Snort: Won't clear md5 after pfSense update to 2.3.1-RELEASE-p1



  • Hi all, I'm afraid I'm a total novice…
    When I updated to pfSense 2.3.1-RELEASE-p1, Snort->Updates->Update Rules fails.

    The log complains that the md5 sums don't match, but Snort->Updates->Force Update doesn't work either.

    How do I clear the md5s?

    Thanks,

    Smoker



  • You can remove the MD5 checksums themselves, but your error is really saying that after downloading the rules tarball and performing a local MD5 hash calculation on it, that calculated hash is not matching up with what is posted on the vendor's site.  In other words, your downloaded local copy of the rules tarball is corrupt (or Snort thinks it is).

    What kind of install is this?  Is it a NanoBSD installation?  If so, make sure you have at least 250 MB of free space in /tmp (and 512 MB is better).  This is where Snort downloads the tarball and unpacks it prior to installation.  If there is not enough free disk space, things get messed up.

    If you want to wipe out the local MD5 hash that is stored by Snort after a successful rules update, then delete the MD5 files in /usr/local/etc/snort.  Once you do this Snort will then think you have never downloaded rules and when you update it will fetch them again.  Note I doubt this fixes your problem, though.  Your problem is the actual downloaded tarball is not producing the same MD5 hash as that stored on the vendor's site (I assume you are using the Snort VRT rules).  Snort downloads the MD5 hash file from the vendor and then downloads the rules tarball. It calculates the MD5 of the downloaded file and compares it to the small MD5 hash file it got from the vendor.  If those do not match, you get the error you are seeing.

    Bill
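The download-then-compare check Bill describes, as an added example that is not code from the pfSense Snort package. It assumes the vendor's `.md5` file carries the digest as a 32-character hex token on its first line, and that either `md5` (FreeBSD) or `md5sum` (Linux) is installed; the tarball it verifies is a constructed stand-in, not a real rules snapshot.

```shell
#!/bin/sh
# Added example (not from the pfSense Snort package): reproduce the
# rules-update integrity check and the /tmp free-space precondition.
# Assumption: the vendor .md5 file contains a 32-hex-char digest somewhere
# on its first line, e.g. "MD5 (rules.tar.gz) = <hash>" or "<hash>  rules.tar.gz".

# Print the MD5 digest of a file, portable across FreeBSD (md5) and Linux (md5sum).
md5_of_file() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    else
        md5 -q "$1"
    fi
}

# Extract the digest from the vendor's .md5 file: first 32-hex token, lower-cased.
md5_from_vendor_file() {
    grep -o -i '[0-9a-f]\{32\}' "$1" | head -n1 | tr 'A-F' 'a-f'
}

# Return 0 when the local tarball's MD5 equals the vendor-published digest.
verify_rules_md5() {
    tarball=$1; vendor_md5=$2
    local_sum=$(md5_of_file "$tarball")
    vendor_sum=$(md5_from_vendor_file "$vendor_md5")
    [ -n "$vendor_sum" ] && [ "$local_sum" = "$vendor_sum" ]
}

# Return 0 when directory $1 has at least $2 MB free (df -Pk is POSIX output).
has_free_mb() {
    free_kb=$(df -Pk "$1" | awk 'NR==2 {print $4}')
    [ "${free_kb:-0}" -ge $(( $2 * 1024 )) ]
}

# Self-check on a constructed tarball: intact copy passes, truncated/corrupt copy fails.
demo() {
    work=$(mktemp -d)
    printf 'constructed sample rules tarball contents\n' > "$work/rules.tar.gz"
    printf 'MD5 (rules.tar.gz) = %s\n' "$(md5_of_file "$work/rules.tar.gz")" \
        > "$work/rules.tar.gz.md5"
    verify_rules_md5 "$work/rules.tar.gz" "$work/rules.tar.gz.md5" && echo "intact: ok"
    printf 'x' >> "$work/rules.tar.gz"   # simulate a corrupt download
    verify_rules_md5 "$work/rules.tar.gz" "$work/rules.tar.gz.md5" || echo "corrupt: mismatch"
    has_free_mb /tmp 250 || echo "/tmp has less than the 250 MB Snort needs"
    rm -rf "$work"
}

demo
```

Running `has_free_mb /tmp 250` on a NanoBSD box before clicking Force Update tells you whether the RAM disk is the real cause of the mismatch.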



  • Thanks Bill, it looks as though there's only ~40MiB in /tmp, so that looks like the problem.

    Yes, it's a NanoBSD running in a flash chip on a LinITX APU 1D. Nice little package, even if the tech is a little old.

    I suppose I may be able to enlarge the /tmp partition.

    Cheers,

    smoker



  • Expect more pain running Snort (or Suricata) on NanoBSD installations.  Both packages need lots of free disk space in /tmp and especially in /var where logs go.  Search the forums for NanoBSD and Snort or Suricata and you will find some of the misery.  I don't recommend running either package on NanoBSD. It will sort of work, but you must be diligent about monitoring free disk space on the RAM disks.

    Bill



  • Well, I've temporarily fixed it by modestly increasing the /tmp partition to 96MiB, but I suspect I'll run into problems again soon.
    Slightly irritatingly, unticking System/Advanced/Misc/Use RAMdisks doesn't seem to work on this version of pfSense/nanoBSD, so I can't set it to a partition on the Flash disk.

    It's a shame this little box has only lasted just over a year on my home network, looks like I'll have to buy a bigger one, like a LinITX APU2 C4 4GB. At least that would have enough memory and grunt to cope for a while.

    Thanks for the pointers Bill.

    smoker