort configuration.

                  Bill

• Abhishek

Thank you, now Snort is working perfectly :), thank you.


• Abhishek

                      @BBcan177:

                      You are having an SSL cURL error:

                      
                      Apr 11 18:14:59	php-fpm	12254	/snort/snort_download_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
                      
                      

                      Maybe you need to make an exception in squid? It's failing on a "self-signed certificate".

I have a block rule, as shown in the pic, which allows direct connection. I am using Squid with WPAD (non-transparent), so there shouldn't be a self-signed cert error.

                      
                      Rule Set Name/Publisher	MD5 Signature Hash	MD5 Signature Date
                      Snort VRT Rules	b93880acfbcdd064ad894a1bfb9bc500	Wednesday, 20-Apr-16 00:09:30 IST
                      Snort GPLv2 Community Rules	fb7314e7d71c8cd3fcdf821fec9e01bc	Friday, 15-Apr-16 14:53:43 IST
                      Emerging Threats Open Rules	8ccb168cfdb2fe0d4a4f805b840e345d	Sunday, 24-Apr-16 00:07:15 IST
                      Snort OpenAppID Detectors	6575e2e2d2ae00cfd2d6726538f8deaa	Friday, 15-Apr-16 14:53:43 IST
                      

For me the issue started after upgrading to 2.3.

Then, because of this issue, I even did a fresh install, and I am still facing the same issue on the fresh install. Help.

                      
                      Time	Process	PID	Message
                      Apr 25 10:00:10	php		[pfBlockerNG] No changes to Firewall rules, skipping Filter Reload
                      Apr 25 10:00:00	php		[pfBlockerNG] Starting cron process.
                      Apr 25 09:45:23	check_reload_status		Syncing firewall
                      Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] The Rules update has finished.
                      Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] Removed 0 obsoleted rules category files.
                      Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] Hide Deprecated Rules is enabled. Removing obsoleted rules categories.
                      Apr 25 09:45:23	php-cgi		snort_check_for_rule_updates.php: [Snort] Emerging Threats Open rules are up to date...
                      Apr 25 09:45:22	php-cgi		snort_check_for_rule_updates.php: [Snort] Snort GPLv2 Community Rules file download failed... server returned error '0'...
                      Apr 25 09:45:22	php-cgi		snort_check_for_rule_updates.php: File 'community-rules.tar.gz' download attempts: 4 ...
                      Apr 25 09:45:07	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
                      Apr 25 09:45:07	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
                      Apr 25 09:44:52	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
                      Apr 25 09:44:52	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
                      Apr 25 09:44:37	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
                      Apr 25 09:44:37	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
                      Apr 25 09:44:22	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
                      Apr 25 09:44:22	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
                      Apr 25 09:44:20	php-cgi		snort_check_for_rule_updates.php: [Snort] There is a new set of Snort GPLv2 Community Rules posted. Downloading community-rules.tar.gz...
                      Apr 25 09:44:19	php-cgi		snort_check_for_rule_updates.php: [Snort] Snort OpenAppID detectors are up to date...
                      Apr 25 09:44:18	php-cgi		snort_check_for_rule_updates.php: [Snort] Snort VRT rules file download failed... server returned error '0'...
                      Apr 25 09:44:18	php-cgi		snort_check_for_rule_updates.php: File 'snortrules-snapshot-2980.tar.gz' download attempts: 4 ...
                      Apr 25 09:44:03	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
                      Apr 25 09:44:03	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
                      Apr 25 09:43:48	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
                      Apr 25 09:43:48	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
                      Apr 25 09:43:45	php-cgi		servicewatchdog_cron.php: Could not send the message to info@cbdatasource.com -- Error: 535 Incorrect authentication data
                      Apr 25 09:43:33	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
                      Apr 25 09:43:33	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
                      Apr 25 09:43:15	php-cgi		snort_check_for_rule_updates.php: [Snort] Will retry in 15 seconds...
                      Apr 25 09:43:15	php-cgi		snort_check_for_rule_updates.php: [Snort] Rules download error: SSL certificate problem: self signed certificate in certificate chain
                      Apr 25 09:43:14	php-cgi		snort_check_for_rule_updates.php: [Snort] There is a new set of Snort VRT rules posted. Downloading snortrules-snapshot-2980.tar.gz...
                      Apr 25 09:43:07	xinetd	22114	Reconfigured: new=0 old=1 dropped=0 (services)
                      

Attachments: S01.PNG, S02.png


• bmeeks

Firewall rules have nothing at all to do with your Snort rules update problem.  It is complaining about the certificate trust chain.  There either is, or your configuration makes cURL think there is, a self-signed certificate in the chain.

Have you tried removing Squid entirely for a test to see if the rules download then?  The Snort code uses the built-in system function cURL() to download updates.  That function is called with a parameter set to verify SSL peers (in other words, check the certificate trust chain).  That check is failing on your system because of some specific configuration you have.  My bet is the problem is with Squid.

                        Bill

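The two error strings that appear in this thread, "unable to get local issuer certificate" (first post) and "self signed certificate in certificate chain" (the later log excerpts), are the two ways OpenSSL path validation fails when an intercepting proxy stands between cURL and the rules server. The script below is an added example, not code from the thread or from the pfSense Snort package: it builds a throwaway "proxy CA" and a leaf certificate for the rules host entirely offline, then runs `openssl verify` three ways to reproduce both errors and the one configuration that passes. The CA name, the file names and the temporary directory are assumptions made for the demo; it needs the `openssl` CLI (1.1.0 or newer for the `-no-CAfile`/`-no-CApath` flags).

```shell
#!/bin/sh
# Added example (not from the thread or the pfSense Snort package): reproduce,
# offline, the two OpenSSL trust-chain failures quoted in this thread and show
# the one outcome that should pass. Names and paths are assumptions for the demo.
# Requires the openssl CLI, 1.1.0 or later.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Throwaway "intercepting proxy" CA plus a leaf it minted for the rules host.
# This stands in for what an SSL-bumping proxy hands to cURL in place of the
# real server chain.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Intercepting Proxy CA" \
        -keyout "$WORK/proxy-ca.key" -out "$WORK/proxy-ca.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=www.snort.org" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/proxy-ca.pem" -CAkey "$WORK/proxy-ca.key" -CAcreateserial \
        -out "$WORK/leaf.pem" >/dev/null 2>&1
}

# verify_chain [extra openssl-verify args]
# Same path-building check cURL performs when peer verification is on, with the
# system trust store disabled so that only what we pass in counts.
# Prints one of: ok | no-local-issuer | self-signed-in-chain | other
verify_chain() {
    if out=$(openssl verify -no-CAfile -no-CApath "$@" "$WORK/leaf.pem" 2>&1); then
        echo ok
        return 0
    fi
    case "$out" in
        *"unable to get local issuer certificate"*)
            echo no-local-issuer ;;
        *"self signed certificate in certificate chain"*|*"self-signed certificate in certificate chain"*)
            echo self-signed-in-chain ;;
        *)
            echo other ;;
    esac
}

make_certs
# 1. Only the leaf arrives and nothing on hand can sign for it:
#    "unable to get local issuer certificate" (the first post's error).
printf 'leaf alone, no trust anchor:      %s\n' "$(verify_chain)"
# 2. The proxy sends its own self-signed CA along with the leaf, but that CA
#    is not trusted: "self signed certificate in certificate chain"
#    (the error in the later log excerpts).
printf 'proxy CA in chain, not trusted:   %s\n' "$(verify_chain -untrusted "$WORK/proxy-ca.pem")"
# 3. The only sound fix if the proxy must stay in the path: trust that CA
#    explicitly. Disabling peer verification would "fix" 1 and 2 as well, and
#    would equally accept any attacker's certificate for the rules download.
printf 'proxy CA explicitly trusted:      %s\n' "$(verify_chain -CAfile "$WORK/proxy-ca.pem")"
```

Run it with `sh`. The practical takeaways match the advice above: case 1 is what cURL reports when the leaf's issuer is simply missing from the box's CA bundle, case 2 is what it reports when a proxy's own CA is being presented, and the answer in either case is to take the proxy out of the path for the update hosts (or trust its CA on the firewall), never to turn peer verification off for a file that will be loaded straight into the IDS engine. On the firewall itself, `openssl s_client -showcerts -connect <rules host>:443` shows which chain cURL is actually being handed.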
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.