Snort Subscriber rules
-
@NogBadTheBad
How can I find out from which servers these Snort VRT rules are updated?
-
Just force-updated my Snort Subscriber rules; it went fine.
Maybe there is something in the snort logs.
Try logging into snort.org to see if your sub has expired.
-
@NogBadTheBad
Rule Set Name/Publisher     MD5 Signature Hash   MD5 Signature Date
Snort Subscriber Ruleset    Not Downloaded       Not Downloaded
This is after a Force Update.
-
@lucas1 said in Snort Subscriber rules:
@NogBadTheBad
Rule Set Name/Publisher     MD5 Signature Hash   MD5 Signature Date
Snort Subscriber Ruleset    Not Downloaded       Not Downloaded
This is after a Force Update.
Something is blocking your download. Look in the actual Snort update log (available on the UPDATES tab) to see if there is a specific error message being logged. This generally happens for one of the following reasons:
- The user is running a RAM disk for /tmp and the RAM disk is not large enough to contain the downloaded rules archive and its unpacked contents;
- There is a proxy configured and the proxy is blocking or otherwise interfering with the URL connection attempt. Rules updates are done by calling curl and simply opening an HTTPS web link;
- Your Oinkcode is expired (but you said you already verified it was not, so this reason may not be impacting you);
- You have another package installed such as Squidguard, Squid or pfBlockerNG that is interfering with the download connection attempt. This has happened to many users.
It's almost always one of the above problems that is preventing a rules update. A quick search of this sub-forum will confirm what I say. The Snort rules are hosted on AWS infrastructure. Sometimes, a few of the various "bad actor" IP lists that a user may select for a package such as pfBlockerNG will contain some AWS web space. This has been reported in the past, but not recently.
-
- How exactly do I check the Oinkcode expiration date?
Licensed Sensors
Type   Level   Sensors   End Date   Total
free   free    1         N/A
This is from my snort.org account.
- How do I know exactly which servers the Snort Subscriber Rules are updated from?
- In the update log there is only:
Downloading Snort Subscriber rules md5 file snortrules-snapshot-29120.tar.gz.md5...
Snort Subscriber rules md5 download failed.
Server returned error code 422.
Server error message was:
Snort Subscriber rules will not be updated.
- I suspect pfBlockerNG, but I do not know either the address or the name of the servers Snort updates from.
-
@lucas1
Just turned off Deny IP on WANs and DNSBL in pfBlockerNG; it did not help. How do I write to Snort support?
-
Log into the snort web page and check the subscription there.
-
I understood where to go. What I did not understand is specifically how to check for subscription expiration: on which tabs, and what exactly do I look at?
-
It was:
Downloading Snort Subscriber rules md5 file snortrules-snapshot-29120.tar.gz.md5...
It has become:
Downloading Snort Subscriber rules md5 file snortrules-snapshot-29150.tar.gz.md5...
Done downloading rules file.
The reason was found by another employee. It's called trial and error.
-
@lucas1 said in Snort Subscriber rules:
It was:
Downloading Snort Subscriber rules md5 file snortrules-snapshot-29120.tar.gz.md5...
It has become:
Downloading Snort Subscriber rules md5 file snortrules-snapshot-29150.tar.gz.md5...
Done downloading rules file.
The reason was found by another employee. It's called trial and error.
It's called try guess.Oh... you were not running the current version of the Snort binary. I assumed you were, so my mistake on that.
The Snort team periodically ages out and discontinues rules support for older Snort versions. The rules are tied to specific binary versions, so you can't use the Snort rules from the 2.9.12 binary with the later 2.9.15 binary.
So the moral of that story is keep your Snort package updated to the current version. I do my best to keep the Snort version in pfSense-RELEASE current so the rules downloads/updates will work.
The 422 HTTP error was the Snort web site's roundabout way of saying that the file version your Snort package was requesting was not present.
Now, if you are using Snort Subscriber rules with Suricata, then it is your responsibility to log into the Snort rules web site periodically and check which version is current for the 2.9.x rules. You then have to manually configure Suricata to download the correct version. See this Sticky Post at the top of this forum: https://forum.netgate.com/topic/110325/using-snort-vrt-rules-with-suricata-and-keeping-them-updated. One big warning! DO NOT use the Snort 3.0 rules with Suricata! You will completely break your Suricata installation if you try that. The only way to recover it would be to remove it and install everything fresh again.
Your post was a bit ambiguous as to whether you were running the Snort package or if you were running Suricata and using the Snort rules. I made an assumption that may have been incorrect.
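The two failure modes discussed in this thread (a download that never completes because a proxy, a blocking package or a too-small /tmp RAM disk gets in the way, versus a 422 because the snapshot file for an aged-out binary version is no longer published) look different in the Snort update log, and the distinction can be automated. The script below is an added example, not code from the pfSense Snort package or from the posters here. It assumes the update-log wording quoted in this thread, assumes the snapshot tag is the Snort binary version with the dots removed (2.9.15.0 becomes 29150, consistent with the two log lines above), and assumes the snort.org URL shape and the oinkcode query parameter; the sample log text is constructed from the lines quoted in this thread.

```shell
#!/bin/sh
# Added diagnostic helper (example code, not part of the pfSense Snort package).
# Assumptions, all labelled: the update-log wording is the one quoted in this
# thread; the snapshot tag is the Snort binary version with the dots removed
# (2.9.15.0 -> 29150, matching the thread's two log lines); the snort.org URL
# shape and the 'oinkcode' query parameter are assumed, not taken from the page.

# "2.9.15.0" -> "29150": the tag the package puts in the snapshot file name.
snapshot_tag() {
    printf '%s\n' "$1" | tr -d '.'
}

# The md5 URL the update would request for a tag and oinkcode (assumed pattern).
rules_md5_url() {
    printf 'https://www.snort.org/rules/snortrules-snapshot-%s.tar.gz.md5?oinkcode=%s\n' "$1" "$2"
}

# A curl one-liner to reproduce the request from the pfSense shell and see the
# raw HTTP status, bypassing the package. Printed, not executed, here.
manual_check_cmd() {
    printf "curl -sS -o /dev/null -w '%%{http_code}\\\\n' '%s'\n" "$(rules_md5_url "$1" "$2")"
}

# Snapshot tag named in the update log (stdin), first occurrence only.
requested_tag() {
    sed -n 's/.*snortrules-snapshot-\([0-9][0-9]*\)\.tar\.gz.*/\1/p' | head -n 1
}

# HTTP status the log reports (stdin); empty if the connection never got that far.
server_error_code() {
    sed -n 's/.*Server returned error code \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Free space in KB on the filesystem holding /tmp; a RAM disk too small for the
# archive plus its unpacked contents is one of the causes listed in this thread.
tmp_free_kb() {
    df -Pk "${1:-/tmp}" | awk 'NR == 2 { print $4 }'
}

# Combine the installed Snort version and the update-log text into one verdict.
# Usage: diagnose "<installed snort version>" "<update log text>"
diagnose() {
    installed_tag=$(snapshot_tag "$1")
    req_tag=$(printf '%s\n' "$2" | requested_tag)
    code=$(printf '%s\n' "$2" | server_error_code)

    if printf '%s\n' "$2" | grep -q 'Done downloading rules file'; then
        echo "ok: snapshot $req_tag downloaded"
    elif [ "$code" = 422 ]; then
        # The thread's case: snort.org no longer publishes the file for that tag.
        echo "422: snort.org has no snortrules-snapshot-$req_tag.tar.gz (installed binary $1, tag $installed_tag); update the Snort package to a version whose rules are still published"
    elif [ -z "$code" ]; then
        echo "no HTTP status logged: the HTTPS connection never completed; check proxy settings, pfBlockerNG/Squid lists, and that /tmp has room ($(tmp_free_kb) KB free now)"
    else
        echo "$code: snort.org rejected the request for tag $req_tag; re-check the Oinkcode and subscription on snort.org"
    fi
}

# Constructed sample logs, copied from the wording quoted in this thread.
FAIL_LOG='Downloading Snort Subscriber rules md5 file snortrules-snapshot-29120.tar.gz.md5...
Snort Subscriber rules md5 download failed.
Server returned error code 422.
Server error message was:
Snort Subscriber rules will not be updated.'

OK_LOG='Downloading Snort Subscriber rules md5 file snortrules-snapshot-29150.tar.gz.md5...
Done downloading rules file.'

# Stand-alone run: an old package (2.9.12.0) requesting its own, aged-out tag,
# then the same check after the package was updated.
diagnose "2.9.12.0" "$FAIL_LOG"
diagnose "2.9.15.0" "$OK_LOG"
manual_check_cmd "$(snapshot_tag 2.9.15.0)" "YOUR_OINKCODE"
```

Run it with the installed version from snort -V and the text of the UPDATES tab log pasted in; the 422 branch is the one this thread ended on, and the empty-status branch covers the proxy, pfBlockerNG and RAM-disk causes, which never produce a server status at all. The printed curl line lets you confirm the status code outside the package before blaming a blocklist.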