
    [solved] Snort Registered User rules download fails

    pfSense Packages

      4o4rh

      Afraid I am still getting bad checksum, but only on the subscriber rules. Others are working fine.

      Starting rules update... Time: 2019-02-20 00:05:00
      Downloading Snort Subscriber rules md5 file snortrules-snapshot-29120.tar.gz.md5...
      Checking Snort Subscriber rules md5 file...
      There is a new set of Snort Subscriber rules posted.
      Downloading file 'snortrules-snapshot-29120.tar.gz'...
      Done downloading rules file.
      Snort Subscriber rules file download failed. Bad MD5 checksum.
      Downloaded Snort Subscriber rules file MD5: ef8d4ba392d098f1e37a34b95d68d143
      Expected Snort Subscriber rules file MD5: 68c0c20030c213ef6b3c95ffd3d95e0a
      Snort Subscriber rules file download failed. Snort Subscriber rules will

        bmeeks @4o4rh

        @gwaitsi
        I know this is not what you would like to hear, but the problem has to be on your end of the connection. This is working for everyone else so far as I know. My own rules are updating just fine. Where are you located? Your ISP and geolocation may be resulting in you getting routed to an AWS server with a bad copy of that rules file. Snort rules are hosted on Amazon Web Services infrastructure.

        Can you go to the Snort.org web site and manually download the rules from there to your PC successfully?

        The rules download code is very simple. It first downloads the MD5 checksum file. That file is a very small text file whose content is the MD5 checksum hash of the larger Snort Subscriber Rules tarball. It then compares that MD5 value to the value contained in the last MD5 file your firewall downloaded (in other words, the copy sitting in /usr/local/etc/snort). If the MD5 values do not match, then it downloads the newly posted Snort Subscriber Rules tarball. After downloading that tarball to your firewall in the /tmp directory, it calculates the MD5 checksum of the file it just downloaded. If the calculated value from the downloaded rules tarball does not match the posted MD5 value (downloaded from the Snort site), the code assumes the downloaded tarball is corrupt and thus it prints the error and skips updating those rules.

        So in your case either the download of the tarball is actually getting corrupted, or you have some other issue whereby your IP is getting pointed to an older copy of the MD5 checksum file. Are you using any kind of proxy or caching system? If so, make sure any cache is cleaned out.

            4o4rh @bmeeks

            @bmeeks so this is weird, if I look in the system logs I am seeing
            Feb 22 00:59:12 kernel pid 18885 (pfctl), uid 0 inumber 30 on /tmp: filesystem full
            Feb 22 00:59:19 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: Failed writing body (0 != 1122)
            Feb 22 00:59:19 kernel pid 66153 (php-cgi), uid 0 inumber 4233 on /tmp: filesystem full

            however, system information shows me
            /tmp 2% of 38MiB - ufs in RAM

              Grimson

              https://docs.netgate.com/pfsense/en/latest/book/config/advanced-misc.html#ram-disk-sizes

                bmeeks @4o4rh

                @gwaitsi

                @gwaitsi said in Snort Registered User rules download fails:

                @bmeeks so this is weird, if I look in the system logs I am seeing
                Feb 22 00:59:12 kernel pid 18885 (pfctl), uid 0 inumber 30 on /tmp: filesystem full
                Feb 22 00:59:19 php-cgi snort_check_for_rule_updates.php: [Snort] Rules download error: Failed writing body (0 != 1122)
                Feb 22 00:59:19 kernel pid 66153 (php-cgi), uid 0 inumber 4233 on /tmp: filesystem full

                however, system information shows me
                /tmp 2% of 38MiB - ufs in RAM

                This would have been a very valuable piece of information to include with your original post! I've posted on this forum more times than I can count for folks to NEVER use a RAM disk with Snort or Suricata. It usually causes nothing but problems. Yours is the number one problem -- running out of disk space during a rules download. I should have asked about the RAM disk first off. It came to my mind, but I said maybe folks are finally starting to stop using RAM disks what with today's highly reliable SSDs; so I failed to ask.

                Either ditch the RAM disk entirely (highly recommended) or else bump up the size for /tmp to at least 256 MB and potentially even 512 MB. Snort needs lots of space on /tmp to download and extract the rules tarball. When it finishes, it cleans up behind itself. That's why the Dashboard is not showing the space used. Snort cleaned up after the failure.
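
The update sequence described earlier in this thread (compare the posted MD5 with the stored one, download, hash the tarball), extended with a check that separates a download cut short, for example by a full /tmp, from an intact file that simply does not match the posted hash. This is an added example, not the Snort package's PHP code and not part of any post; the function names, return labels and the constructed sample tarball are assumptions, and the 256 MB floor is the minimum /tmp size suggested above.

```python
import gzip, hashlib, io, os, shutil, tarfile, tempfile, zlib

def file_md5(path):
    h = hashlib.md5()  # MD5 because that is what the posted .md5 file holds
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()

def gzip_complete(path):
    """True if the gzip stream decompresses through to its end marker."""
    try:
        with gzip.open(path, "rb") as f:
            while f.read(1 << 20):
                pass
        return True
    except (EOFError, OSError, zlib.error):
        return False

def check_download(posted_md5, stored_md5, tarball, free_bytes=None, min_free=256 * 2**20):
    """Follow the updater's decisions, then classify a checksum mismatch."""
    posted = posted_md5.strip().lower()
    if posted == stored_md5.strip().lower():
        return "no-update"             # posted MD5 unchanged: nothing to fetch
    if file_md5(tarball) == posted:
        return "ok"
    if free_bytes is None:             # free space where the tarball was written
        free_bytes = shutil.disk_usage(os.path.dirname(tarball) or ".").free
    if not gzip_complete(tarball):
        return "truncated-low-space" if free_bytes < min_free else "truncated"
    return "intact-but-different"      # stale MD5 file or a cached older tarball

def build_sample(workdir):
    """Constructed sample: a tiny rules tarball and a copy cut off halfway."""
    rules = b'alert tcp any any -> any any (msg:"constructed"; sid:1000001;)\n' * 200
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("rules/sample.rules")
        info.size = len(rules)
        tar.addfile(info, io.BytesIO(rules))
    blob = buf.getvalue()
    full, cut = (os.path.join(workdir, n) for n in ("full.tar.gz", "cut.tar.gz"))
    for path, data in ((full, blob), (cut, blob[:len(blob) // 2])):
        with open(path, "wb") as f:
            f.write(data)
    return full, cut

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        print([check_download("f" * 32, "0" * 32, p) for p in build_sample(d)])
```

A "truncated" result points at the local write path (disk space, interrupted transfer), while "intact-but-different" points at a stale or cached MD5 file or tarball.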

                  4o4rh

                  sorry dude, only just noticed the error. Set the ram size to 512mg running like a charm. thanks so much

                    bmeeks @4o4rh

                    @gwaitsi said in Snort Registered User rules download fails:

                    sorry dude, only just noticed the error. Set the ram size to 512mg running like a charm. thanks so much

                    I still suggest you ditch the RAM disk. That technology was useful back with NanoBSD and early Flash Memory cards. Today's Solid State Disks are plenty reliable. You will run out of other space as well at some point (like logging, potentially). Your RAM would serve you much better if it's available for use by the Snort process and other parts of pfSense as memory and not disk space.

                      4o4rh @bmeeks

                      @bmeeks thanks anything, but I will probably see how it goes first. I have 512Mb for /tmp and 256Mb for /var at 13% with a 4G system and 64Gb SSD. As it is only for a small home network of a few PCs, mobiles and media boxes, the remaining 3Gb should be more than enough I guess.

                        chenzomo

                        I've been battling this as well. Be sure the Oinkcode is correct and without a leading space. Rookie mistake but it happens, drove me crazy for a week. Good luck!
