Netgate Discussion Forum

Suricata Rules download error - pfsense 2.3.3

  • H
    hilfi2000
    last edited by Feb 23, 2017, 10:27 AM

    Hi,

    I use pfsense 2.3.3 on a fresh installation with suricata.

    If I click on update or force update, it takes quite a while but no updates are downloaded.
    In the system log I see this error:

    Feb 23 11:13:14 php /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Rules download error: Resolving timed out after 10649 milliseconds
    Feb 23 11:13:14 php /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Will retry in 15 seconds…
    Feb 23 11:13:40 php /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Rules download error: Resolving timed out after 10593 milliseconds
    Feb 23 11:13:40 php /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Will retry in 15 seconds…
    Feb 23 11:14:06 php /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Rules download error: Resolving timed out after 10890 milliseconds
    Feb 23 11:14:06 php /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Will retry in 15 seconds…
    Feb 23 11:14:32 php /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Rules download error: Resolving timed out after 10681 milliseconds
    Feb 23 11:14:32 php /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: [Suricata] Will retry in 15 seconds…
    Feb 23 11:14:47 php /usr/local/pkg/suricata/suricata_check_for_rule_updates.php: File 'emerging.rules.tar.gz.md5' download attempts: 4 ...

    In the Update log, the following:

    Starting rules update...  Time: 2017-02-23 11:13:04
    Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    Emerging Threats Open rules md5 download failed.
    Server returned error code 0.
    Server error message was: Resolving timed out after 10681 milliseconds
    Emerging Threats Open rules will not be updated.
    Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
    Snort VRT rules md5 download failed.
    Server returned error code 0.
    Server error message was: Resolving timed out after 11018 milliseconds
    Snort VRT rules will not be updated.
    The Rules update has finished.  Time: 2017-02-23 11:16:29

    I have read the following forum contribution, but the solution does not seem to fit my version.

    Can someone help me, please?

    Thanks.

    HilFi

    • D
      doktornotor Banned
      last edited by Feb 23, 2017, 10:32 AM

      Your DNS is broken.

      • H
        hilfi2000
        last edited by Feb 23, 2017, 10:36 AM

        But I can use the internet from local clients…
        You mean really?

        • D
          doktornotor Banned
          last edited by Feb 23, 2017, 11:29 AM

          Yeah, I mean really. The DNS on pfSense itself is broken. It cannot resolve things. Perhaps configure some DNS servers in System - General. Or untick the "Disable DNS Forwarder" checkbox.

          • H
            hilfi2000
            last edited by Feb 23, 2017, 1:52 PM

            Hi,

            You're right. The DNS Forwarder runs only on the LAN interface. I'm still of the opinion that this is also right.

            In the global settings I used the DNS server 8.8.8.8, but it is overwritten by PPPoE.
            It looks as if only the first DNS server entry is used for the update process.
            This is 127.0.0.1. But the DNS Forwarder listens only on LAN.

            If I change the Forwarder to listen on all, it works.

            • D
              doktornotor Banned
              last edited by Feb 23, 2017, 2:01 PM

              There'd be exactly zero need to do any of that if you simply

              • unticked the "Disable DNS Forwarder" checkbox
              • let it listen on localhost
              • H
                hilfi2000
                last edited by Feb 23, 2017, 2:06 PM

                if I deactivate the DNS forwarder, the internet doesn't work…

                • D
                  doktornotor Banned
                  last edited by Feb 23, 2017, 2:15 PM

                  Sigh. Go read the checkbox description a couple more times.

                  • H
                    hilfi2000
                    last edited by Feb 23, 2017, 2:17 PM

                    Thank you ;)

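The diagnosis reached in this thread, as an added example that is not part of any post and is not pfSense or Suricata package code: the first function classifies each failed ruleset in the update log by cause, and the second flags a loopback nameserver that no local DNS listener covers. The function names, the resolv.conf sample and the listener list are assumptions constructed for illustration.

```python
import ipaddress
import re

# Update-log excerpt copied from the first post in this thread.
UPDATE_LOG = """\
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Emerging Threats Open rules md5 download failed.
Server returned error code 0.
Server error message was: Resolving timed out after 10681 milliseconds
Downloading Snort VRT rules md5 file snortrules-snapshot-2990.tar.gz.md5...
Snort VRT rules md5 download failed.
Server returned error code 0.
Server error message was: Resolving timed out after 11018 milliseconds
"""

# Constructed sample inputs (not from the thread): resolver list on the
# firewall and the addresses a local DNS service is bound to on port 53.
RESOLV_CONF = "nameserver 127.0.0.1\nnameserver 203.0.113.53\n"
DNS_LISTENERS = ["192.168.1.1"]          # forwarder bound to LAN only

FAILURE = re.compile(
    r"^(?P<ruleset>.+?) md5 download failed\.\n"
    r"Server returned error code (?P<code>\d+)\.\n"
    r"Server error message was: (?P<msg>.*)$", re.M)

def classify_update_log(text):
    """Map each failed ruleset to 'dns', 'http' or 'transport'."""
    causes = {}
    for m in FAILURE.finditer(text):
        if int(m["code"]) != 0:
            causes[m["ruleset"]] = "http"        # a server actually answered
        elif "resolv" in m["msg"].lower():
            causes[m["ruleset"]] = "dns"         # name lookup never completed
        else:
            causes[m["ruleset"]] = "transport"
    return causes

def unserved_local_nameservers(resolv_conf, listeners):
    """Return loopback nameservers that no local DNS listener covers."""
    bound = {ipaddress.ip_address(a) for a in listeners}
    wildcard = any(a.is_unspecified for a in bound)
    missing = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            ns = ipaddress.ip_address(parts[1])
            if ns.is_loopback and not wildcard and ns not in bound:
                missing.append(str(ns))
    return missing
```

A "dns" result together with a non-empty list from the second function matches the situation described above: the firewall asks 127.0.0.1 first while the forwarder is bound to LAN only, so IDS rule updates fail even though LAN clients resolve names normally.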