Snort: No more VRT-Updates? -> Snort-Version too old?



  • Hi,

    For about 3-4 days now, my Snort VRT rules won't update anymore (I'm using a free Oinkcode).
    In my snort.org profile I'm also no longer able to download the 2980 rulesets, as they seem to be outdated.

    My question: what can I do? Will there soon be a newer version of Snort, so I can properly use it in the future?
    Is there anybody else having this problem?

    Update-Logfile:

    
    Starting rules update...  Time: 2016-07-03 14:09:12
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
    	Snort VRT rules md5 download failed.
    	Server returned error code 422.
    	Server error message was: 
    	Snort VRT rules will not be updated.
    	Downloading Snort OpenAppID detectors md5 file snort-openappid.tar.gz.md5...
    	Checking Snort OpenAppID detectors md5 file...
    	Snort OpenAppID detectors are up to date.
    	Downloading Snort GPLv2 Community Rules md5 file community-rules.tar.gz.md5...
    	Checking Snort GPLv2 Community Rules md5 file...
    	There is a new set of Snort GPLv2 Community Rules posted.
    	Downloading file 'community-rules.tar.gz'...
    	Done downloading rules file.
    	Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
    	Checking Emerging Threats Open rules md5 file...
    	Emerging Threats Open rules are up to date.
    	Extracting and installing Snort GPLv2 Community Rules...
    	Installation of Snort GPLv2 Community Rules completed.
    	Copying new config and map files...
    	Updating rules configuration for: WAN ...
    	Restarting Snort to activate the new set of rules...
    	Snort has restarted with your new set of rules.
    The Rules update has finished.  Time: 2016-07-03 14:09:23
    
    


  • Hi,

    recognized this same behaviour today, too.
    Running the latest snort package available for pfsense.

    Regards



  • What do you do?
    Just accept it for the moment, waiting for an update?



  • I am only using this in my private home environment. I will wait some time. I assume that the maintainer bmeeks will recognize this, too, and will provide a fix. Or it is a problem with snort.org.



  • Same here. I just registered to post about it. I talked to someone at Snort and got a quick reply. The URL pfSense is using is not the right one and needs to be updated. Seems mine is attempting to download 2980 rules, where it should be trying to download 2983 rules. Maybe a good feature where we can manually update?

    Bad timing for me I guess. I purchased the upgraded rules a few days ago. lol



  • My bad for being late on the package update.  Look for this to be fixed in another day or two.  The correct package has been posted for the pfSense team to review and merge.  The long Independence Day weekend here in the U.S. is slowing things down.  I did not post the update for them to review until late this past Friday evening.

    Bill



  • No worries. Thanks for all your hard work. Great product! I use it at home and at the business network I manage. Take it easy and have a happy 4th!



  • Any ETA on this, or any special instructions we need to know about? I still have no updates yet.



  • another post. Just update snort from packages. There is a squid update as well… unrelated. lol . Thanks



  • Worked on 7/12/16 BUT hasn't updated since.  I "Forced Update" and I get a

    "Snort GPLv2 Community Rules md5 download failed.
      Server returned error code 0."

    Any suggestions?



  • Never mind.  I reverted back to an early restore point when I didn't install squid in the last 2 days and snort updates correctly.

    I am guessing squid is blocking snort updates, and pfsense packages.



  • I figured I'd update this with what turned out to be the actual problem.

    It was not SQUID it was PFBLOCKER and a BOGON list I had installed from iBlocklist.com….

    PFBLOCKER Bogon list was blocking the SNORT VRT Rules and other updates.  Kind of weird as this hasn't happened before and I've been using these lists for quite some time...

    ohh well...  at least I figured it out :)



  • @DeeeePIMPact:

    I figured I'd update this with what turned out to be the actual problem.

    It was not SQUID it was PFBLOCKER and a BOGON list I had installed from iBlocklist.com….

    PFBLOCKER Bogon list was blocking the SNORT VRT Rules and other updates.  Kind of weird as this hasn't happened before and I've been using these lists for quite some time...

    ohh well...  at least I figured it out :)

    IP addresses can come and go on lists like that.  Every now and then it would not be unexpected for a legitimate site to maybe pick up an IP that was once a bad guy's.  Just like phone numbers can be reused, so too can IP addresses.  That's one issue in my personal view with lists of so-called "bad IP addresses".  They can sometimes get a little stale and block legitimate sites that happened to get assigned one of those formerly bad IP addresses.  Remember, there are no more IPv4 addresses, so the existing pool will keep getting recycled as old sites die and new sites need an IP to come online.

    Bill
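
Added example, not part of any post in this thread: a way to find which blocklist entry covers the addresses a rule-update host resolves to, which is the stale-list situation described above. The blocklist lines, the `label:start-end` range form and the server addresses are constructed assumptions (IPv4 documentation ranges only).

```python
import ipaddress

# Constructed blocklist sample: CIDR lines and "label:start-end" range lines
# (the range form is an assumption about the list's export format; IPv4 only).
BLOCKLIST = """\
# constructed sample, documentation address space only
192.0.2.0/24
stale-entry:198.51.100.16-198.51.100.31
203.0.113.128/25
"""

def parse_blocklist(text):
    """Return a list of (network, source_line) pairs from a blocklist."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        spec = line.rsplit(":", 1)[-1]  # drop the optional label
        if "-" in spec:
            first, last = (ipaddress.ip_address(p.strip())
                           for p in spec.split("-", 1))
            nets = ipaddress.summarize_address_range(first, last)
        else:
            nets = [ipaddress.ip_network(spec, strict=False)]
        entries.extend((net, line) for net in nets)
    return entries

def blocked_by(addresses, entries):
    """Map each address to the blocklist lines that cover it."""
    hits = {}
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        lines = [line for net, line in entries
                 if ip.version == net.version and ip in net]
        if lines:
            hits[addr] = lines
    return hits

# Constructed stand-ins for the addresses the rule-update host resolves to.
UPDATE_SERVER_IPS = ["198.51.100.20", "198.51.100.200"]

if __name__ == "__main__":
    found = blocked_by(UPDATE_SERVER_IPS, parse_blocklist(BLOCKLIST))
    for addr, lines in found.items():
        print(addr, "is covered by:", ", ".join(lines))
```

Feeding it the real list export and the addresses the firewall actually resolves shows which entry to whitelist or report as stale.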



  • I, too, am unable to download snort updates.

    Specifically, there are two issues:

    1. I have unchecked "Click to retain Snort settings after package removal." Then uninstalled, then rebooted, and still Snort remembers my settings (including my oinkmaster code)

    2. Ignoring that….. and more importantly, when trying to update VRT rules using snort 3.2.9.1_14, I get the following error. Any ideas?

    Starting rules update...  Time: 2016-08-11 22:05:58
    	Downloading Snort VRT rules md5 file snortrules-snapshot-2983.tar.gz.md5...
    	Checking Snort VRT rules md5 file...
    	There is a new set of Snort VRT rules posted.
    	Downloading file 'snortrules-snapshot-2983.tar.gz'...
    	Snort VRT rules file download failed.  Server returned error 0.
    	The error text was: Connection timed out after 15015 milliseconds
    	Snort VRT rules will not be updated.
    The Rules update has finished.  Time: 2016-08-11 22:07:59
    

    I have tried more than 10 times over the last 3 days.

    I run the following packages:

    pfblockerNG 2.1.1_1 with TLD features enabled

    squid

    Squidguard

    Machine:
    C2758
    16 Gigs ECC ram
    4 onboard intel NIC
    1x PCI-e intel 4 port pro/1000 PT
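
Added example, not part of any post in this thread: a small triage script for the update log format quoted above that pulls out each failed download with its timestamp, file, error code and error text. The cause strings reflect only what posters in this thread reported (422 for the outdated 2980 snapshot request, error 0 for a connection that never got an answer); they are not a general code table.

```python
import re

# Lines taken from the two update logs quoted in this thread (indentation trimmed).
SAMPLE_LOG = """\
Starting rules update...  Time: 2016-07-03 14:09:12
Downloading Snort VRT rules md5 file snortrules-snapshot-2980.tar.gz.md5...
Snort VRT rules md5 download failed.
Server returned error code 422.
Downloading Emerging Threats Open rules md5 file emerging.rules.tar.gz.md5...
Emerging Threats Open rules are up to date.
Starting rules update...  Time: 2016-08-11 22:05:58
Downloading file 'snortrules-snapshot-2983.tar.gz'...
Snort VRT rules file download failed.  Server returned error 0.
The error text was: Connection timed out after 15015 milliseconds
"""

START = re.compile(r"Starting rules update\.\.\.\s+Time: (.+)")
FILE = re.compile(r"Downloading (?:.* md5 file |file ')([\w.-]+?)'?\.\.\.")
CODE = re.compile(r"Server returned error(?: code)? (\d+)")
TEXT = re.compile(r"The error text was: (.+)")

# Causes as reported by posters in this thread (assumption outside of it).
CAUSES = {
    422: "package requests a snapshot the server no longer offers; update the Snort package",
    0: "no HTTP response; check blocklists and proxies between firewall and update server",
}

def triage(log):
    """Return one dict per failed download found in an update log."""
    findings, when, current = [], None, None
    for line in map(str.strip, log.splitlines()):
        if m := START.match(line):
            when = m.group(1)
        if m := FILE.search(line):
            current = m.group(1)          # file the following lines refer to
        if m := CODE.search(line):
            code = int(m.group(1))
            findings.append({"time": when, "file": current, "code": code,
                             "cause": CAUSES.get(code, "unclassified"),
                             "detail": ""})
        if (m := TEXT.match(line)) and findings:
            findings[-1]["detail"] = m.group(1)
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["time"], f["file"], f["code"], "->", f["cause"], f["detail"])
```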

