Netgate Discussion Forum

    Snort not updating

      techbee

      I have the latest pfSense version 2.3.4 and when I try to update Snort, the update fails every time, especially the Snort VRT rules and OpenAppID and rules detectors.

      While in Suricata, all are updated.

      Any resolution to this?

      UPDATE:

      After almost 25 update attempts, Snort finally updated, but Snort OpenAppID RULES Detectors is not updating. Any resolution to this?

        bmeeks

        @techbee:

        I have the latest pfSense version 2.3.4 and when I try to update Snort, the update fails every time, especially the Snort VRT rules and OpenAppID and rules detectors.

        While in Suricata, all are updated.

        Any resolution to this?

        UPDATE:

        After almost 25 update attempts, Snort finally updated, but Snort OpenAppID RULES Detectors is not updating. Any resolution to this?

        Try temporarily disabling the OpenAppID rules update and see if it will successfully update just the Snort VRT rules.  The VRT rules come from an Amazon Web Services host that the Snort folks maintain.  The OpenAppID rules come from an unrelated third-party repository at a Brazilian University.

        Do you by chance have pfBlockerNG running as well?  Some of the IP blacklists used there will sometimes "false positive" on the AWS servers and block the Snort rule downloads.  A number of Snort users have seen that issue.

        Oh, and I assume you have the most current version of Snort? Take a look in the log file on the UPDATES tab and see what the error messages there say.  They may help point you to the issue.

        Bill

          techbee

          Bmeeks,

          All are updated now except the SNORT OPENAPPID RULES DETECTORS.  I don't run pfBlockerNG.

          Below is the log of the update, it says:

          This site has been blocked by the network administrator.
          Block reason: Gateway GEO-IP Filter Alert

          IP address: my_public_ip

          Connection initiated from country: my_country

          What to do with this problem?

            bmeeks

            @techbee:

            Bmeeks,

            All are updated now except the SNORT OPENAPPID RULES DETECTORS.  I don't run pfBlockerNG.

            Below is the log of the update, it says:

            This site has been blocked by the network administrator.
            Block reason: Gateway GEO-IP Filter Alert

            IP address: my_public_ip

            Connection initiated from country: my_country

            What to do with this problem?

            There is your reason right there:

            This site has been blocked by the network administrator.
            Block reason: Gateway GEO-IP Filter Alert
            

            If you are not the network admin, then you need to seek him or her out.  If you are the network admin, this message should automatically indicate the problem to you and where to fix it.  In short, your network is configured to block Internet access to the country where the third-party OpenAppID rules are hosted.  Look at my earlier post where I describe that OpenAppID requires two different things.  One is a set of starter files that the Snort VRT provides. But the more important piece to actually make it work is the rules.  Snort VRT intended for users to write their own private rules.  For the pfSense Snort package, a user in Brazil offered to host a repository of OpenAppID rules on a University web site there.  That is probably the site that is triggering the GeoIP alert.  You don't have to use his rules.  You can uncheck that box on the GLOBAL SETTINGS tab and instead write your own OpenAppID rules if you can't get your network settings relaxed a bit so the University site in Brazil is whitelisted.

            Bill
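
The update log in this exchange contained a filter's block page where a rules archive was expected. The following is an added example, not code from the thread or from the pfSense Snort package: it classifies a downloaded payload as a gzip tarball or a block page and pulls out the block fields. The function names and sample payloads are constructed for illustration, and this is not a description of how the package's updater validates downloads.

```python
import io
import re
import tarfile

# Constructed sample: the block message quoted in the thread, wrapped in HTML.
BLOCK_PAGE = (
    b"<html><body>\n"
    b"This site has been blocked by the network administrator.\n"
    b"Block reason: Gateway GEO-IP Filter Alert\n"
    b"IP address: my_public_ip\n"
    b"Connection initiated from country: my_country\n"
    b"</body></html>\n"
)

FIELD_RE = re.compile(
    r"^\s*(Block reason|IP address|Connection initiated from country):"
    r"[ \t]*(.+?)[ \t]*$",
    re.IGNORECASE | re.MULTILINE,
)


def make_sample_archive() -> bytes:
    """Build a tiny constructed .tar.gz standing in for a rules download."""
    data = b"# constructed placeholder, not a real OpenAppID rule\n"
    info = tarfile.TarInfo("rules/example.rules")
    info.size = len(data)
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def classify_download(payload: bytes) -> dict:
    """Tell a real gzip tarball apart from a filter's block page."""
    if payload[:2] == b"\x1f\x8b":  # gzip magic bytes
        try:
            with tarfile.open(fileobj=io.BytesIO(payload), mode="r:gz") as tar:
                return {"kind": "archive", "members": tar.getnames()}
        except (tarfile.TarError, OSError, EOFError):
            return {"kind": "corrupt-archive"}
    text = payload.decode("utf-8", errors="replace")
    fields = {k.lower(): v for k, v in FIELD_RE.findall(text)}
    if "block reason" in fields:
        return {"kind": "block-page", "fields": fields}
    if "<html" in text[:512].lower():
        return {"kind": "html-not-archive"}
    return {"kind": "unknown"}
```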

              techbee

              Bmeeks, yes, I am the network admin and I have not blocked any internet access to any country by pfBlockerNG or anything.

              On the other hand, how can I do a whitelist for the specific IP or website on that Brazil University ?

                BBcan177 Moderator

                Maybe the Brazil website is blocking your GeoIP range?

                "Experience is something you don't get until just after you need it."

                Website: http://pfBlockerNG.com
                Twitter: @BBcan177  #pfBlockerNG
                Reddit: https://www.reddit.com/r/pfBlockerNG/new/

                  techbee

                  What can I do?

                    bmeeks

                    @techbee:

                    What can I do?

                    Here is the raw URL of the University web site in Brazil that is hosting the OpenAppID rules:  http://www.ifs.edu.br/.

                    See if you can browse directly to it?  If not, then perhaps BBcan177 is correct and that site is blocking your IP by Geo-IP and the web server is returning the message you see.

                    If they are blocking your country code, then you have only three options:

                    (1) See if you can contact the admin at the University site and ask them what's going on;
                    (2) Use a VPN provider such that your request appears to be coming from another country;
                    (3) Give up on using those rules and create your own OpenAppID rules.

                    I don't know of any other public OpenAppID rules.

                    Bill

                      techbee

                      Bmeeks,

                      I have contacted the University through their email, hopefully they will reply something.  On the other hand, I already tried using hotspotshield vpn, I was able to access their website but still did not get the update.

                      It seems that my location is blacklisted on their firewall and that causes the "Block reason: Gateway GEO-IP Filter Alert"

                        bmeeks

                        @techbee:

                        It seems that my location is blacklisted on their firewall and that causes the "Block reason: Gateway GEO-IP Filter Alert"

                        Well, unless you can get them to whitelist your IP address, you won't be able to use the OpenAppID feature in the Snort package unless you create some of your own rules.  There are a few examples of user-written OpenAppID rules here in the IDS/IPS sub-forum.  You could try a search for "OpenAppID" to see what turns up.  There are also a few examples to be found with a Google search.

                        Bill
