Snort: No more VRT-Updates? -> Snort-Version too old?

user12

What do you do?
Just accept it for the moment, waiting for an update?

Nachtfalke

I am only using this in my private home environment. I will wait some time. I assume that the maintainer bmeeks will recognize this, too, and will provide a fix. Or it is a problem with snort.org.

stownplayer

same here. I just registered to post about it.  I talked to someone at Snort and got a quick reply. The url pfsense is using is not the right one and needs to be updated. Seems mine is attemping to download 2980 rules, where It should be trying to download 2983 rules. Maybe a good feature where we can manually update?

Bad timing for me I guess. I purchased the upgraded rules a few days ago. lol

bmeeks

My bad for being late on the package update.  Look for this to be fixed in another day or two.  The correct package has been posted for the pfSense team to review and merge.  The long Independence Day weekend here in the U.S. is slowing things down.  I did not post the update for them to review until late this past Friday evening.

Bill

stownplayer

No worries. Thanks for all your hard work. Great product! I use it at home and at the business network I manage. Take it easy and have a happy 4th!

stownplayer

Any Eta on this or any special instructions we need to know about. I still have no updates yet.

stownplayer

another post. Just update snort from packages. There is a squid update as well… unrelated. lol . Thanks

DeeeePIMPact

Worked on 7/12/16 BUT hasn't updated since.  I "Forced Update" and I get a

"Snort GPLv2 Community Rules md5 download failed.
  Server returned error code 0."

Any suggestions?

DeeeePIMPact

Never mind.  I reverted back to a early restore point when I didn't install squid in the last 2 days and snort updates correctly.

I am guessing squid is blocking snort updates, and pfsense packages.

DeeeePIMPact

I figured I'd update this with what turned out to be the actual problem.

It was not SQUID it was PFBLOCKER and a BOGON list I had installed from iBlocklist.com….

PFBLOCKER Bogon list was blocking the SNORT VRT Rules and other updates.  Kind of weird as this hasn't happened before and I've been using these lists for quite sometime...

ohh well...  at least I figured it out :)

bmeeks

@DeeeePIMPact:

I figured I'd update this with what turned out to be the actual problem.

It was not SQUID it was PFBLOCKER and a BOGON list I had installed from iBlocklist.com….

PFBLOCKER Bogon list was blocking the SNORT VRT Rules and other updates.  Kind of weird as this hasn't happened before and I've been using these lists for quite sometime...

ohh well...  at least I figured it out :)

IP addresses can come and go on lists like that.  Every now and then it would not be unexpected for a legitimate site to maybe pickup an IP that was once a bad guy's.  Just like phone numbers can be reused, so to can IP addresses.  That's one issue in my personal view with lists of so-called "bad IP addresses".  They can sometimes get a little stale and block legitimate sites that happened to get assigned one of those formerly bad IP addresses.  Remember, there are no more IPv4 addresses, so the existing pool will keep getting recycled as old sites die and new sites need an IP to come online.

Bill

oddworld19

I, too, am unable to download snort updates.

Specifically, there are two issues:

1. I have unchecked "Click to retain Snort settings after package removal." Then uninstalled, then rebooted, and still Snort remembers my settings (including my oinkmaster code)

2. Ignoring that….. and more importantly, when trying to update VRT rules using snort 3.2.9.1_14, I get the following error. Any ideas?

Starting rules update...  Time: 2016-08-11 22:05:58
	Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
	Checking Snort VRT rules md5 file...
	There is a new set of Snort VRT rules posted.
	Downloading file 'snortrules-snapshot-2983.tar.gz'...
	Snort VRT rules file download failed.  Server returned error 0.
	The error text was: Connection timed out after 15015 milliseconds
	Snort VRT rules will not be updated.
The Rules update has finished.  Time: 2016-08-11 22:07:59

I have tried more than 10 times over the last 3 days.

I run the following packages:

pfblockerNG 2.1.1_1 with TLD features enabled

squid

Squidguard

Machine:
C2758
16 Gigs ECC ram
4 onboard intel NIC
1x PCI-e intel 4 port pro/1000 PT